Edit tour

Windows Analysis Report
a2e-enterprise.26.3.3677.2903.exe

Overview

General Information

Sample name:	a2e-enterprise.26.3.3677.2903.exe
Analysis ID:	1407717
MD5:	29c3418978dd57c42c7e9530b3aac3d6
SHA1:	08283dd80f9597fffd5abc3977b21894e9ad962b
SHA256:	22a18e7582631d3d2efae7d691fc20421c7a9693103b6f21a190f664c686b94b
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

a2e-enterprise.26.3.3677.2903.exe (PID: 7316 cmdline: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe MD5: 29C3418978DD57C42C7E9530B3AAC3D6)

conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: a2e-enterprise.26.3.3677.2903.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf			Jump to behavior
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf			Jump to behavior

Source:	Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdbpdbGCTL source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source:	Binary string: DPCA.pdb source: Add2ExchangeSetup.msi.0.dr
Source:	Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdb source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source:	Binary string: E3BA6A-4260-D8AD-6F2E-E0BA27C2626F}C__DB5490D874434060B5523DC70DC6B4C7ADD2EX~2.PDB\|Add2Exchange Agent.pdb_DCD27D1155FD4FA49AFEC52B9E214BCFC__DCD27D1155FD4FA49AFEC52B9E214BCFInstallUtilB03F5F7F11D50A3APublicKeyToken4.0.0.0{C765414F-517E-9D44-62DB-200DC45A7F01}4.0.30319.1INSTAL~1.EXE\|InstallUtil.exe_E03A55A6B7E740C8A8611EDEE423521F{3379E351-9B46-C8C1-8C31-193B6939E1C9}C__E03A55A6B7E740C8A8611EDEE423521FPROFMAN.DLL\|ProfMan.dll_E155EF057E684BC49827EACF5A35D6C7{CB60CA7A-BE59-83D9-B889-8C03277AB948}C__E155EF057E6 source: Add2ExchangeSetup.msi.0.dr
Source:	Binary string: DPCA.pdb<0 source: Add2ExchangeSetup.msi.0.dr

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Code function: 0_2_0040729B __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,

0_2_0040729B

Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: http://127.0.0.1:13556/HosterIdentityHttpLogWriterEndpointInsiderSlabBehaviorProviderLabMachineLangT
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://support.diditbetter.com/Secure/Login.aspx?returnurl=/downloads.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://support.diditbetter.com/disable-group-policy.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://support.diditbetter.com/support-request.aspx
Source: Add2ExchangeSetup.msi.0.dr	String found in binary or memory: http://www.DidITBetter.com/Solutions/Add2Exchange/Overview.aspARPHELPLINKAdvantage
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, Add2Exchange EULA.rtf.0.dr, Add2ExchangeSetup.msi.0.dr	String found in binary or memory: http://www.DidITbetter.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comopenThe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://aka.ms/ssmsfullsetup
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/abMicrosoft.Office.Experimentation.SendTenantIdToTasMicrosof
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: https://config.edge.skype.net/config/v1/Officehttps://config.edge.skype.com/config/v1/Office0.0.0.0?
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com/nexus/rules/nexus/upload/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/abclientidRequestGUIDX-MSEdge-IGcorpnetflightReached
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, SQL12x_to_SQL12xSP4.ps1.0.dr, SQL12x_to_SQL22x.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/A2EDiags-2.3.exe
Source: SQL12x_to_SQL22x.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/Microsoft_SQL_Server_Express_2022.ini
Source: SQL12x_to_SQL22x.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQL2022-SSEI-Expr.exe
Source: SQL12x_to_SQL12xSP4.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQLEXPR_x86_ENU_2012SP4.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQLServer2008SP4-KB2979596-x86-ENU.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SSMS-Setup-ENU.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Add2Exchange_Guide.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/GAL_Sync_Scenario.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Migrating_A2E_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Migrating_Environments_A2E_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Private_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Public_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Private_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Public_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://s3.amazonaws.com/guides.diditbetter.com/Template_Creation_RGM_Sync_Scenarios.pdf
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://support.DidItBetter.com/
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://support.diditbetter.com/downloads.aspx
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	String found in binary or memory: https://support.diditbetter.com/support-request.aspx

Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_97c23fc6-3

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_004171E0	0_2_004171E0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_0041525D	0_2_0041525D
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_0041239B	0_2_0041239B
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00419640	0_2_00419640
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00418D70	0_2_00418D70
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00417EF0	0_2_00417EF0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00419E80	0_2_00419E80
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00416F4A	0_2_00416F4A
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: 0_2_00418F60	0_2_00418F60

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: String function: 0040540C appears 42 times
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Code function: String function: 004199A0 appears 232 times

Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBootstrapper.exeB vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002B14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBootstrapper.exeB vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000000.1748755714.0000000000428000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.sfx.exe, vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutolog.exeN vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe	Binary or memory string: OriginalFilename7z.sfx.exe, vs a2e-enterprise.26.3.3677.2903.exe

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Section loaded: apphelp.dll

Jump to behavior

Source: a2e-enterprise.26.3.3677.2903.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: clean5.winEXE@2/93@0/0

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03

Source: a2e-enterprise.26.3.3677.2903.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Add2ExchangeSetup.msi.0.dr

Binary or memory string: SELECT `Directory`, `DefaultDir` FROM `Directory` WHERE `Directory_Parent` = '%s'Software\Microsoft\NET Framework Setup\NDP\v3.%lu%sSOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5Software\Microsoft\NET Framework Setup\NDPSELECT * FROM `%s`Custom action not implemented.ToggleNearestAppRoot.kernel32IsWow64ProcessProcess call was successful.The error indicates that IIS is in 64 bit mode, while this application is a 32 bit application and thus not compatible.The error indicates that IIS is in 32 bit mode, while this application is a 64 bit application and thus not compatible.The error indicates that this version of ASP.NET must first be registered on the machine.Unknown Error.The call to aspnet_regiis.exe was failed. Path: '%s'Process Call Result Code: '%ld'Process Exit Code: '%ld'.Create Process failed.Running process '%s' with parameters '%s' silently...Access denied.CoInitializeEx - COM initialization Free Threaded.FAILED:%ldCoInitializeEx - COM initialization Apartment Threaded...Attach Debugger To MeVSCADEBUGATTACHSetTARGETSITETargetVersion%s\v%d\%sGatherWebSitesGatherAppPoolsSetTARGETAPPPOOLTARGETIISPATHRoot//LM/TARGETVDIRTARGETSITESetTARGETIISPATHaspnet_regiis.exeRESULTPath = PathUsing 64 bit registry key...Reading registry value Path from key 'HKLM\%s'...Software\Microsoft\ASP.NET\%sProductNameRunning show message with fUseMessageBox = %sFALSETRUEVSDINVALIDURLMSGHideFatalErrorFormopenExecuting URL '%s' with source directory '%s'...SourceDirRESULT:Condition is false.RESULT:Condition is true. Nothing more to do.Evaluating condition '%s'...Getting the condition to evaluate...A launch condition has already fired. My work is done here.Checking a launch condition..."/><supportedRuntime version=";VSDFxConfigFile

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

File read: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: a2e-enterprise.26.3.3677.2903.exe

Static file information: File size 42987850 > 1048576

Source:	Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdbpdbGCTL source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source:	Binary string: DPCA.pdb source: Add2ExchangeSetup.msi.0.dr
Source:	Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdb source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Source:	Binary string: E3BA6A-4260-D8AD-6F2E-E0BA27C2626F}C__DB5490D874434060B5523DC70DC6B4C7ADD2EX~2.PDB\|Add2Exchange Agent.pdb_DCD27D1155FD4FA49AFEC52B9E214BCFC__DCD27D1155FD4FA49AFEC52B9E214BCFInstallUtilB03F5F7F11D50A3APublicKeyToken4.0.0.0{C765414F-517E-9D44-62DB-200DC45A7F01}4.0.30319.1INSTAL~1.EXE\|InstallUtil.exe_E03A55A6B7E740C8A8611EDEE423521F{3379E351-9B46-C8C1-8C31-193B6939E1C9}C__E03A55A6B7E740C8A8611EDEE423521FPROFMAN.DLL\|ProfMan.dll_E155EF057E684BC49827EACF5A35D6C7{CB60CA7A-BE59-83D9-B889-8C03277AB948}C__E155EF057E6 source: Add2ExchangeSetup.msi.0.dr
Source:	Binary string: DPCA.pdb<0 source: Add2ExchangeSetup.msi.0.dr

Source: setup.exe0.0.dr	Static PE information: real checksum: 0x4fc7d8 should be: 0x4f70e0
Source: setup.exe.0.dr	Static PE information: real checksum: 0x4fc7d8 should be: 0x4f70e0

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Code function: 0_2_004199A0 push eax; ret

0_2_004199BE

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe	Jump to dropped file

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf			Jump to behavior
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf			Jump to behavior

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe	Jump to dropped file

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Code function: 0_2_0040729B __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,

0_2_0040729B

Source: a2e-enterprise.26.3.3677.2903.exe

Binary or memory string: ;qEMu

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe

Code function: 0_2_00404151 __EH_prolog,GetVersionExA,

0_2_00404151

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe	0%	ReversingLabs
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe	0%	ReversingLabs
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://127.0.0.1:13556/HosterIdentityHttpLogWriterEndpointInsiderSlabBehaviorProviderLabMachineLangT	0%	Avira URL Cloud	safe
http://support.diditbetter.com/Secure/Login.aspx?returnurl=/downloads.aspx	0%	Avira URL Cloud	safe
http://support.diditbetter.com/disable-group-policy.aspx	0%	Avira URL Cloud	safe
http://www.DidITBetter.com/Solutions/Add2Exchange/Overview.aspARPHELPLINKAdvantage	0%	Avira URL Cloud	safe
http://www.DidITbetter.com	0%	Avira URL Cloud	safe
http://www.sysinternals.comopenThe	0%	Avira URL Cloud	safe
https://support.DidItBetter.com/	0%	Avira URL Cloud	safe
https://support.diditbetter.com/downloads.aspx	0%	Avira URL Cloud	safe
http://support.diditbetter.com/support-request.aspx	0%	Avira URL Cloud	safe
https://support.diditbetter.com/support-request.aspx	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://s3.amazonaws.com/dl.diditbetter.com	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, SQL12x_to_SQL12xSP4.ps1.0.dr, SQL12x_to_SQL22x.ps1.0.dr	false		high
https://s3.amazonaws.com/guides.diditbetter.com/Migrating_A2E_Sync_Scenarios.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
https://support.DidItBetter.com/	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false	Avira URL Cloud: safe	unknown
http://support.diditbetter.com/disable-group-policy.aspx	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/guides.diditbetter.com/Add2Exchange_Guide.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
https://s3.amazonaws.com/dl.diditbetter.com/	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	false		high
http://support.diditbetter.com/Secure/Login.aspx?returnurl=/downloads.aspx	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/dl.diditbetter.com/A2EDiags-2.3.exe	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Private_Sync_Scenarios.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Public_Sync_Scenarios.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
http://www.DidITbetter.com	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, Add2Exchange EULA.rtf.0.dr, Add2ExchangeSetup.msi.0.dr	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/guides.diditbetter.com/Migrating_Environments_A2E_Sync_Scenarios.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
https://s3.amazonaws.com/guides.diditbetter.com/Template_Creation_RGM_Sync_Scenarios.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
http://www.sysinternals.com	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Public_Sync_Scenarios.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
https://support.diditbetter.com/support-request.aspx	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/ssmsfullsetup	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
http://www.sysinternals.comopenThe	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Private_Sync_Scenarios.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
https://support.diditbetter.com/downloads.aspx	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:13556/HosterIdentityHttpLogWriterEndpointInsiderSlabBehaviorProviderLabMachineLangT	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr	false	Avira URL Cloud: safe	unknown
http://www.DidITBetter.com/Solutions/Add2Exchange/Overview.aspARPHELPLINKAdvantage	Add2ExchangeSetup.msi.0.dr	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/guides.diditbetter.com/GAL_Sync_Scenario.pdf	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp, DiditBetter_Support_Menu.ps1.0.dr	false		high
http://support.diditbetter.com/support-request.aspx	a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1407717
Start date and time:	2024-03-12 18:06:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	a2e-enterprise.26.3.3677.2903.exe
Detection:	CLEAN
Classification:	clean5.winEXE@2/93@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: a2e-enterprise.26.3.3677.2903.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe	V425Q1tORs.exe	Get hash	malicious	Unknown	Browse
	V425Q1tORs.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe	V425Q1tORs.exe	Get hash	malicious	Unknown	Browse
	V425Q1tORs.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Add2Exchange Enterprise Guide.pdf

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	13802294
Entropy (8bit):	7.381292062112644
Encrypted:	false
SSDEEP:	98304:AVtrmiA6vqtF7gGDpOUU1egv9+SGqjoHm6z3MIBlPB86QnXAe:AVcp6odUUUb+SGwcLBo6Qn7
MD5:	E42B5D240E70A4AE87E23B646B2CE944
SHA1:	6811A7D2FD4B4C5B84BE239C63DF0BC22ADFBC3C
SHA-256:	B2485A101BFBD604737D39FF4A91507292E24784F98CACCCAC48486D32249812
SHA-512:	45B69F7791E1506460560FAEF8768416F59415B231DFFA47CFF690EEA1D5C764DCCF7C5E9F73D57184960876C45D41AF1D2A64C9DD65244F6CF11189BA706512
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	%PDF-1.7..........2 0 obj..[/ICCBased 3 0 R]..endobj..3 0 obj..<<../Filter /FlateDecode ../Length 2596 ../N 3 ..>>..stream..x...wTS....7.P.....khR.H..H..1..J..."6DTpDQ...2(...C.."...Q....D.qp...Id...y.....~k....g.}.......LX....X......g`......l..p..B..F...\|.l....... ...?.......Y"1.P......\...8=W.%.O..4M.0J."Y.2V.s.,[\|..e.9.2.<..s..e...'.9....`......2.&c.tI.@.o..\|N6.(....sSdl-c.(2.-.y..H._../X........Z..$...&\S........M...0.7.#.1..Y..r.f..Y.ym..";.8980m-m.(..]....v.^....D....W~.....e....mi..]..P....`/....u.}q..\|^R..,g+...\K..k)/......C_\|.R....ax.8.t1C^7nfz.D....p.......u....$../.ED.L L..[.....B.@...............X..!.@~..(*. .{d+..}..G.........}W.L...$..cGD2..Q...Z.4 .E@..@...............A(..q`1.....D .........`'..u..4.6p.t.c.48....`...R0...)...@......R.t C....X.....C.P...%CBH..@.R.....f.[.(t....C..Qh...z.#0...Z..l..`O8.......28......p.\|..O...X.?......:..0...FB.x$..!.....i@......H...[..EE1PL........V.6..Q.P..>.U.(j...MFk......t,:....FW........8.....c.1...L.&.

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Add2ExchangeSetup.msi

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {6CC5F0A5-DD20-463B-A745-23226EA64FC9}, Title: Add2Exchange Setup, Subject: Add2Exchange, Author: Advantage International, Comments: A Microsoft Exchange Server synchronization program., Number of Words: 2, Last Saved Time/Date: Mon Mar 11 15:43:44 2024, Last Printed: Mon Mar 11 15:43:44 2024
Category:	dropped
Size (bytes):	30423552
Entropy (8bit):	7.989713441416668
Encrypted:	false
SSDEEP:	786432:AZHbPULLLrq72tsjOH5uQol2vRY+DVN8HKOG:AlPsHrTtsjOH/Hz0H
MD5:	2D8B406D3C360459C99E3A1BC9D1E30E
SHA1:	3288467999C470DC54535A831C47720C299103BE
SHA-256:	F1B7B284704703E02471A645F7295D6678EC87DF998B2C9A90C6B3067CFB590C
SHA-512:	ED6A44B2ED614CE9B2FC698701BAFA8D806B4A3F7158C6AE9F2F2D190A9A0A74FF17F4F0C3A50357323581E339900DAD933F9CFE8CC3D55FC8701EAAAE2E67E5
Malicious:	false
Reputation:	low
Preview:	......................>...................................8...................................w.......u...............{...............................................................................................................................................................................................................................................................................................................................................................................................................Z................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...G.......:...;...<...=...>...?...@...A...B...C...D...Y...F.......H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...[...\...]..._.......^.......`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	PDF document, version 1.7, 6 pages
Category:	dropped
Size (bytes):	416578
Entropy (8bit):	7.9921021749352
Encrypted:	true
SSDEEP:	6144:0DZnpoW8Juj+7PQzBg5vxLX09lgN9h26fswbbEH2XeudeW0uLX:AnNj+bQK5vio9TswUTkeo
MD5:	5717BDB29D1561AE86E08AF6459CAC84
SHA1:	7D74FF33E1A7299CAF9BF2F45D64F15F2F0C336A
SHA-256:	FB6B1D910F9B44416C50E5E31E449835391B9B33FD238AA45C5BCB61465F7373
SHA-512:	995045AC8002438BB0958FBBDB3261B850D4C2AAE7684BE668A94449608573080A079E90458FEDBA5120376C248B913DA1E7141A0591E3E7FECCE4D907C1C203
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	%PDF-1.7..4 0 obj.(Identity).endobj.5 0 obj.(Adobe).endobj.8 0 obj.<<./Filter /FlateDecode./Length 77377./Length1 352268./Type /Stream.>>.stream.x..}.`T.......Y2K..7{..dB2Y....(....$.d..%.\p....}i..j...b@.im...`m+..P...J[......7.........\|p..=w}..w.s.9.. ..F..u..O..[P<...3.<.Lhn.oY.x..?<...Lh.:....!......N.~z.8Q...".5O.:}......@..k.N.1}.;/V.4...:m..xi.e./..\....4y...k....`......t......9.]R......c.;........{......-.:...._*....@U....]`.-.7....].ra.....kz.`.._p.......>....-.;......Az.E.`S8....0.Zt..K..V=....a....]H.%>.;.&.Y:o.9..[...X....^.3......}.,X1....l.....^..._...O....k.........-...t......-..F...'...k..5.........kw...M.s..,.Z.<..j.`..).77}..`.N..v.bm.. ...........y9.....@.....2. ........%.ix.R..]P..K..j.....M>........2..</.I.Rx.....J!KUMrii..(.......h...c....80~....e.....:?S_....N.,....r....Lz+..s.Px`y.0......L.=0.{."..........9.I./.............V._.........a$A .U.N..7............................?.....pT .......b.0..........l..=......7....

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	16151
Entropy (8bit):	4.908485763338948
Encrypted:	false
SSDEEP:	384:8EK8+x+DdcyDbv+IvRapPD3+roNVkLNXm64rd2:XK8+x+htbvJwN3+rocP
MD5:	F23F6315632CF0B58C2243A3FA3E4D06
SHA1:	CD32534BAEE9CCB55C1FAF8653FC53DB22291C85
SHA-256:	EA34C9C0CD918EF15FCE8FEED4DF83359BDE1D6E60F6632378970D73D68F36A7
SHA-512:	A5CC08E0CCFE4BD48CDF19D5638B3A34B756DFA8636A12CBD53A78415DCFE6874DFFE99119CDF4D4CF7C05EB041EB461B8E8F48FB84EAF07BAD85FFB4AC97AAB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\fswiss\fprq2\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17134}{\\mmathPr\mnaryLim0\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\widctlpar\b\f0\fs22 Add2Exchange End User License Agreement\par..\b0\par....\pard\widctlpar\sa200\sl276\slmult1\f1 This EULA covers both the Retail License and the Original Equipment Manufacturers License. By proceeding, you agree to be bound by one of the following options. [Option #1 is the Retail License and Option #2 is the OEM License]. This is your END-USER LICENSE AGREEMENT ("EULA") FOR DIDITBETTER SOFTWARE(r). IMPORTANT-READ CAREFULLY: This End-User License Agreement ("EULA") is a legal agreement between you (whether an individual or an entity) and [Option #1 - DIDITBETTER SOFTWARE, a division of Advantage International, Inc. ("DIDITBETTER SOFTWARE")] or [Option #2 - the manufactur

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\First_Time_Installer.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	17385
Entropy (8bit):	4.608607390064206
Encrypted:	false
SSDEEP:	192:y4EBdqrg+gCoTgFPjAJy9oWSWvncm5yJvv8WEj+WonoHEqNgr:CpCocFPSyKWdvXAJcWEtoiEq+r
MD5:	24906D4F36602C1492A74A26C229E000
SHA1:	11A0EA2FDE23EF154F4B2F2E0B37BF4BDB20B390
SHA-256:	E8F85E3101B5613AF06DD998E7E119A9D8F48B2CB0178FD79769EF4CCA73FD0C
SHA-512:	00C6C2F4F94EB11860F061DE5E53A710C93FD13AFDC71D475087AD4C3058E4AB9205E8C3567F420A9D538C80035B29A866002F27DA1BE4AB55206C181BC9FB73
Malicious:	false
Reputation:	low
Preview:	<#.. .SYNOPSIS.. Create Initial Environment for Add2Exchange Install.. Assign Permissions for Add2Exchange.. Install Add2Exchange.. Cleanup.. Luanch Add2Exchange for the first time.... .DESCRIPTION.. Step 1: Account Creation.. Step 2: Upgrade .Net and Powershell if needed.. Step 3: Create zLibrary and Create Shortcuts.. Step 4: Install Outlook and Setup Profile.. Step 5: Mailbox Creation.. Step 6: Create a Mail Profile.. Step 7: Add Permissions (moved to step 11a).. Step 8: Add Public Folder Permissions.. Step 9: Enable AutoLogon.. Step 10: Install Add2Exchange.. Step 11: Add Registry Favs.. Step 11a: Setup Timed Permissions.. Step 12: Cleanup...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurren

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Links\Request Support for DidItBetter.url

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	dropped
Size (bytes):	207
Entropy (8bit):	5.155953403004538
Encrypted:	false
SSDEEP:	6:J254vVG/4xtOFVm/lCBL3W3yLPiQAwW3UGIyc1ynE5Vsv:3VW4xtOFVm9C93W3yrCwWghynd
MD5:	A675BC61B22D603FA553D133C3A80530
SHA1:	69C7F69497435AE1C7045FC7646DF7E030A71D60
SHA-256:	703F87D93902B09647F65B0A6C0FAC76AD3D3ECEFCECBA0B487D6BE5FC11CC86
SHA-512:	6B7410E10F34E3675B57A12A0F3986396FFFF60187CE07B8BC2932E463351EEF8C4BF8B0E5E384BEAAEA79CDBA4CBA606C12ECABBC93D0C5FADC40B8A439D6A5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,2..[InternetShortcut]..URL=http://support.diditbetter.com/support-request.aspx..IDList=..IconFile=C:\Windows\system32\SHELL32.dll..IconIndex=160..HotKey=0..

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Outlook_Installer.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2031
Entropy (8bit):	4.9264371266008435
Encrypted:	false
SSDEEP:	48:uLl0WZPDP6MPPOb0PPGsGyk9z1585wQ5zYGLa9zOdg9zzPtvvKn3anlPIl:20WIMaMyyk9z1585wQ50GLa9zOdg9zxC
MD5:	9A6C59517107E29E7078D7B96723CB98
SHA1:	3511E00B4372319EF796129621FC62D4AF7A4FA5
SHA-256:	C0553E6FA21203007BCF887EB57BACDC9E01BB3646495200A76C372030164CEF
SHA-512:	C14AA17A084ECA0E3EC106F962AF5271ABCF9AB363CC5D3AC467D29ADF4BFDE1D36CD7AF707897D913C77F660E3B3585527CA8CE15F51EE4930FC210039CE5CC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<#...NAME.. Outlook Installer..#>....Add-Type -AssemblyName System.Windows.Forms..[System.Windows.Forms.Application]::EnableVisualStyles()....$Outlook365Installer = New-Object system.Windows.Forms.Form..$Outlook365Installer.ClientSize = New-Object System.Drawing.Point(247,169)..$Outlook365Installer.text = "Outlook 365 Install"..$Outlook365Installer.TopMost = $false....$ProRetail = New-Object system.Windows.Forms.Label..$ProRetail.text = "Office 365 Pro Retail"..$ProRetail.AutoSize = $true..$ProRetail.width = 25..$ProRetail.height = 10..$ProRetail.location = New-Object System.Drawing.Point(21,30)..$ProRetail.Font = New-Object System.Drawing.Font('Microsoft Sans Serif',14,[System.Drawing.FontStyle]([System.Drawing.FontStyle]::Bold -bor [System.Drawing.FontStyle]::Underline))....$Pro32 = New-Object system.Windows.Forms.Button

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Office365_Pro_Retailx64_Configuration.xml

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1023
Entropy (8bit):	5.202613438368244
Encrypted:	false
SSDEEP:	24:OkfEslTC6jycWuLcWlfAcWiLcWbFS8httxkB:9fE+e6jyctLcrcjLcqDDtyB
MD5:	BC70B4D7C9C7053F4C30FC1721A67D63
SHA1:	D9E574805F4018C7CC25C2AA97DC56DA3E0B5044
SHA-256:	794E2365F2E580F669BAD988064606F814A1EDDDB7F865C3D291AAF15AE1EF0D
SHA-512:	6AF3A9F2428698FB935894470BF7F0AC8BEAE66936DF3E6B5994A96E62972AD693763892B4FF58CE322E8275C135F4E2FE3A31CBA7A87AC15DA129B0CB242569
Malicious:	false
Preview:	<Configuration ID="0ed28122-0109-4692-886e-6c4b754f4025">.. <Add OfficeClientEdition="64" Channel="Broad" ForceUpgrade="TRUE">.. <Product ID="O365ProPlusRetail">.. <Language ID="MatchOS" />.. <ExcludeApp ID="Access" />.. <ExcludeApp ID="Excel" />.. <ExcludeApp ID="Groove" />.. <ExcludeApp ID="Lync" />.. <ExcludeApp ID="OneDrive" />.. <ExcludeApp ID="OneNote" />.. <ExcludeApp ID="PowerPoint" />.. <ExcludeApp ID="Publisher" />.. <ExcludeApp ID="Word" />.. <ExcludeApp ID="Teams" />.. </Product>.. </Add>.. <Property Name="SharedComputerLicensing" Value="0" />.. <Property Name="PinIconsToTaskbar" Value="TRUE" />.. <Property Name="SCLCacheOverride" Value="0" />.. <Property Name="AUTOACTIVATE" Value="FALSE" />.. <Updates Enabled="TRUE" />.. <AppSettings>.. <User Value="0" Name="runosc" Id="L_TurnOffOutlookSocialConnector" App="outlk16" Type="REG_DWORD" Key="software\microsoft\office\outlook\socialconnector"/>.. </AppSett

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Office365_Pro_Retailx86_Configuration.xml

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1023
Entropy (8bit):	5.2041868894674
Encrypted:	false
SSDEEP:	24:OTfEslTC6jycWuLcWlfAcWiLcWbFS8httxkB:ufE+e6jyctLcrcjLcqDDtyB
MD5:	6C49E64FFF25A2225546976F7A9BE5F6
SHA1:	6CC15D048275904F2E8D7AFC1F7789750FC6365E
SHA-256:	B52A9402BB73233A077BC2437228A26AEEB9C8F53FE3E9147209A09A9D5A833F
SHA-512:	FDCF646EA8D896ACA2EF3AF156D5403D509EAA06580A87854BAA5B2D0353B4483F62EA60F128338020E8039A95A3DC3FC85A45ED4A2539929A0A3B366A0F7B99
Malicious:	false
Preview:	<Configuration ID="0ed28122-0109-4692-886e-6c4b754f4025">.. <Add OfficeClientEdition="32" Channel="Broad" ForceUpgrade="TRUE">.. <Product ID="O365ProPlusRetail">.. <Language ID="MatchOS" />.. <ExcludeApp ID="Access" />.. <ExcludeApp ID="Excel" />.. <ExcludeApp ID="Groove" />.. <ExcludeApp ID="Lync" />.. <ExcludeApp ID="OneDrive" />.. <ExcludeApp ID="OneNote" />.. <ExcludeApp ID="PowerPoint" />.. <ExcludeApp ID="Publisher" />.. <ExcludeApp ID="Word" />.. <ExcludeApp ID="Teams" />.. </Product>.. </Add>.. <Property Name="SharedComputerLicensing" Value="0" />.. <Property Name="PinIconsToTaskbar" Value="TRUE" />.. <Property Name="SCLCacheOverride" Value="0" />.. <Property Name="AUTOACTIVATE" Value="FALSE" />.. <Updates Enabled="TRUE" />.. <AppSettings>.. <User Value="0" Name="runosc" Id="L_TurnOffOutlookSocialConnector" App="outlk16" Type="REG_DWORD" Key="software\microsoft\office\outlook\socialconnector"/>.. </AppSett

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx64.cmd

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.572765012132931
Encrypted:	false
SSDEEP:	3:Pg4QQ6/QIK6Wde8UMeKJ:PVQQFKWlU2
MD5:	E49E7FD101C66A32558FF27564234222
SHA1:	671A4BBE57BB7C9E872693DFA4CDC967D4329A93
SHA-256:	72507222065118F1D879128E8E98C633AFA6C21275CB9246F5AAC18041A1FDBF
SHA-512:	1A7CE80BE39B2B2CF38B1687A0CD6E9F318C216F6562F1170283835360B8AFE053D72CAD6714F4073927932BFFCD3EDDFCAB09962A6C145BF5F34C1CBD261E8B
Malicious:	false
Preview:	setup.exe /configure Office365_Pro_Retailx64_Configuration.xml

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx86.cmd

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.572765012132931
Encrypted:	false
SSDEEP:	3:Pg4QQ6/QIK6WdoMeKJ:PVQQFKWi2
MD5:	8D16D2E6750AE5217ADBBAC538E6E89E
SHA1:	06126FF482AB5F91E32315DE94ECE2F39533C1BF
SHA-256:	FFB180B7837FAB58A39779694E3025F98A0AE6B747B3A84BCB96BBA59486C5F7
SHA-512:	D17FC93E05CAF4FB938EC1CE9A18793610A2B2381D020227613117031E238B0E6F8A1957EC1000BDD7D2CF2587C3DD1FD4C2CD93010B70686FDF46747BE50B2C
Malicious:	false
Preview:	setup.exe /configure Office365_Pro_Retailx86_Configuration.xml

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5169440
Entropy (8bit):	6.649944627880774
Encrypted:	false
SSDEEP:	98304:vqihTvjtEh2N5LQhyddG4THBZoJG3QBMxvble/bsTwY2h3:TpvE8dgq3oJG3QBMxBlW3
MD5:	B374FA0E7E34B9CE9C142FE80E1EFADE
SHA1:	2537F4523B12E9801F2ACB8FE38D5D725A56A61D
SHA-256:	A87105965530799BABBB71A1FD52DBD7CDDEE71C40E2C37576235D156FF02027
SHA-512:	8F5FF73932568006C38B9E1BB8DAABF0DC6E419FC1E6D96159FB1234439B8AB9B283D617540CDC5860538AFFEA89BA0A553F4CCF2B9F1949D9E907BA56C2F74C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: V425Q1tORs.exe, Detection: malicious, Browse Filename: V425Q1tORs.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Gc.-...~...~...~..'~...~..%~...~..$~#..~Ig.....~Ig..+..~Ig.....~...~...~...~...~fd.....~fd.....~fd.....~fd.....~...~)..~.d.....~.d.....~.d)~...~..A~...~.d.....~Rich...~........PE..L...r..[.........."......l+..2#.......#.......+...@...........................O.......O...@.................................8b?.......A...............N. ?...`K..<....:.8.....................:......,.@.............+.8....M?......................text....k+......l+................. ..`.rdata........+......p+.............@..@.data.........?..H...x?.............@....rsrc.........A.......@.............@..@.reloc...<...`K..>...dJ.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup.zip

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2668259
Entropy (8bit):	7.998881312154931
Encrypted:	true
SSDEEP:	49152:MUbYsgyV5rS/kPE79ObqVIBYZKKXEqYbrjdLiBWn8qfMVqCqJ:MUbYsgyUcgOIdZ4ZZLou6qCqJ
MD5:	A00060FA16A451A14EFD4D8431CF4FA0
SHA1:	57EE5FF9CE2DCD217AFC03820FDF2E4A1EFB072B
SHA-256:	5FC1DC21BE4CBC3536079157FD9C75F93EAC09C90DF836432320817E7C720F1A
SHA-512:	4C02E3F18FB1F66BE214811491C7FA11E4570E947DD3C34A18B13A3F24F37B117266E91ACAF0B6A4F11A21A8965918C83CCF8D39AD142290566FBCEFAB8888BA
Malicious:	false
Preview:	PK.........@[W................Setup/PK.........AiV .-......<......Setup/A2E_Auto_Migration.ps1..ks.F.{f....g..Rj..t<u3...6.p.6..C:.j.S...$..........0N_..\|...n_.k.}....>...no...K..<.K.....%=....^.......kx.....\|".v..7C.g.bR.Y.........R.....%.........h.........y..2.L.O....+..v.+u-.pSr...%....pc...oL..K7..g.R...Sr\|$.f.V.....^...e.c>w.N-2.........d...z,R.=P.......H..fTp...WN...... ~.7.....h\|.}x.3e[.q....O..,...;.fOH]...z.@..X.=.vM..qi..........c.i..7...h..7.F'.}.u$.@MB....5.];.`0.o4..e.g..]sJ(.8a...5[.Cn. 8Pp.A}........6e.c..#.~...}N.5...wZ....s.....g............A.c..fdYla...P.O......k8..\|.h.....ERX8Zz4.$.S~}....%.C..... :.'Z.`..............w4.=..b...C..(..........\K.}E}....\|..+k..7..TJ..<~....C.....6..<..+.,f....g..A.dx..G......;...u..c.S..c.J.x<.38...it...}.7M...v._.N.........c.......H..:...j...R.5..2P..x...?v..p..`.e...=ri...U.7..F}....W..`.L-h..O.>...^M+.x..d.C.'K....p...gk6.\|..nM...(D..=.....Z.L#.<g.b..c..(#. .K.R..c..Q..5R..e.Ex..

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Auto_Migration.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15579
Entropy (8bit):	4.889068941413246
Encrypted:	false
SSDEEP:	192:URv4EBdSWEG7Dw4XpX4XoXJszFpzVf+/g7sD5FNPZWSDw4XpX4XoXhopz6f+/g7j:URxSWRb5oY+zd+/gI55oYOzC+/gqS
MD5:	93424836BFC74EF4E3291D2AD4190A59
SHA1:	3E9240FD41C8BDD4F969D1676CB4859FA4480F2E
SHA-256:	B9FC8E91F823BC275C8A881B9918609D646546AF25255E9F25E339544A662441
SHA-512:	7E95C9EC2D62D1AD8831BD2160B58C248AECDEF60EF07F7F4322B71A037141C4F784AF50CF80334674B53063098CFC66255E33CBAF9B52057FE1E77BC035D2FA
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Step 1 of 2.. Run Post_A2E_Migration.ps1 after this.. Automatically Migrates Add2Exchange to a new server.... .DESCRIPTION.. Check for current files and locations.. copy reg. files for Add2Exchange and backup.. Backup A2E SQL DB and move to landing zone.. Download from S3 latest build of Add2Exchange and upgrade prior to move...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_Power

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Directory.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	897
Entropy (8bit):	5.143902574568429
Encrypted:	false
SSDEEP:	24:SU0+J2+rcELm7LR6LPk1ophAl6PoHZu2p2MeD3nMhz:A+gYmPROsEDm9eD3E
MD5:	F0881E090546B066243B4E31C5871A4F
SHA1:	20E3AFBA20B081A484E4F6EA00E865394D7DAFC8
SHA-256:	09DC73CEAAC643ED32120FBB7AE81BE75A922C2318A3A55ACED9042CF0350466
SHA-512:	96AA3A128CCF4C7B9735F349A31C240A927D2F44F855BC5C66554A2A466C96028805991BB508EC3DDAE35A5BDF6368FBC4B212AFAAD458041550812FD9040675
Malicious:	false
Preview:	<#.. .SYNOPSIS.. A2E Directory shortcut.... .DESCRIPTION.. Open Add2Exchange Directory...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force......# Script #....$Install = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange" -Name "InstallLocation" -ErrorAction SilentlyContinue.. Start-Process $Install....Write-Host "ttyl"..Get-PSSession \| Remove-PSSession..Exit....# End Scripting

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_MMC.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	916
Entropy (8bit):	5.206402114423433
Encrypted:	false
SSDEEP:	24:zKU0jSJ2+rcELm7LR6LPk1ophAl6PoLZu2p2MeHhpyhz:8+gYmPROsEDO9eHhpK
MD5:	6C6FE5D9C01ED59D63ABC1737A003357
SHA1:	B8FE156802D624D1B1322A211A572C6EC0332E33
SHA-256:	2C9CDDAA12253497C76A7DF48A9E9845FE3D9D3289F2E5844043EDDDA57C6273
SHA-512:	1405622C66DB32383DD8CDEB3409261BD3FD11B8C96BEA0D757B87AEA3EE09E6D98EF39F20303FB8C47A132A2B632A5385A76970AB8E59ADA2D3B79ADCB07C3A
Malicious:	false
Preview:	<#.. .SYNOPSIS.. A2E MMC shortcut.... .DESCRIPTION.. Open Add2Exchange MMC...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force......# Script #....$MMC = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange" -Name "InstallLocation" -ErrorAction SilentlyContinue..Push-Location $MMC..Start-Process ".\Console\DidItBetter MMC.msc"....Write-Host "ttyl"..Get-PSSession \| Remove-PSSession..Exit....# End Scripting

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Permissions_Commands.rtf

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	216321
Entropy (8bit):	4.453510072484783
Encrypted:	false
SSDEEP:	6144:Bruqfz1OZCOkNCRPRs8rHwsREvJGA217MY0sM:hLZOZtpBRmH2V+sM
MD5:	8A81C1400FFC2CD5B1FAAD465C0701EE
SHA1:	D26758B75BB032383464C2F5E5B020DD06FAE7D8
SHA-256:	8CD1F3A5BB0971E36910A7B67E48E2F7C6D310FD088BDA61B498E231AE585F0B
SHA-512:	146A14848BD885D892B38DD264D98D77805273A4F714A355446C0B81DAFBD200B1647E20C1370EC0DDF836B8B4E1F3EF99E5CF3A01477762354BA34F2360193E
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033\deflangfe1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fmodern\fprq1\fcharset0 Consolas;}{\f2\fnil\fcharset0 Arial;}{\f3\fswiss\fprq2\fcharset0 Calibri;}}..{\colortbl ;\red106\green153\blue85;\red212\green212\blue212;\red86\green156\blue214;\red220\green220\blue170;}..{\\generator Riched20 10.0.19041}{\\mmathPr\mnaryLim0\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\widctlpar\f0\fs22\lang9{\pict{\*\picprop{\sp{\sn wzDescription}{\sv Image}}{\sp{\sn posv}{\sv 1}}..}\pngblip\picw5349\pich1291\picwgoal3033\pichgoal732 ..89504e470d0a1a0a0000000d494844520000184d000005dd08030000008fbc05e8000000017352..474200aece1ce90000000467414d410000b18f0bfc610500000300504c5445000000fffffffcef..e7fef7f3fadeceef9560eb7d3cf9d6c2f5be9df2ad85d3e5c7b8d5a6cae0bcdcead2e4efddf4b6..91f09d6cec8547f6faf48cbb6e72ac4d95c179afd09af1a578ed8d547ab157f6c6a9f7ceb683b6..63fbe7daa7cb8fc1dbb19ec684edf5e9ecececb2b2b2c5c5c5d9d9d9f5f5f5cfcfcf6666667979..798c8c8c6f6f6fbcb

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_SQL_Backup.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8283
Entropy (8bit):	5.268485089494731
Encrypted:	false
SSDEEP:	96:lPdmPEB3GsP9ELNqjkdsiY7/MyDIC4GmL2MuozftgXWefk7NawVJDQxx/vJvXW1x:b4EBWsPGNqXMyD2LPR6RYNawVpYvBE
MD5:	E289DC757526BB6118CCD8B234483DB7
SHA1:	7185C6F23862169FA3E148935909E28952FA5D08
SHA-256:	C3C92F663B02D0E1E2B2BD46AE8A2983DC6A829EB4E4A8AF09B4D37B589D593C
SHA-512:	F7E76959B0EC843C2EE8C97FBF1D730F779D0BE369C13CCDF83A9D25D9792E02CF06905D2E51AC3CF420B43CBAFAFE80C4F70E4141AC3F6727E866CF5296158F
Malicious:	false
Preview:	<#.. .SYNOPSIS.. A2E SQL Backup.... .DESCRIPTION.. Auto backs up the A2E SQL database.. Makes task for auto backup.. default retention is 5 copies...... .NOTES.. Version: 4.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Variables..$Install = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange" -Name "InstallLocation" -ErrorAction SilentlyContinue #Current Add2Exchange Installation Path..$CurrentDB = $Install + 'Database\' #Current Database Location..$ServerName = Get-ItemPropertyVal

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Setup_Details.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (485), with CRLF line terminators
Category:	dropped
Size (bytes):	20181
Entropy (8bit):	5.1450742793043265
Encrypted:	false
SSDEEP:	384:4Xp3AzWqaGaAn6b/bSA40PeFlREGS+FUzgrfFfGroH+mLMYT+RdwKGip4fP28Ewj:yb340SlRjS+6zgLFfeoH3MYCRdbGiKfz
MD5:	8DC459D4B78D918A341B4938B1552F70
SHA1:	595052E1A7BA7A36D8A32AF4CC53AE1B0F85D4EF
SHA-256:	1F27A71C9A9008D49BAF22364336AF763ACB549D260225E387746199A68D6EA8
SHA-512:	EC2DE4DE898083E46C4BE3F32D1FEE0E5032223D4BFF73D9988C51C1DC1C8038E86B4F36184AD4DCBD1EC804020B0CF08D82010DF9FD276E10FA77C826AAEAB3
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Powershell script to include Add2Exchange setup details in .txt.... .DESCRIPTION.. Checks registry for A2E setup details and prints to .txt file.. Get licensing info.. Get install paths.. Get local account for Add2Exchange.. Get PS Version.. Get Windows Version.. Get DB Version...... .NOTES.. Version: 1.10.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....# Script #....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim()

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Add2Outlook_Set_Granular_permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators
Category:	dropped
Size (bytes):	24006
Entropy (8bit):	4.5977428899880435
Encrypted:	false
SSDEEP:	192:q4EBlX9hOegnbK4pDTfMQ2EX6LyOCXzY4pvfMmc8n6w0STq4pffMcG:EAnbK4pDTfMCuwzY4pvfMQvTq4pffMH
MD5:	9531BBFDE471AF746FDFEEB69964B848
SHA1:	CAE7CAD062B3FE3EF4ED3B78BDE521823C169E99
SHA-256:	229C448416621A50ED51125A1973D019BF3A5FE596584A4CE53E3C6AE1B0A098
SHA-512:	029D7B8703A2A5BF2F1F0B48F5E6F461B3FCD3D3662DBC5DC903E29C201CD565867263FC6576B32730FB11857C3945309DD3550E9AE563C671FD6546CDB6C94F
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Add2Outlook Granular permissions.... .DESCRIPTION.. Sets Granualr permissions to users on-premise or office 365...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\Program Files (x86)\DidItBetterSoftware\Support"..}....Start-Transcript -Path "C:\Program

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Permissions_Task_Creation.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41968
Entropy (8bit):	5.243228574520891
Encrypted:	false
SSDEEP:	384:H6tXgbb7+HNlzF2lm8tPj78F2cfBF2lCUBI2F2lzRjRtF2xpF215F2NAF2kFF2G2:m0ADOPpen/Fx0j
MD5:	BB243A354ADBE069FCAF359567A51028
SHA1:	A224B862CEFEEE04408459E81EDC2639DAD3D2E0
SHA-256:	7AED627FC4B85C44148A3AAAEF85B80636D388838AFDE60D62C494E53C8DEA3F
SHA-512:	9FD37D8ACBDC015580B7C2E0A090BDF6C68D52416D5EEA7203EACF9C3F3407A8B0A7A56F072286AEAD99DDB224B79655C77C8F38E00BC7D28698D954D9F7C6EA
Malicious:	false
Preview:	#Logging..Start-Transcript -Path ".\A2E_PowerShell_log.txt" -Append....#Pathing....$TestPath = ".\Add2Exchange Creds"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.. ..}..Else {.. .. New-Item -ItemType directory -Path ".\Add2Exchange Creds"..}....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version \| Sort-Object -Descending \| Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2) { Write-Host "You are on the latest Version" } .... Else {.. Write-Host "Upgrading Modules...".. Update-Module -Name ExchangeOnlineManagement -Force.. Write-Host "Success

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_All_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2151
Entropy (8bit):	5.162487348740605
Encrypted:	false
SSDEEP:	48:9YmPROBka5K9X9Lz9k9TElltstjA4HcYA4Zx:qmPEBVo9X939k9TaMjYY9x
MD5:	3A7D2158C9D2F4FCB32B6E159B0B525E
SHA1:	26955DDF02A0ADA152B45B870A3757EE35DDB157
SHA-256:	8E47D64B5963369453417FFC938997BEF43B15C951C57E52DF190B4BABD95276
SHA-512:	4C0B8E4A3D6832842823CE9D13D864A746CF3876F542A1E5111346C1E21F41481DCA11684CAF0032C7BD8862839486E44B8185903C11DB6E0CE733F10A891DF2
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit.. }.. .. .. #Execution Policy.. .. Set-ExecutionPolicy -ExecutionPolicy Bypass.. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12.. .. #Variables.. $Exchangename = Get-Content ".\Add2Exchange Creds\Exchange_Server_Name.txt".. $ServiceAccount = Get-Content ".\Add2Exchange Creds\Sync_Account_Name.txt".. $Username = Get-Content ".\Add2Exchange Creds\Exchange_Server_Admin.txt".. $Password = Get-Content ".\Add2Exchange Creds\Exchange_Server_Pass.txt" \| convertto-securestring.. .. # Script #.. .. Try {.. .. $Cred = New-Object -typename System.Management.Automation.PSCredential `.. -Argumentlist $Username, $Password.. .. $S

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_Dist_List_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2102
Entropy (8bit):	5.230466173766324
Encrypted:	false
SSDEEP:	48:9YmPROBk6PBN9n9LT9U9TS9jY1tkD7PzNIFMGIA4H9r:qmPEBtPBN9n939U9TS9y8bS2P5r
MD5:	89CF421CCCE150873AA500F3758F8F5A
SHA1:	0B65BA14167491C7764374092CBE1B7013BC5DD0
SHA-256:	FBE3DB3AE3ABACE46DD71EAF8FB1CFE9CDD6E5487B58FD5D94FF1ECA6BF91ECE
SHA-512:	CB948C442328D6A0AD0DF3B9382E2A482DEAE6CD3A613E30411F9C9A3DA172E7F249D0D6DD4DC03E987A400418ECF9D3305C976C305B768F50EEDC3FF34D2BDF
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Variables..$Exchangename = Get-Content ".\Add2Exchange Creds\Exchange_Server_Name.txt"..$ServiceAccount = Get-Content ".\Add2Exchange Creds\Sync_Account_Name.txt"..$Username = Get-Content ".\Add2Exchange Creds\Exchange_Server_Admin.txt"..$Password = Get-Content ".\Add2Exchange Creds\Exchange_Server_Pass.txt" \| convertto-securestring..$Groups = Get-Content ".\Add2Exchange Creds\Dist_List_Name.txt"....Try {....$Cred = New-Object -typename System.Management.Automation.PSCredential `.. -Argumentlist $Username

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_Dynamic_Distribution.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3035
Entropy (8bit):	5.145689633354292
Encrypted:	false
SSDEEP:	48:9YmPROBk6PBN9Z9U9TZ9n9x1tkfnAH7IzYtn3BKz1w:qmPEBtPBN9Z9U9TZ9n9n57m6xKz1w
MD5:	1F7EB58896F3866ECF20359778262CC9
SHA1:	93116FF3EDF8528B74641019AEABE9CF53EB528B
SHA-256:	86DC185646EA5CDFEBBB3EAB8A188F3E4A006C07C256777FB18652EAB29564D1
SHA-512:	200C61EBD1C921E461EF6B7129C15A4E094C6C0BBBC235BB199EDA82C99F64EB688C9EF028E76A0233AC476BF851A3B105B782F0B4F6DB4DDC01C0636BE9E659
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Variables..$Exchangename = Get-Content ".\Add2Exchange Creds\Exchange_Server_Name.txt"..$Username = Get-Content ".\Add2Exchange Creds\Exchange_Server_Admin.txt"..$Password = Get-Content ".\Add2Exchange Creds\Exchange_Server_Pass.txt" \| convertto-securestring..$DynamicDG1 = Get-Content ".\Add2Exchange Creds\Dynamic_Name.txt"..$StaticDG1 = Get-Content ".\Add2Exchange Creds\Static_Name.txt"....Try{....$Cred = New-Object -typename System.Management.Automation.PSCredential `.. -Argumentlist $Username, $Passwor

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Office365_All_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2554
Entropy (8bit):	5.173142548372283
Encrypted:	false
SSDEEP:	48:9YmPROBk642pHCZMC/9LT9/9+EY7A4H29:qmPEBtKMC/939/9+ti9
MD5:	454AD4DAF7770AA0475332B7B61F35A8
SHA1:	D9CAF58B50B20B15B6D713DC1C2A87CB0F421CFE
SHA-256:	0B995601F037D76FD2B6B9746AFDCC33A29F8769772A7E26AE8DDA20B79B392A
SHA-512:	D19D3080FD3207716A8AB794DDB103339D50C28AC0BC24FCBBE80BD10E64A27C0282844F6E32B55643AD196912E043A16A3C45EF187C83AB3ED0B1A2CE3F255F
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version \| Sort-Object -Descending \| Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Office365_Dist_List_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2772
Entropy (8bit):	5.190597884596586
Encrypted:	false
SSDEEP:	48:9YmPROBk642pHCZMC/9LT9/9+S9jYT7PzNIFMGIA4HyKx:qmPEBtKMC/939/9+S9qbS2PmKx
MD5:	40849438C1AD17F7506ECA0AF810E5A5
SHA1:	622291B78908387DBE154E641D6D22496DA2C946
SHA-256:	9E68CCDA9FA2A971FF15BEA0264A326433C9DAE2AE635E240A790ACE6C7B5F49
SHA-512:	A05BBBE610A0E9317E764782FB375C4140B55CDA1AE0C535B4993A183DE77F74C39BD056853EAE7FA8DE55C33C2E7861F0E58B5C73BA867F52B4F5BD64793934
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version \| Sort-Object -Descending \| Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Office365_Dynamic_Distribution.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3701
Entropy (8bit):	5.118368046067273
Encrypted:	false
SSDEEP:	48:9YmPROBk642pHCZMCB9/9+V9v9uYWNja7IzYtn8UQprG:qmPEBtKMCB9/9+V9v9ia7m689prG
MD5:	0E3C648CF3C2A950A790C8412752F058
SHA1:	7AD73D971222436E5801E14AF3A43A1E49FE1E9F
SHA-256:	528E4E9F041933014B6CBB1C1405DBBF2CEA0A5225AC56F5090D333595BFEDA7
SHA-512:	E7CE197E2993FA6AABDF8AC4823BD8CAF08312E1AC5D785CF40E28ABB271850444D911678914F4F5DEBD1AF485DCDD642B9037C0127406761ED71ADFBFC414DE
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version \| Sort-Object -Descending \| Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Shell_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators
Category:	dropped
Size (bytes):	35480
Entropy (8bit):	4.466946069094336
Encrypted:	false
SSDEEP:	192:q4EBXL2hO9keHSowqzeZrTJN7nW9pdYkyO:2nkeHSowqCZ78YkF
MD5:	09F016831A4007FBC4A35EF1C5E88CDA
SHA1:	9AFEC61CECE26BCA466EB0F98EB1D9AD95A83D71
SHA-256:	A1095A2035A2CCD0C20A7DB63A6A473FD1973F481C2C6995A910518320DFEA4F
SHA-512:	0039359F4547CBBEF21ED0584FC16A6FB488CDE30702F4BBF05A354D472033E413111215360F3C0B78884DF4ED7746E35E43836D9BEB41DBAC2EBEB73351DD77
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging....$TestPath = ".\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path ".\Support"..}....Start-Transcript -Path ".\Support\A2E_Permission_Results.txt" -Append....# Script #....$Title1 = 'Add2Exchange Enterprise Permissions Menu'....Clear-Host ..Write-Host "================ $Title1 ================"..""..Write-Host "How Are We Logging In?"..""..Write-Host "Press '1' for Office 365"..Write-Host "Press '2' for Exchange 2010" ..Write-Host "Press '3' for Exchange 2013-2019"

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Stand_Alone_DyanmicDistList_Task.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1182
Entropy (8bit):	5.177298437958451
Encrypted:	false
SSDEEP:	24:9ELm7LR6LPk1ophAl6PoqGba5KNZDaNvmLbPXuq7Whz:9YmPROsEDFdAzuX
MD5:	E7429B9BC39E9217F0FB503DE41E1364
SHA1:	0608BB8B293A11F58EEB8CAA322CAF670CD48EFA
SHA-256:	6C696EF6E3D94FE2712B3063C7A52C6618A0D346C0B22718572FE7DB2A178885
SHA-512:	DB305B546B58D66809CC7F79389CE1D637C1EDDFB490162527C95752A306F2E616CB264B03719A40297773CE1A79D960B453F6EFA6B3C9486648705D351D56B5
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass......# Script #..# Report Correct File Path of DynamicDistribution List File..Write-Host "Creating Task".. $Repeater = (New-TimeSpan -Minutes 720).. $Duration = ([timeSpan]::maxvalue).. $Trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval $Repeater -RepetitionDuration $Duration.. $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -WorkingDirectory $Location -Argument '-NoProfile -WindowStyle Hidden -Executionpolicy Bypass -file "ENTER FILE PATH HERE"'.. Register-ScheduledTask -Action $Action -RunLevel Highest -Trigger $Trigger -TaskName "Add2Exchange Permissions" -Descrip

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Stand_Alone_Dynamic_Distribution_List.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2376
Entropy (8bit):	5.091813731955432
Encrypted:	false
SSDEEP:	48:9YmPROBkH+yF0TveJjpnAH7IzYtn3BKzi:qmPEBl6KeJjs7m6xKzi
MD5:	CBC1624883A282B70B867D25B380EE1C
SHA1:	519E9B90F6558C1B507A1B71F9706B9400FE1E40
SHA-256:	0470A94170B0407E9C8AF85F2292EA767A424A82686E1991E28F320A2A325809
SHA-512:	16E60FA701564121144AD3217F7F1689C39FB9D368067256C08D4CF0E57CAFEB75B65F2F32FC58AF5119A62D6F1B253B5E18210B4871EAE48CB8E93EA5F0245D
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....# Service Stop #..Get-Service -ComputerName "TYPE COMPUTER NAME HERE" -Name "Add2Exchange Service" \| Stop-Service -Verbose -ErrorAction Stop..Start-Sleep -s 30..Get-Service -ComputerName "TYPE COMPUTER NAME HERE" -Name "Add2Exchange Agent" \| Stop-Service -Verbose..Start-Sleep -s 10....# Script #..Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;..Set-ADServerSettings -ViewEntireForest $true.. ..#Variables..# Fill Out Dynamic and Statis Distribution Groups Below....$DynamicDG = @("Dynamic DL HERE", "Dynamic DL HERE")..$StaticDG = @("Static DL HERE", "Static DL HERE")....for ($i = 0;

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Upgrade_Add2Exchange.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13582
Entropy (8bit):	5.313134466355976
Encrypted:	false
SSDEEP:	384:XUY0O+oYiiMwqhZ6UbLPr9pNjg/vXdAZNBvOrj75bxF5HXgoco8D7zRRCOOyiD+n:z0O+oYiiMwqhZ6UbLPr9pNjg/vXdAZND
MD5:	6BEDF8B55CAB971FF2E23CCC1EA27E7F
SHA1:	627234B6FF79F0780A8B7DAE89B0BDEE54F7526E
SHA-256:	77AD9D0C0B089A83B26AAEFEA3CE8165F0EF1E32B3819AC16B3C4EF9CBCCEE21
SHA-512:	C516BB789C1E8CC52835FFC29C3B25A3BF50E0CE1730BCD2721DE99CD211CB3F976C75928805A5A97A9AED791410C7D05F13ABC5B24D85DDA071B7C5374B183B
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Automatically upgrades Add2Exchange to the newest version.... .DESCRIPTION.. Check and Creates scheduled update for Add2Exhcange.. Checks for outdated license keys and prompts before upgrading.. Downloads from S3.. Upgrades Add2Exchange to latest build.. Sets password for Add2Exchange Service.. Start Add2Exchange Console.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Upgrade_Add2Outlook.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4036
Entropy (8bit):	5.235276683746445
Encrypted:	false
SSDEEP:	48:3WN3qEyse+3iL+gYmPROBkuNQloEMmotXW0muXzag4fvSSRkFWJKMZyqc0IAXzI2:3WPyPCmPEBd+aVnSRRF/ADJHofSLPw
MD5:	4AAA734208D8E215BBAB17D855B7CF97
SHA1:	93840F59A560538EE2DBB7DA884D70FDE2DDAB4B
SHA-256:	B6BF85319892EBDDA5FA5CF47F59531153C463D33A1D74C39D3C704CE2405556
SHA-512:	82357105967198B1494A9483527FB26D9F8110FC20811733C7E3A4FDE6D0D96B0D5688C71F05B5703D42F27D692924C339F15A42376E2CC7CF92C677AAFB1C43
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Automatically upgrades Add2Outlook to the newest version.... .DESCRIPTION.. Check and Creates scheduled update for Add2Outlook.. Checks for outdated license keys and prompts before upgrading.. Downloads from S3.. Upgrades Add2Outlook to latest build.. Sets password for Add2Outlook Service.. Start Add2Outlook interface.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Upgrade_RMM.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6201
Entropy (8bit):	5.186007695712116
Encrypted:	false
SSDEEP:	96:3BcOyaymPEBt0qBfROuEnSjc5SomkY8DP9ku7zF7GNnSnMF/AN6HofYCntdX92rc:C4EBtbf0uSSjlQY8aCa/AEHS
MD5:	2FB639DA7949E56BAA214AE840F13E0B
SHA1:	AC820AE801AB94D6041B5CA11921E53DD31BA232
SHA-256:	2A4E8368A8A7CCAFDE0E226BB499A53A5F265DFBFB48155221C1AD067D7CB072
SHA-512:	F96D6C64D6C99307332835D93B08C8705A32AB74B1FD06E7E24E3856DCD40956ACBFA21FC21D766E0806F2D7DBB8EC161CC52D61621A12290CE51AA9BD9B616B
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Automatically upgrades Recovery and Migration Manager to the newest version.... .DESCRIPTION.. Check and Creates scheduled update for RMM.. Checks for outdated license keys and prompts before upgrading.. Downloads from S3.. Upgrades RMM to latest build.. Start RMM interface.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>.... if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit.. }....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....#Test for Upgrad

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Upgrade_ToolKit.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4164
Entropy (8bit):	5.222446959080407
Encrypted:	false
SSDEEP:	48:3WN3qEyse+3iL+gYmPROBkuNQloEMFtXWaZXzag4fvSSRkFWJkWZyqcKIAXzIy/v:3WPyPCmPEBd+qrnSlLF/AOHofKcOx
MD5:	28E59560B884DA8763573D7B485297E4
SHA1:	05507AC499BF399373C168177ECBC4DD4E60ADD5
SHA-256:	919D7C612EA6790AE25373037E04AE138356135124F83A4A2C9253D3CB42014C
SHA-512:	9677C82C3388628260DAEAA67FB99048AF6B87771BF6E370CA7A73FC705E882452A62AA3C24DA03F2A6B0F829DBCAECACBAC0D04B4B442613324D7A5E9FC6D0C
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Automatically upgrades Add2Outlook to the newest version.... .DESCRIPTION.. Check and Creates scheduled update for Add2Outlook.. Checks for outdated license keys and prompts before upgrading.. Downloads from S3.. Upgrades Add2Outlook to latest build.. Sets password for Add2Outlook Service.. Start Add2Outlook interface.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138920
Entropy (8bit):	6.351883874026519
Encrypted:	false
SSDEEP:	1536:uMpeguHQeJD3z7NF0Y1g/z1EwyjcOzk954H6STYSs+sRd1cccTMTsWjcdLEs6y2S:Js5HQeh/vgLewZUFYdmJ4s6puehSE+EU
MD5:	607A332709458F781C20AB49940C4B64
SHA1:	923409BE6C1B183C74DA221DD23A42B4B981BA19
SHA-256:	324C64D24818A0BE63A43A8DF678B88DCA4F8959841F91F4875CC6ED0E93F549
SHA-512:	DF90A3E8B041B756DAD139E4036C3D3F512D4348FCA222886E765FA20D1A578271038A798D4D8936447D9767272FC2D27AB0ABE1F021673ED43F3B8DBC730AD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........bc....K...K...K.Q.K...K.Q.K...K.Q.K...K.{.K...K...KF..K.z.K...K.Q.K...K...K...K.z.K...KRich...K........................PE..L......W.............................9............@..........................0............@..............................................................>......0.......................................@............................................text............................... ..`.rdata..p...........................@..@.data...<1..........................@....rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Bypass_AutoDiscover.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2311
Entropy (8bit):	5.186434811896025
Encrypted:	false
SSDEEP:	48:ZZrFM+gYmPROsEDUX7PpQzs6PkQ8ajPpEIxPphApPp8rgn7:1MCmPEsNrhmR88hEIxhhAphsgn7
MD5:	E4178F8743EFBCF5C913DF3B0C0A67EF
SHA1:	63F9EFBB79FDD3E92DBCB446CD63F41BF0E419E7
SHA-256:	10BEAABFD5D7E3DB3BFF5DEDF25FA115B70603CB4C7B3F984240488D3FE93DEC
SHA-512:	D800D8247F2E8A7B930526A7150857A775CAA68FB358DF2FD3D6490E17DBCAE71C176579D1CC1C31C9AB3EC55E6BDA36774BC6ABAA3E6030142D09CB3169CF05
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Bypass AutoDiscover.... .DESCRIPTION.. When ran, will set registry keys in regedit to bypass current autodiscover and exclude O365 Endpoint...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....# Bypass AutoDiscover..Get-ItemProperty -Path "HKCU:Software\Policies\Microsoft\Office\16.0\Outlook\Autodiscover" -Name "ExcludeExplicitO365Endpoint" -ErrorAction SilentlyContinue -E

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\DiditBetter_Support_Menu.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	36279
Entropy (8bit):	5.094410419594323
Encrypted:	false
SSDEEP:	384:iqZEMT2lsd9y18hT2lA5h1OYYPT2lPxD49gccsWT2l1oLq6Al4nlT2lhAKrRWQb5:Dm36PZ+
MD5:	3243E53FE3DC8EBDD8DD2D9C82862EB2
SHA1:	C2FE83D72161EF9A3D8FB01E84B7F2621832E296
SHA-256:	2C3173702001100EDA5538994095561DA59B7023E34EF1F748F2634FA5B39B9B
SHA-512:	5D0E8C8E3C23E75C3139B9CD9DB9B580862A9A92DF4D7EE0C6337DF54C0CEB0B192B5CD6F679A3F0694EA9E5D12A21AF5B1358C0847A4B6F27E57FEF8C20F5A3
Malicious:	false
Preview:	<#.. .SYNOPSIS.. DidItBetter Software Support Menu.... .DESCRIPTION.. Menu for all powershell tools used.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....Add-Type -AssemblyName System.Windows.Forms..[System.Windows.Forms.Application]::EnableVisualStyles()....$DidItBetterSupportMenu = New-Object system.Windows.Forms.Form..$DidItBetterSupportMenu.ClientSize = New-Object System.Drawing.Point(542,725)..$DidItBetterSupportMenu.text = "DidItBetter Software Support Menu"..$DidItBetterSupportMenu.TopMost = $false..$DidItBetterSupportMenu.BackColor = [System.Drawing.ColorTranslator]::FromHtml("#ffffff")....$Upgrades = New-Object system.Windows.Forms.Label..$Upgrades.text = "Upgrades"..$Upgrades.AutoSize = $true..$Upgrades.width = 150..$Upgrades.height = 10..$Upgrades.location = New-Object Sys

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Dir_Sync.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1761
Entropy (8bit):	5.156369223547245
Encrypted:	false
SSDEEP:	48:6X+gYmPROBku5S4uvdGeE/unqH9eD7MFszUHjLH:oCmPEBd5S4ulCunqC7MGojT
MD5:	F15B2367D478E08070CF913EFF9775A4
SHA1:	3B239969D571EC0F29E4C88D7ACF783FDB3EC50F
SHA-256:	9853B16C6DC415B0FE4D19FC9929D987CEEFFDBC65BAD3C5426CDAA4897CD5EC
SHA-512:	C9B94757D0F30B29F27D5F4D0F4C14D3E9A66F2D9CB14F0ECD23D0CB285B61B6B4AD30260573ED3AE71CF8D8B9DFC9922C39E478CD6AF69DF19FFBBFF2E4FE09
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Directory Sync.... .DESCRIPTION.. Forces AD sync with cloud AD...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....# Script #..$wshell = New-Object -ComObject Wscript.Shell.. ..$answer = $wshell.Popup("Caution... You Must Run this on a box with Active Directory. If the box you are running this on does not have Active Directory; Click Cancel and the File will be Automatically copied to your Clipboard. Otherwise, Click OK to Continue.", 0, "WARNING!!", 0x1)..if ($answer -eq 2) {.. $Location = Get-Ite

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Disable_Modern_Authentication.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2643
Entropy (8bit):	5.267360743384632
Encrypted:	false
SSDEEP:	48:HrxMy4+gYmPROhE5UNleEXfEXmtXyBM9wv4DyEwDEuwDymDRn7:54CmPEh9j0mAa9WCyEKEuKy8Rn7
MD5:	DAC366EB2AC0C56F103FCE8F00DFE019
SHA1:	390268DFFE32FE42E167CDC5BD95F2FD1BF63C7C
SHA-256:	AEAE6072BC4BA590E63D789457E46EFCB5FDC1EDC9A5E49C850D834E8ABED797
SHA-512:	BFDCF96F078325CA890CE1CF182196A0ADD12F3BE50558B6B499C52898A5587995F1E46F682913DB25BB48311A70A3B75A5D806CDED12CFE93D6D5AD4AB8B86A
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Disable Modern Authentication.... .DESCRIPTION.. Will disable Modern Authentication for machine that it is run on.. Outlook will then use creds manager on board to connect to exchange...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....$TestPath = Get-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity" -Name EnableADAL..$TestPath = Get-Itemproperty -

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Disable_Outlook_Updates.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.198020535628352
Encrypted:	false
SSDEEP:	24:oXtLJ2+rcELm7LR6LPk1ophAl6PoPsIN4SHAts+8XToL9bGs+8XToLo/T8GnzJhz:oX2+gYmPROsEDUXr2N8XTawN8XTao/R7
MD5:	4D42BA60AD65211D97ACD062F44E7332
SHA1:	01847AA3E0AF6DB359AD6F1C95D68C20F9C24C11
SHA-256:	21C7370D4D2A23DF0F8C3DF41077AF150497F526B25FAC566C705AAF6DD005B8
SHA-512:	AFF23EB46EE4E323BFE28CA3C15BAE0FB0CB9F7048CB3E56FAA76AC1CA9844FD58CF92046C62E0790F8F2D1403500183A60294176C65A162B1A91D92EF0BBE58
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Disables Outlook Updates.... .DESCRIPTION.. Will disable automatic updates within outlook...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....Do {.. $confirmation = Read-Host "Would you like to Disable or Enable Outlook Updates [D/E]".. if ($confirmation -eq 'D') {.. Write-Host "Disabling Outlook Updates".. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\C

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Disable_UAC.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1403
Entropy (8bit):	5.267747383282788
Encrypted:	false
SSDEEP:	24:SvD+ilJ2+rcELm7LR6LPk1ophAl6Po/INdWnVV6InVVodkMUSoMnrojRnz:SvD+iq+gYmPROsEDn3qOQokxSoSrox
MD5:	06EF6793B7BB09AC2DCA61E6B9CD8E9F
SHA1:	19389578400B32411CC079DA4BB84433340A0DAF
SHA-256:	7168CE2EE7EDF60478CA33A20070A43EF5825ABF2596CFE14CAB6299B76AC7CA
SHA-512:	7DFBA058341CC28B83D3FF347D2A124E09A3F1852CA65E3712A3F3D932E2F1D08E867CAA4E1DD91C92CA6B0DE9A4C3D7A7818044378FEBE5A8E8A5C27830E81F
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Disable User Access Control.... .DESCRIPTION.. Disables User Access control within the registry.. Reboot is needed if disabled.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Disable UAC..$Val = Get-ItemProperty -Path "HKLM:Software\Microsoft\Windows\Currentversion\Policies\System" -Name "EnableLUA"....if($val.EnableLUA -ne 0)....{..Set-ItemProperty -Path "HKLM:Software\Microsoft

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\EXModule_dotNET_Update.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4479
Entropy (8bit):	5.181862913027437
Encrypted:	false
SSDEEP:	96:qmPEBydtczToZMpYGoYFJoYFJEvsI3GqJSPKegPB:q4EBeATpCytoEI/Yi5
MD5:	690CA58ED8C9BA7684EE98C8AD8CA515
SHA1:	89F8AE137ADFE3B97D67564CDB301FA178D6756E
SHA-256:	3C80256C8C465767B21829577643B47DE98E91A129C562016F18FF2F2E0BF283
SHA-512:	618B34BC22E2AE4FBAF63DB00CF8FBF14FEF173C03CBEC843B0F28258A7CC9AEBE636EA15E1916AEFF734700E037BE57E3DD516A39CC440BDC73474BBE156AF1
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....#Auto Reboot..$Confirmation = Read-Host "This update may need a reboot. Reboot automatically after successful Install? [Y/N]"..If ($confirmation -eq 'y') { $Reboot = "Auto Reboot Selected" }..If ($confirmation -eq 'n') { $NoReboot = "Please reboot when possible after update" }......#Create zLibrary..Write-Host "Creating Landing Zone"..$TestPath = "C:\zlibrary\.NET Updates"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Directory

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Export_ADPhoto.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5871
Entropy (8bit):	4.9788787772328185
Encrypted:	false
SSDEEP:	96:2t3dCmPEBpeYS4o2uDqC7mILsFr/5rhrWWGrhynfxJTSyrhynVZBjqiKqdcT6lSq:ig4EBkAuBCILi1FeY75YDBjsqcTlq
MD5:	73B703ABFEE693CFE74DA332CE4D6306
SHA1:	02BA53EC7F923158E3D0F72010E69AF9A983665C
SHA-256:	921FCEFFB82CA49BD1BB8B546C375FC43A701DE8976DB41655ED8807050B8B0B
SHA-512:	AA0813187360F0DBC3FF48303A286A4CCE5A82083B26F344B2FBC70C48FCB7A30BAB8C51C4E16470BCABF344F91E8CBA1F02ED1968F201AE4C237AD70B81E37C
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Export Avtice Directory Photos.... .DESCRIPTION.. Exports user photos from AD or Azure.. PLaces them in .jpg format and attaches an email to the photo.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Support Directory..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\AD_Photos"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\Program Files (x86)\DidItBetterSoftw

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Export_License_and_Profile1.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	999
Entropy (8bit):	5.26714723254083
Encrypted:	false
SSDEEP:	24:SFLuFOJ2+rcELm7LR6LPk1ophAl6PHPek2p8DHk2phqKhz:N+gYmPROsEDveSHH
MD5:	67BCE29BD16BD783041BE4C485263227
SHA1:	F6B6570F9C474666ABEA3E36FB66CF5446A3AF7C
SHA-256:	A6DCFAB242B14EEB55F98F0055AB46856BDAED46FEC060719E91177082039C93
SHA-512:	11C347577D7C297A6951F4BA19BCC8416A06B528EBD0D66A125C0851CD58488E04F1505A191291A4BD4D792321DD88C9B2AED3177DB6DF3FBCD78C6DFC49FEE5
Malicious:	false
Preview:	<#.. .SYNOPSIS.. A2E Export license and Profile 1 data.... .DESCRIPTION.. Exports A2E reg files license and profile 1 data.. places files in zlibrary.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}..#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....REG EXPORT "HKLM\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange\LicenseRegistryInfo" C:\zlibrary\License_Info.Reg..REG EXPORT "HKLM\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange\Profile 1" C:\zlibrary\Profile_1.Reg....Write-Host "Done"..Write-Host "ttyl"..Get-PSSession \| Remove-PSSession..Exit....# End Scripting

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\First_Time_Installer.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	17385
Entropy (8bit):	4.608607390064206
Encrypted:	false
SSDEEP:	192:y4EBdqrg+gCoTgFPjAJy9oWSWvncm5yJvv8WEj+WonoHEqNgr:CpCocFPSyKWdvXAJcWEtoiEq+r
MD5:	24906D4F36602C1492A74A26C229E000
SHA1:	11A0EA2FDE23EF154F4B2F2E0B37BF4BDB20B390
SHA-256:	E8F85E3101B5613AF06DD998E7E119A9D8F48B2CB0178FD79769EF4CCA73FD0C
SHA-512:	00C6C2F4F94EB11860F061DE5E53A710C93FD13AFDC71D475087AD4C3058E4AB9205E8C3567F420A9D538C80035B29A866002F27DA1BE4AB55206C181BC9FB73
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Create Initial Environment for Add2Exchange Install.. Assign Permissions for Add2Exchange.. Install Add2Exchange.. Cleanup.. Luanch Add2Exchange for the first time.... .DESCRIPTION.. Step 1: Account Creation.. Step 2: Upgrade .Net and Powershell if needed.. Step 3: Create zLibrary and Create Shortcuts.. Step 4: Install Outlook and Setup Profile.. Step 5: Mailbox Creation.. Step 6: Create a Mail Profile.. Step 7: Add Permissions (moved to step 11a).. Step 8: Add Public Folder Permissions.. Step 9: Enable AutoLogon.. Step 10: Install Add2Exchange.. Step 11: Add Registry Favs.. Step 11a: Setup Timed Permissions.. Step 12: Cleanup...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurren

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\GP_Results.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1559
Entropy (8bit):	5.174877386170697
Encrypted:	false
SSDEEP:	24:YhvEJ2+rcELm7LR6Lifk1oxhAlOHoPWIN/kvjstXBGXjdmPZGkvsv/S+jyGnzJKS:YNL+gYmPROBkuNp4jstXcsDsHVjPn9
MD5:	D8F3B0F174893BFD6855097BCF188C38
SHA1:	5D3CC8271B4E8F192368369E8F8D1A6C651AA9E7
SHA-256:	891FB63F37784A2D77653278198C3B1CEEC2F923BE32A1FBFE38D3284E29ED26
SHA-512:	0AA9A49F4084A5084CB6075592EF46F2039F8C4D467B680E7990FD08455F3CE0985C7A10669284455301434462BAF91AC5D6E97DC563CD70D599DEE328893318
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Group Policy Results.... .DESCRIPTION.. Finds and diplays current group policies on current user and machine.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Group Policy Results..$TestPath = "C:\zlibrary"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "zLibrary Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\zli

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Get_Diags.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2063
Entropy (8bit):	5.320900192955916
Encrypted:	false
SSDEEP:	48:goN+gYmPROBkuNQtXhRvzfh305LK1019skCZ:9NCmPEBdmdmZi05m
MD5:	2F9F4E1534713C5F75B2D1569B4980C8
SHA1:	D317F95060E851D36DE749BD0C3EA164331FACE9
SHA-256:	D294B5769B0DFE14ED596287FD3676D7FD8F034DFC3D9844AE8D6AD9F25DF870
SHA-512:	EE43595AC38D5C2CA5BEBB6C35720ABB1ECDC8BABDF50E04CF0B9987315E8F03F14DF6D6818A93DD3045E490162393003E5FC60C450382A1D924C75B73393C2F
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Get A2E Diags.... .DESCRIPTION.. Downloads and extracts A2E Diags from Amazon S3.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....#Create zLibrary\A2E Diags Directory....Write-Host "Creating Landing Zone"..$TestPath = "C:\zlibrary\A2E Diags"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "A2E Diags Directory Exists...Resuming"..}..Else {.. New-Ite

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Legacy_PowerShell.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4326
Entropy (8bit):	5.300027941259094
Encrypted:	false
SSDEEP:	96:YhPCmPEBdHHYXTYp8rgcr9wSEW4v2ZQwSES8ZwSEVc:R4EBdYXsirvJZ+Z8tr
MD5:	38AC352720450197714B1C8A9A32ACE3
SHA1:	D3C6469DC5B28659DEFA3B7DCA680B78463C1135
SHA-256:	E52FFA8E1FD828987EE62B2975DBD7900EB138EBE95FA03F6BD66B0A07269FB3
SHA-512:	86168DA8760E7663D3001DE186E68BE041566FE786275A62BB96A32D49C67DA02C9D7E8EB19B4BF58E1DF61CF0BA2AA2FDE1379517E62597F545E1C55C7FC717
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Powershell script to check and update .net and .... .DESCRIPTION.. Will update Powershell to 5.1 if .net is below version 4.5.. Get Windows Version.. Get .net version...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Check if .Net 4.5 or above is installed..$release = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\' -Name Release -Err

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\MSExchangeDelegation.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with very long lines (321), with CRLF line terminators
Category:	dropped
Size (bytes):	3485
Entropy (8bit):	5.146501540480007
Encrypted:	false
SSDEEP:	48:G54+gYmPROBkx9JItXiJJ5IJTS4uvdGeE/unqH9eD7rdBNR/S7ERp5rZjPnv:G54CmPEBuMW4S4ulCunqC7rDN3JZjPnv
MD5:	C3B6051BFF57D81301759DFF51EDE1C5
SHA1:	C65685554BA7717D9980D46FBE9A52B4FEE60F90
SHA-256:	202D5AA879A1511C7F8EB926B6A5AD98DBF9D13443CD54C9D8414C142DFE9B09
SHA-512:	44C445F99A30389BF63B1C3FCC90256AE10DE4277B074EA208952AF0F414770B7744C5D47423C5697FE294D2F16019D53CE1D1D0D4A55D2F6D8908DA0B4119CF
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Microsoft Exchange Delegation.... .DESCRIPTION.. Finds old data in msexchangedelegate attribute field for users in a specific OU.. Must run this on AD.. Removes the msexchangedelegate list link from the user.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}.. .. ..#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass.. ..#Support Directory..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.. .. Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-I

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\OSC_Disable.bat

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2735
Entropy (8bit):	5.422414574821863
Encrypted:	false
SSDEEP:	48:qeo1e9eoxe9ZW9eIxZW9edZW5eIxZW5edXW9eIxXW9edXW5eoxXW5eaz4zF0Bnzu:qREdEZW99ZW9kZW59ZW5kXW99XW9kXWV
MD5:	59FDCC52E51AC335C4D24CD27A0FD8BC
SHA1:	019DDC5FD0193C995CA930959E4A8F8BB38C03AC
SHA-256:	3B123AA11B50E117A4FBA11ED03922121F64ED5C8D64DA30F0AEACEC78F0C820
SHA-512:	DCC1B89D0AA1419BF85EE71ABC415878D23F3BA33D5ACBFD522B2E47702112F5090D1E191C714E8635D7DBE5667B172AF0E8C88FC99D845DB6CFB614EE21B4B9
Malicious:	false
Preview:	reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Outlook\Addins\OscAddin.Connect....if %ERRORLEVEL% EQU 0 (..reg add HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Outlook\Addins\OscAddin.Connect /t REG_DWORD /v LoadBehavior /d 0 /f..)....reg query HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\OscAddin.Connect....if %ERRORLEVEL% EQU 0 (..reg add HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\OscAddin.Connect /t REG_DWORD /v LoadBehavior /d 0 /f..)....reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\Outlook\AddIns\OscAddin.Connect....if %ERRORLEVEL% EQU 0 (..reg add HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\Outlook\AddIns\OscAddin.Connect /t REG_DWORD /v LoadBehavior /d 0 /f..)....reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\Outlook\AddIns\OscAddin.Connect....if %ERRORLEVEL% EQU 0 (..reg add HKLM\SOFTWARE\Microso

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Office_Updater.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	980
Entropy (8bit):	5.145816531057854
Encrypted:	false
SSDEEP:	24:GoqapJ2+rcELm7LR6LPk1ophAl6PofINPy+27hz:GoqJ+gYmPROsEDNr2h
MD5:	F7AFFC19CB6DD094845898341D7F08B7
SHA1:	57BF666D2BC57314E4B1CDAFB859E02FD87ABFAD
SHA-256:	8DA1870CAC7721E842024BE4653DEA71D8799F7DFB1BD598DCCFD4E639F7F1BF
SHA-512:	D45539CFD91BF560F6CA0CC55AE7064BFF55849EB265914287DA0E80D6AE7ABB1639AF907978A7A11E045A6EDF9CCCC8E49C3083FC900525479FC319AE6C02D5
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Microsoft Office Manual updater.... .DESCRIPTION.. Will start the process for Outlook to search for new updates.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #..Set-Location "C:\Program Files\Common Files\Microsoft Shared\ClickToRun".....\OfficeC2RClient.exe /update user......Write-Host "ttyl"..Get-PSSession \| Remove-PSSession..Exit....# End Scripting

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Outlook_Installer.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2265
Entropy (8bit):	4.869041116921122
Encrypted:	false
SSDEEP:	48:fLn2wmL+a0WZPDP6MPPOb0PPGsGyk9z1585wQ5zYGLa9zOdg9zzPtvvKn3anlPIl:Sdr0WIMaMyyk9z1585wQ50GLa9zOdg9M
MD5:	D44914C6A4C7369D3C627CD4E10BD2D1
SHA1:	7C216AF33F406E83EE06FCC19084A8667AE47DED
SHA-256:	6320EA3B5D06B458781D3EA9411C9E80BBFE6352A3C9D714A371333883D1032A
SHA-512:	5D29A3E880AC2862D7051D6A5F45CAED339C783B1A797459BFAE0E1A6AFC43236B7181471AE81C0BC4C703DC51F2147C6813B2BC30D913E85F2BCC5AD346084B
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Outlook Installer Menu.... .DESCRIPTION.. Choose between Outlook 32bit or 64bit.. This is just a menu for choice.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....Add-Type -AssemblyName System.Windows.Forms..[System.Windows.Forms.Application]::EnableVisualStyles()....$Outlook365Installer = New-Object system.Windows.Forms.Form..$Outlook365Installer.ClientSize = New-Object System.Drawing.Point(247,169)..$Outlook365Installer.text = "Outlook 365 Install"..$Outlook365Installer.TopMost = $false....$ProRetail = New-Object system.Windows.Forms.Label..$ProRetail.text = "Office 365 Pro Retail"..$ProRetail.AutoSize = $true..$ProRetail.width = 25..$ProRetail.height = 10..$ProRetail.location = New-Object System.Drawing.Point(21,30)..$ProRetail.Font = New-

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Outlook_Profile_Set.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	20832
Entropy (8bit):	5.392154078265476
Encrypted:	false
SSDEEP:	384:K4Dno5fW6yyfe8sPbkZb/CzHtIf+qm/Vru1Fw4Ck8CjI8r:NDno57CzHtIf+iI8r
MD5:	880A9575A59B6D1B592248FAC5EE0571
SHA1:	4807DD3AF489E41FAB399745F0B57722FDBE5DE5
SHA-256:	84205172A09054014BB37A59CC32A75D21C941CDBE6D570424AA9544A6BBC670
SHA-512:	6165CBFFADF62A44D1F8007E9F7DF4CF707DEA3A4997BAEE8FA89421990EED67075F70274415B7CACAE1CBA474BB68DC6CDFBB091A44C2617B32E0DAB53FABA9
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Outlook Profile Setup.... .DESCRIPTION.. Setup Outlook profile for Add2Exchange.. Setup GAL Options.. Setup Send/Recieve.. Disables COM Addins.. Sets Options.. Disables Outlook Popups.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....#Check Outlook Version..$Version = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\Outlook.Application\CurV

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Outlook_Tools_Menu.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5780
Entropy (8bit):	5.151421010601781
Encrypted:	false
SSDEEP:	96:ir0WeMjI/wz9zqL29zI+9zruY9z3lB9z77u9zPdt9zuk9ze6cqW:NyE/wz9m29M+9fuY95B9H7u9zdt9Ck9U
MD5:	140B1F8CA61563B37C91750045ECBF87
SHA1:	28354FA245E5310B8C74F240EEF115B9C41D44E6
SHA-256:	3E7B62BD9BBE9222449438EDBAC7198C5BAF01E77D32E19FDABAC645293AA10A
SHA-512:	C06F1D8F0D6B769FDFA5E43572DD82F0B4D7D99CC87D64D0D7042D58BC9192DF9B3F3DAB1F0470A0C89EF2046BDBA62A71476F7F0B7331B54E2B7A23996269DB
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Outlook Tools Menu.... .DESCRIPTION.. Simple Menu to show tools that link to powershell files.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....Add-Type -AssemblyName System.Windows.Forms..[System.Windows.Forms.Application]::EnableVisualStyles()....$OutlookTools_Menu = New-Object system.Windows.Forms.Form..$OutlookTools_Menu.ClientSize = New-Object System.Drawing.Point(247,344)..$OutlookTools_Menu.text = "Outlook Tools"..$OutlookTools_Menu.TopMost = $false..$OutlookTools_Menu.BackColor = [System.Drawing.ColorTranslator]::FromHtml("#ffffff")....$Rearm_Office = New-Object system.Windows.Forms.Label..$Rearm_Office.text = "rearm Office"..$Rearm_Office.AutoSize = $true..$Rearm_Office.width = 150..$Rearm_Office.height = 10..$Rearm_Office.location = New-Object System.Drawing.Poi

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\PermissionsOnPremOrO365Combined.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators
Category:	dropped
Size (bytes):	37412
Entropy (8bit):	4.4377513076022455
Encrypted:	false
SSDEEP:	192:lK4EBuL1h59kJvwqzukl6zZrTJccUV6D9pFO:lLrkJvwq3mur
MD5:	7E4D25A72B3C66B9434B31C57E06F287
SHA1:	80A029D83FF84BDB3239FEC19ED6D7276582098C
SHA-256:	3A95B367EAAFB21B83C53F3BF8BC252180315FB419B155A5AB9C50003C1A6309
SHA-512:	2CD4600CEC2DFEDBADE22C26151FEB6178E6EA0BA7042CFBC488B452F718F28AF5A674412C6241D581E7ADC7D173A8337375FC240A3950C9605FDEB0120E7FB7
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Permissions for on Premise or Office365.... .DESCRIPTION.. Updates PS EXO modules.. Choice of on premise Exchange 2010-2019 server or Office 365.. Sets permissions for individual users, dist. lists.. Can remove permissions.. Remove or add permissions to public folders.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "S

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Permissions_Task_Creation.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43490
Entropy (8bit):	5.249776444593379
Encrypted:	false
SSDEEP:	384:e6tXgbb7+HNlzF2lm8tPj78F2cfBF2lCUBI2F2lzRjRtF2xpF215F2NAF2kFF2Gl:N0ADYsXQZxfnaL
MD5:	84A7CA382672E2CC2AC294809F5DD084
SHA1:	C8B5AEB08A1C2244429D9D1C2FDCA193D721C458
SHA-256:	F5CB96173BFF7C6DC81C01CC6416E9D384A6ECEC64ABEDAA95E1BD023DAE3038
SHA-512:	44F1AB6E1174273F473547E72608F26C50F99558106F1A6257054F0265105FE35F44D4A06029D713B537D242085642C50EF35C2B12B3E0521EC53482ACD72A96
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Permissions task creator.... .DESCRIPTION.. Updates EXO PS modules.. Saves and bit locks passwords and usernames for auto log in to exchange or office 365.. sets additional tasks for permissions to auto run using credentials provided.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....#Pathing....$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.. ..}..Else {.. .. New-Item -ItemType directory -Path "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds"..}....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....IF (Get-Module -ListAvailable -

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Post_A2E_Migration.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	4.744374547827754
Encrypted:	false
SSDEEP:	192:8sY4EBfPE0BYmSABMdKJX4hBdmSATMFKJXQu:8hPjBDSABMmohBsSATM+V
MD5:	75631EEEF162F81CA161A59E63693945
SHA1:	37B8587D9228B52CC88F6234E533B771C7CE78CA
SHA-256:	0F84D9670388289E3DED4D3500656D20DA4E976CA8831B3CE8E1C95D0AD58A86
SHA-512:	0E70B72914F3AA591EB7389750DCDF29F80E1ED295C199FFF12BB1C2F1188DD90A11DEA621C79375966DBC00D6541C632E5AAFABABC0CDD59C03F2F6EB107C11
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Step 2 of 2.. Finishes Migration of Add2Exchange to a new server.... .DESCRIPTION.. Check for current files and locations.. copy reg. files for Add2Exchange and backup.. Runs First_Time_Installer.ps1 once all files are copied over...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #..Do {.... $Title1 = 'Add2Exchange Post Migration Wizard'.... Clear

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Public _Folder_to_Address_Book.vbs

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	268
Entropy (8bit):	5.030279585044127
Encrypted:	false
SSDEEP:	3:TQ9h+rOtcN+m87REKOLEBYMQsNjD/vzTKOtUDATrBAHiLlEQuUIE7UybfrQuFYL8:kgScNPcRjOcjrKuuAT7JUcEDLXs
MD5:	A7171DD633A4B2F800DF6102D7E93DC0
SHA1:	0969D0388FBE550FFB679E331B2217C37BBC1D00
SHA-256:	E93783BCF685866CDD02275E987EA5F2266FCDF50465578D132F2549A85BD634
SHA-512:	EC366E1722818C997A4B9E867ECADC076241FC98C1AB456C2CCCE86195D4E3AB21CF5156E7D05B5A735AF9E37A22326B4C1BB44799A415474D9A633AA90E131E
Malicious:	false
Preview:	Option Explicit....Dim objOL, objNS, objFolder..Set objOL = CreateObject("Outlook.application")..Set objNS = objOL.GetNamespace("MAPI")......Set objFolder = objNS.GetDefaultFolder(18).Folders("Contacts").Folders("Firm Contacts").. objFolder.ShowAsOutlookAB = True..

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\REARM_Office.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1386
Entropy (8bit):	5.304265312379865
Encrypted:	false
SSDEEP:	24:f8NLJ2+rcELm7LR6LPk1ophAl6PoP6+8P5o1FDO+p+utP5o14DIzChz:f8G+gYmPROsEDUP8P5wDsoP5wBz6
MD5:	D3AF23D1D7084FC8BE912E016D51B4FF
SHA1:	D1B3DC03B0419669FD8BAA02D1343875693DD253
SHA-256:	0B2157D302BCAE924480D48254111A363EAB87933881A105FCB300B528041E25
SHA-512:	6D0E5BC6229FAC783E14147D13FC5A4266C6E38F59B2C83A42EBCE385F4551E991ED00CF9E00C6ACA1EB9B925C8BEA20022E011BDA5BDEAB2AB9DD417C210B4D
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Outlook ReARM.... .DESCRIPTION.. Restarts Outlook trial mode.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force......# Script #....#Detect Bitness..$64Bits = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook" -Name "Bitness" \| Select-Object Bitness -ExpandProperty Bitness -ErrorAction SilentlyContinue....If ($64Bits -eq 'x64'){.. Set-Location "C:\Program Files\Microsoft Office\Office16".....\OSPPREARM.EXE....cscript .\ospp.vbs /dstatus....Pause..}....$32Bits = Get-ItemProperty -Path "HKL

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Registry_Favorites.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with very long lines (342), with CRLF line terminators
Category:	dropped
Size (bytes):	4433
Entropy (8bit):	5.260436401478338
Encrypted:	false
SSDEEP:	48:P+gYmPROBzBr2gjUkIxUYEwoU+YUf8UIDU8kUvIkUb/UzIp0sUBIMUcVIXW9ev6r:PCmPEBUhbC7kqNf8tQtbc8cCl7XW90jw
MD5:	AF59015B32AE299D4428243674C54706
SHA1:	6B2A86DD040D579348F32F4FCC349729514491A5
SHA-256:	FFF79D64EDF0F517CCC529A88E21D3A3974BE82E9B209EDDAC0B1048943414BC
SHA-512:	FA9511E5C7C11B0A470BDD46791984F8C37A07A696A5F486FED7E2A48982A5FDD48615601B36B22515B7BE6B89E250B57AA6DD2E9B38E0D7A5AC9C2CBBE725D6
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Powershell script to add Registry favorites.... .DESCRIPTION.. Adds Reg. Favs to Registry shortcuts...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.... Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Registry Favorites..Start-Process Regedit....Write-Host "Creating Registry Favorites"..New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" -Name "Session Manager" -Type string -Value "

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Reset_A2E_Password.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1776
Entropy (8bit):	5.178124013506394
Encrypted:	false
SSDEEP:	24:kDbM731MpW/J2+rcELm7LR6Lifk1oxhAlOHoPhd1sEVTIs08mCDdK6CDfsZdxV2j:R3u7+gYmPROBkuzX0gCA7Bz7MH
MD5:	6D9B75BDE724C06B10B6A2BF461859C9
SHA1:	9AC9C9CD2F844E174CBF56A6D3C66B34E911C5E5
SHA-256:	D85A2F7527A2126274FB31CBD8CE40BEF76F652EB7C3307A1DB62B2F3A896253
SHA-512:	6720554B12444558F91C07DAD836FE38AE203710A29FCE8F42851ADE40AC67838EBFAD5605CC4A1A69675F0043A514F75265DC2C6C4DFAF687CE8212DA7435EB
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Add2Exchange password Reset.... .DESCRIPTION.. Clears out the password field in A2E reg... Asks for new password and updates the Add2Exchange service with new password...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass......# Script #..Write-Host "Reseting the Servive Account Password" -ForegroundColor Red..$Password = Read-Host "What is the New Service Account Password?"..$SVC = Get-WmiObject win32_service -Filter "Name='Add2Exchange Service'"..$SVC.StopService();..$Result = $SVC.Change($Null, $Nul

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Firewall_Rules.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6339
Entropy (8bit):	4.59062346175513
Encrypted:	false
SSDEEP:	96:P8CmPEBdMt4IEYcrjJ+YALRqHALzPAFRqHAFZPn7:74EBdnIEYcrjUBR7zWR1B7
MD5:	5D15CC681D31E58EB755EDF96DAB987F
SHA1:	045A9EE48903AC50B494A0716A8751BAA0942F4F
SHA-256:	298CE83535B8F62B324ACF467722EB89E114AB09687883FCA5B27CF08E57A627
SHA-512:	C8B699E226F3D50C53ECDCC48EE4F3F8CA3B39F1B5226957B61237FE8BBE3C690B90B3F607E462ED571A689582258F42AA4F0C6DAFFBA82FA114723B3D80F473
Malicious:	false
Preview:	<#.. .SYNOPSIS.. SQL Firewall Rules.... .DESCRIPTION.. Deploys rule changes in Firewall for SQL to properly work.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append......# Script #..Do {.. $Title1 = 'Firewall Rules for Remote Add2Exchange SQL'.... Clear-Host .. Write-Host "================ $Title1 ================".. "".. Write-Host "Please Pick Were to Apply Firewall Rules".. "".. Write

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL12x_to_SQL12xSP4.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	6945
Entropy (8bit):	5.221084649519329
Encrypted:	false
SSDEEP:	192:9HhM4EDNMCCmdjMVpDlSczf3cTxEa6gF1Xhx:92MXmhgpDMiIEaX
MD5:	0B20B6F052DFDB6E1C3A69AF0030ACB8
SHA1:	0F1461CF9E7616F04A0F94C054C895A1850F6CF6
SHA-256:	543708058ADB5F3AC204995B2EC266AA39766FE8DEA0CB3A893673A2139DEB3B
SHA-512:	DEC7B4DF7877786C6B5724380EB1571695974D79A563C7A413DA03643FFB6A16657415ED785AFA806B0A29CE0F12A0913449A59CEDEFE0401E5BC084FA46CD75
Malicious:	false
Preview:	<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2012 to 2012 SP4....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2012 is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Server 2012 Express SP4.... .DESCRIPTION.. Will upgrade SQL Express 2012 to SQL Express 2012 SP4.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}.. ..#Execution Policy..Set-ExecutionPolicy -Executi

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL12x_to_SQL22x.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	13337
Entropy (8bit):	5.2561277625098555
Encrypted:	false
SSDEEP:	192:+1IBq4EDNQdTMVpDQSczW3ZT/HuHpy+tSLdcSJ3aWGpXrjBZo2ClUoI76v:+1QxgpDli0td5+VRZpClUJ76v
MD5:	AD4A1E79C7603CBCCBDC37A9109C498C
SHA1:	4332F28C590CED2B9B9EA66CF8EE78D28E494E53
SHA-256:	BA17D1CFF354EF35C11C62D9DAEBCD5357D2E51EEA89EFEFAC29ED912E6D6813
SHA-512:	D726DF4DCC2C71F799A9129B0BCA45FFF75455DC9CB0A409D0CD09ECF8BCF49796AD45AF6E2C768A90B6486C82ECB25E10D096FF65F0AB81EE999A003E86A745
Malicious:	false
Preview:	<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2012 SP4 to 2022....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2008 SP4 is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Express 2022.... .DESCRIPTION.. Will upgrade SQL Express 2012 SP4+ to SQL Express 2022.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}.. ..#Execution Policy..Set-ExecutionPolicy -ExecutionPoli

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL17x_to_SQL22x.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	6918
Entropy (8bit):	5.206034581692453
Encrypted:	false
SSDEEP:	192:EAtc0q4EDNYC6djMVpDiSczf3XT/pgFyNc0q:EAi3h6hgpDbijql
MD5:	F1C85E7B65D147DD29AE2AE410AEC21A
SHA1:	4CA83E0864F3AE91B15987896AC741DA42D28472
SHA-256:	D5E8B1EC255797D5797F36F9B6B81E37D912E2D5E911428EC88CC055764463C0
SHA-512:	6633BD676977EFD456D5363194EE6B4251B33AC86A12FFD24D440242C8C869DB9569D2F5000A09A22BD4828E06CAC4D39A7B641D85B97D472C9DAC36F57D55B4
Malicious:	false
Preview:	<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2017+ to 2022....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2017+ is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Server 2022 Express.... .DESCRIPTION.. Will upgrade SQL Express 2017+ to SQL Express 2022.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}.. ..#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL8x_to_SQL12x.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	6880
Entropy (8bit):	5.246944638572133
Encrypted:	false
SSDEEP:	192:pHTM4EDdskCPdjMVpDQSczf3cTxEa6gFiXTo:pIsNPhgpDliIEav
MD5:	EBA62744DFE66991433BAF7FC0BAEBF5
SHA1:	137385A79E897DF5C0D0FC6AEFEDDDB8CC4385D7
SHA-256:	9AD9453564BABC5EB58CB18243E094C5CB8BA753009724393517185E1AFDE7BB
SHA-512:	54CAEC1376B3CDEF75CF75B22CF924DCA1EA663BB6203DB85EA6D15916D79E85C0421765C614D2161686384498DA9DB2885C57C0E6D099DA6E2D8C76E168D64C
Malicious:	false
Preview:	<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2008 SP4 to 2012 SP4....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2008 SP4 is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Server 2012 Express SP4.... .DESCRIPTION.. Will upgrade SQL Express 2008 SP4 to SQL Express 2012 SP4.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL8x_to_SQL8xSP4.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	6869
Entropy (8bit):	5.271716332455319
Encrypted:	false
SSDEEP:	192:SmCd4EDd9yCGdjMVpD5SczW3bTR79IgFJXC/:StBGhgpDAiT
MD5:	1A8612F6E5EF271B6308386FAFCAC2FC
SHA1:	C12001B6714417A25E9D33CBB5E0E3E28FC0C8AB
SHA-256:	A02286A6251AA589C3A01D14DAD72E6A973C5CE3247775ACBDF0A0002702202C
SHA-512:	1F933E8BB7A0DC707820275A3A00DFBF065CF4583A0D20D5978100D5CDD3F1FC64FC844F822CF441C32BDD912667FBF545534BBBEB18BF66F30420D473E29F75
Malicious:	false
Preview:	<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2008 to 2008 SP4....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2008 is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Server 2008 Express SP4.... .DESCRIPTION.. Will upgrade SQL Express 2008 to SQL Express 2008 SP4.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPo

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQLExpress_Main_2022_Upgrade.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	10147
Entropy (8bit):	5.151791839049951
Encrypted:	false
SSDEEP:	192:5icEOrSM54EBd7MCpNOvO07BBkNOh50LspMzxaSa9/Oz0/Xu/yc0/W5/G3p:wnYDNmnH5qPoyU
MD5:	1ADD9F6985014CB6D580776FB1ED7184
SHA1:	6037CE1867FDAECD5AB96619330C7056B81A667E
SHA-256:	F396B1B7C0812275DC5A3F9F46881FFB8D1BA9A9AC356AFCDC9571E8F1911D61
SHA-512:	87E8B62FBD2E2B30DE4A7E069C2EF79A26E4DECC08F2479B1978F1446BF471B94BF5879FE977DCFD18DC2B662F9C7624CDCB67587A8A7E2D4B49EDBD75740562
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Backup and Store A2E DB.. Find SQL Express Version and upgrade accordingly.. Upgrades SQL Express 8x to SQL Express 2022.. Note* SQL 2008 must be at least SP4 to update to SQL Express 2012.. Note* SQL Express 2012 SP4 last version for x86. Must export and import DB into fresh SQL Express 2022.... .DESCRIPTION.. .... .NOTES.. Version: 1.1.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....#Logging..Start-Transcript -Path

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\SQL_Upgrade_Files\SQL_Management_Studio_Quiet_Install.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3008
Entropy (8bit):	5.120422215233596
Encrypted:	false
SSDEEP:	48:4WM+YmPROBkuXjXzag4fvSf8/kyb0X/x3EpWoDLgmtQ7+7lt0c/EqzCwZu4M:7MlmPEBdznf8cyb0GtLgwQ7+7liPt
MD5:	D1BC3C992B5D78090C375480B7BE9D3B
SHA1:	7FE5F2FBC111E6B863326F74D24438169CA680EC
SHA-256:	53E87C98740D6CF268B641B55133958EA6A729DCEB04E71FAB13710B3861D4F0
SHA-512:	325BD84478EE91C5C39A1A92469853DC6084B42CAF079766B0130866653507456DD01CA48F7CCBC9D3CFFF5938B1800463B3EA78123D557FD3FCCB149E314CDD
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Downloads and Silently Installs SQL Managament Studio 19x.... .DESCRIPTION.. .... .NOTES.. Version: 1.1.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....#Test for HTTPS Access..Write-Host "Testing for HTTPS Connectivity"....try {.. $wresponse = Invoke-WebRequest -Uri https://s3.amazonaws.com/dl.diditbetter.com -UseBasicParsing.. if ($wresponse.StatusCode -eq 200) {.. Write-Output

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Scheduled_Update_Add2Exchange.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	6631
Entropy (8bit):	5.235810758535446
Encrypted:	false
SSDEEP:	96:aUKXYYmPEBhJ77gEmYBF/A54HofObcV7755JG9ZZ07xz0aDQrQ:hY4EBhJzf/A6HHAt0rQ
MD5:	AFB9AADF777A7A19E1AE27D5FD22514F
SHA1:	0C1A6A7F0E6D22BC7A635C266868682D7DDEEF1A
SHA-256:	DD988CFD11109E1E7875D41607916EC30B73F4DDDF310515BD15E762A36058D8
SHA-512:	45C3B59D82600DFA5FC3A970C4EB88850AA38D40C05930D8F3ABF8E000AB4384A34BD2B6F26ABB0ECDDE45A982A9F109E49235CD874FA33BA41495A02878648C
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Scheduled Task to automatically upgrade Add2Exchange to the newest version.... .DESCRIPTION.. Downloads from S3.. Upgrades Add2Exchange to latest build.. Sets password for Add2Exchange Service.. Starts Add2Exchange Service after succesfull install.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... To run this as a scheduled task open CMD prompt and type in: schtasks /run /tn "Scheduled Update Add2Exchange" .. Note* the task must be already created before running this in CMD.. #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}........#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Office365_Pro_Retailx64_Configuration.xml

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1023
Entropy (8bit):	5.202613438368244
Encrypted:	false
SSDEEP:	24:OkfEslTC6jycWuLcWlfAcWiLcWbFS8httxkB:9fE+e6jyctLcrcjLcqDDtyB
MD5:	BC70B4D7C9C7053F4C30FC1721A67D63
SHA1:	D9E574805F4018C7CC25C2AA97DC56DA3E0B5044
SHA-256:	794E2365F2E580F669BAD988064606F814A1EDDDB7F865C3D291AAF15AE1EF0D
SHA-512:	6AF3A9F2428698FB935894470BF7F0AC8BEAE66936DF3E6B5994A96E62972AD693763892B4FF58CE322E8275C135F4E2FE3A31CBA7A87AC15DA129B0CB242569
Malicious:	false
Preview:	<Configuration ID="0ed28122-0109-4692-886e-6c4b754f4025">.. <Add OfficeClientEdition="64" Channel="Broad" ForceUpgrade="TRUE">.. <Product ID="O365ProPlusRetail">.. <Language ID="MatchOS" />.. <ExcludeApp ID="Access" />.. <ExcludeApp ID="Excel" />.. <ExcludeApp ID="Groove" />.. <ExcludeApp ID="Lync" />.. <ExcludeApp ID="OneDrive" />.. <ExcludeApp ID="OneNote" />.. <ExcludeApp ID="PowerPoint" />.. <ExcludeApp ID="Publisher" />.. <ExcludeApp ID="Word" />.. <ExcludeApp ID="Teams" />.. </Product>.. </Add>.. <Property Name="SharedComputerLicensing" Value="0" />.. <Property Name="PinIconsToTaskbar" Value="TRUE" />.. <Property Name="SCLCacheOverride" Value="0" />.. <Property Name="AUTOACTIVATE" Value="FALSE" />.. <Updates Enabled="TRUE" />.. <AppSettings>.. <User Value="0" Name="runosc" Id="L_TurnOffOutlookSocialConnector" App="outlk16" Type="REG_DWORD" Key="software\microsoft\office\outlook\socialconnector"/>.. </AppSett

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Office365_Pro_Retailx86_Configuration.xml

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1023
Entropy (8bit):	5.2041868894674
Encrypted:	false
SSDEEP:	24:OTfEslTC6jycWuLcWlfAcWiLcWbFS8httxkB:ufE+e6jyctLcrcjLcqDDtyB
MD5:	6C49E64FFF25A2225546976F7A9BE5F6
SHA1:	6CC15D048275904F2E8D7AFC1F7789750FC6365E
SHA-256:	B52A9402BB73233A077BC2437228A26AEEB9C8F53FE3E9147209A09A9D5A833F
SHA-512:	FDCF646EA8D896ACA2EF3AF156D5403D509EAA06580A87854BAA5B2D0353B4483F62EA60F128338020E8039A95A3DC3FC85A45ED4A2539929A0A3B366A0F7B99
Malicious:	false
Preview:	<Configuration ID="0ed28122-0109-4692-886e-6c4b754f4025">.. <Add OfficeClientEdition="32" Channel="Broad" ForceUpgrade="TRUE">.. <Product ID="O365ProPlusRetail">.. <Language ID="MatchOS" />.. <ExcludeApp ID="Access" />.. <ExcludeApp ID="Excel" />.. <ExcludeApp ID="Groove" />.. <ExcludeApp ID="Lync" />.. <ExcludeApp ID="OneDrive" />.. <ExcludeApp ID="OneNote" />.. <ExcludeApp ID="PowerPoint" />.. <ExcludeApp ID="Publisher" />.. <ExcludeApp ID="Word" />.. <ExcludeApp ID="Teams" />.. </Product>.. </Add>.. <Property Name="SharedComputerLicensing" Value="0" />.. <Property Name="PinIconsToTaskbar" Value="TRUE" />.. <Property Name="SCLCacheOverride" Value="0" />.. <Property Name="AUTOACTIVATE" Value="FALSE" />.. <Updates Enabled="TRUE" />.. <AppSettings>.. <User Value="0" Name="runosc" Id="L_TurnOffOutlookSocialConnector" App="outlk16" Type="REG_DWORD" Key="software\microsoft\office\outlook\socialconnector"/>.. </AppSett

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Pro_Retailx64.cmd

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.572765012132931
Encrypted:	false
SSDEEP:	3:Pg4QQ6/QIK6Wde8UMeKJ:PVQQFKWlU2
MD5:	E49E7FD101C66A32558FF27564234222
SHA1:	671A4BBE57BB7C9E872693DFA4CDC967D4329A93
SHA-256:	72507222065118F1D879128E8E98C633AFA6C21275CB9246F5AAC18041A1FDBF
SHA-512:	1A7CE80BE39B2B2CF38B1687A0CD6E9F318C216F6562F1170283835360B8AFE053D72CAD6714F4073927932BFFCD3EDDFCAB09962A6C145BF5F34C1CBD261E8B
Malicious:	false
Preview:	setup.exe /configure Office365_Pro_Retailx64_Configuration.xml

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Pro_Retailx86.cmd

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.572765012132931
Encrypted:	false
SSDEEP:	3:Pg4QQ6/QIK6WdoMeKJ:PVQQFKWi2
MD5:	8D16D2E6750AE5217ADBBAC538E6E89E
SHA1:	06126FF482AB5F91E32315DE94ECE2F39533C1BF
SHA-256:	FFB180B7837FAB58A39779694E3025F98A0AE6B747B3A84BCB96BBA59486C5F7
SHA-512:	D17FC93E05CAF4FB938EC1CE9A18793610A2B2381D020227613117031E238B0E6F8A1957EC1000BDD7D2CF2587C3DD1FD4C2CD93010B70686FDF46747BE50B2C
Malicious:	false
Preview:	setup.exe /configure Office365_Pro_Retailx86_Configuration.xml

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5169440
Entropy (8bit):	6.649944627880774
Encrypted:	false
SSDEEP:	98304:vqihTvjtEh2N5LQhyddG4THBZoJG3QBMxvble/bsTwY2h3:TpvE8dgq3oJG3QBMxBlW3
MD5:	B374FA0E7E34B9CE9C142FE80E1EFADE
SHA1:	2537F4523B12E9801F2ACB8FE38D5D725A56A61D
SHA-256:	A87105965530799BABBB71A1FD52DBD7CDDEE71C40E2C37576235D156FF02027
SHA-512:	8F5FF73932568006C38B9E1BB8DAABF0DC6E419FC1E6D96159FB1234439B8AB9B283D617540CDC5860538AFFEA89BA0A553F4CCF2B9F1949D9E907BA56C2F74C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: V425Q1tORs.exe, Detection: malicious, Browse Filename: V425Q1tORs.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Gc.-...~...~...~..'~...~..%~...~..$~#..~Ig.....~Ig..+..~Ig.....~...~...~...~...~fd.....~fd.....~fd.....~fd.....~...~)..~.d.....~.d.....~.d)~...~..A~...~.d.....~Rich...~........PE..L...r..[.........."......l+..2#.......#.......+...@...........................O.......O...@.................................8b?.......A...............N. ?...`K..<....:.8.....................:......,.@.............+.8....M?......................text....k+......l+................. ..`.rdata........+......p+.............@..@.data.........?..H...x?.............@....rsrc.........A.......@.............@..@.reloc...<...`K..>...dJ.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Shell_Into_Exchange.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7051
Entropy (8bit):	4.675718132414485
Encrypted:	false
SSDEEP:	96:iCmPEBdzcsNZg5MVzQWgM4cRpPOY6WIQK84cRpfOY6Wi:54EBdQshqkl6fUV65
MD5:	4ABCE57C7D70986A012F11683C23D47F
SHA1:	4B7CD4E02EDBE9D04A489196A0465A228A5DD39D
SHA-256:	5507006FEDCC5410CAB7C9DC33C0B52E6E919697DD46EEC2F3733E3803887CFD
SHA-512:	A879AA334B113E7A6A64F1A936871C15E79D32DA37EEA257D867F38C762E5263E8124F6C4FE3AE219BEB8719C2BBB7C78C69740E7D648F195D864A07359FCBB6
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Shell into Exchange.... .DESCRIPTION.. Allows for login to Exchange or Office 365 with ability to enter commands manually...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\Program Files (x86)\DidItBetterSoftware\Support"..}....Start-Transcript -Path "C:\Pr

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Shell_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators
Category:	dropped
Size (bytes):	36559
Entropy (8bit):	4.503630667237573
Encrypted:	false
SSDEEP:	192:zo4EBdHRhO9keHSowqzSZrTJN7nd9pdYkyO:EIkeHSowqGZ7PYkF
MD5:	BF7B956A983D4C2B772F143AC437F401
SHA1:	BB5902AAF9844CC9C0786884F8B35D052BE13B4A
SHA-256:	51250044F351B81A1A8E38C1EFD47DCB99312DAAAAE15F1A2CA856E0D0E42E73
SHA-512:	4E980628CDA60EC0F91CD4C78B1C8D1D651FBBCD29702A205721B26BBE45B43342BE932DD37C5B2D498ECFD73E511A7EA982C3CBB326A629D64F34A725DA44D7
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Shell Permissions.... .DESCRIPTION.. Automatically logs into the desired on premise exchange or Office 365 and applies permissions.. uses bit-locked creds from timed permission setup...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\Program Files (x

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\2010-2019_All_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2313
Entropy (8bit):	5.206475437016567
Encrypted:	false
SSDEEP:	48:9YmPROBkaheuGuLiuZuTElltsEjA4HcYA4Zx:qmPEBV7JpoTaJjYY9x
MD5:	A119485189BCC14AC82C12ADCA54E81E
SHA1:	5CFE9A212D000E8F367B83B1F39474B99F89CD55
SHA-256:	25CA6D42AEE88E873C065741F37959D148A07A41CCC8B393ACB05C7B9F3729CB
SHA-512:	C6FAB52DDC71FAF46D9F260ADA73C5D22E2880068E3319F07106838A86EC2484AF42BEE4383C5708F1A37181D89D4EFF082EB8D158999DEC6BB08E8F9269246F
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit.. }.. .. .. #Execution Policy.. .. Set-ExecutionPolicy -ExecutionPolicy Bypass.. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12.... #Variables.. .. $Exchangename = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Name.txt".. $ServiceAccount = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Sync_Account_Name.txt".. $Username = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Admin.txt".. $Password = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Pass.txt" \| convertto-securestring.

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\2010-2019_Dist_List_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2309
Entropy (8bit):	5.27046054524564
Encrypted:	false
SSDEEP:	48:9YmPROBk6PYUuWuLCuJuTnujY1tkD7PzNIFMGIA4H9r:qmPEBtPYX5p4Tuy8bS2P5r
MD5:	65AEF2EBB5A702F05BDDB39426D22E9E
SHA1:	A40DB715731183703E8E0D9B8D883D039E64D1C0
SHA-256:	A57544B50D040A836A9AFA3334EC7820AD4A11CE3B1E22563BD68183296B1802
SHA-512:	FF41E94E3DD9E40D731F2EB19D2CB978D2AA2564841F42D3E272981EDCE0CC061697FD55D49BAA3E9D6E5B11200DFEE9DC4246089FAD05C577C49D86C6E1EA33
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Variables....$Exchangename = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Name.txt"..$ServiceAccount = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Sync_Account_Name.txt"..$Username = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Admin.txt"..$Password = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Pass.txt" \| convertto-securestring..$Groups = G

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\2010-2019_Dynamic_Distribution.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3242
Entropy (8bit):	5.184235576844559
Encrypted:	false
SSDEEP:	48:9YmPROBk6PYUuguJuTguWux1tkfnAH7IzYtn3BKz1w:qmPEBtPYXD4TD5n57m6xKz1w
MD5:	399F572DA4C7F58117067DD1D70AB422
SHA1:	03CC2AFDF3AF84E147F0E0A934B094D32FB0460E
SHA-256:	BB60CC3AB32A798ABAD83A52224C2A665B43FD0B389B5FEF8FD146BB8ECFC281
SHA-512:	90576BDD350BEF61E341B50FC59CE81C1C298C97CDA65E1CCD160044B976A848681E82C3CF7C89C15F4DE86DAFD8BA583253328E135EF2B65C7A7D853E01707A
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Variables....$Exchangename = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Name.txt"..$Username = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Admin.txt"..$Password = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Pass.txt" \| convertto-securestring..$DynamicDG1 = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Dynamic_Name.txt"..$StaticDG1 = Get-Con

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Office365_All_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	5.206204413905134
Encrypted:	false
SSDEEP:	48:9YmPROBk642pHCZMTruLCuuu+EY7A4H29:qmPEBtKMTipx+ti9
MD5:	4CEE73D454FF52AD206F6779B8C1B1C2
SHA1:	2AFF775DEBB685870CB1027DFB629709134C78AD
SHA-256:	CFFE62C1DD72BB82A9B1FF47092FD096B2A5DF219778CDA5D9D0B61B86E72E6B
SHA-512:	00727409C9A4EA398854BAA6398D04C404E40B8B69AB940DAC26789F708F2D0223C27A55FF53FC372B5B1D7DB57BB6967647B8CD7DECD97C4C66BB02418CB4ED
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version \| Sort-Object -Descending \| Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Office365_Dist_List_Permissions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2936
Entropy (8bit):	5.226696749733595
Encrypted:	false
SSDEEP:	48:9YmPROBk642pHCZMCruLCuuu+nujYs7PzNIFMGIA4HyKx:qmPEBtKMCipx+u9bS2PmKx
MD5:	29DCE03F380B4119D910F6916C83E553
SHA1:	C094CFF3C3D9B460F44F7CF61CA78C8D1F84122D
SHA-256:	3B92B4559CBB46C25330E2D1272C1946928A896B0FEC503A2C2624C7E35509F7
SHA-512:	C14CB1A123CAC0DBB3306A193C5BADAD07E088565383111F1265FC9AA8B5E0BD5A1B94942FF8F7C4C5A9D44E3C250BFFD681AAEF70A5465690A8C8002455F69F
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version \| Sort-Object -Descending \| Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Office365_Dynamic_Distribution.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3867
Entropy (8bit):	5.150671684787593
Encrypted:	false
SSDEEP:	48:9YmPROBk642pHCZMCpuuu+8ueuuYWNja7IzYtn8UQprG:qmPEBtKMCYx+fBia7m689prG
MD5:	9DB45E661D4F1819D5C2119BA8EBE6F7
SHA1:	43F8E5466B03431EE886981A1A6D15AC4CBF09C4
SHA-256:	91B84050C3505A65F63C4084DE97CEB183BB2131C5ECE05E1FD5B2C9385A5271
SHA-512:	6A8968A8B70BCD6DA01BDD495D2BE1A7F4F2B2620CA216EB123E524F862641860711D3A048029853BF8609C2ED2A96F9586938A184E3E0BF3D8D2C32D976B939
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version \| Sort-Object -Descending \| Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Stand_Alone_DyanmicDistList_Task.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1182
Entropy (8bit):	5.177298437958451
Encrypted:	false
SSDEEP:	24:9ELm7LR6LPk1ophAl6PoqGba5KNZDaNvmLbPXuq7Whz:9YmPROsEDFdAzuX
MD5:	E7429B9BC39E9217F0FB503DE41E1364
SHA1:	0608BB8B293A11F58EEB8CAA322CAF670CD48EFA
SHA-256:	6C696EF6E3D94FE2712B3063C7A52C6618A0D346C0B22718572FE7DB2A178885
SHA-512:	DB305B546B58D66809CC7F79389CE1D637C1EDDFB490162527C95752A306F2E616CB264B03719A40297773CE1A79D960B453F6EFA6B3C9486648705D351D56B5
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass......# Script #..# Report Correct File Path of DynamicDistribution List File..Write-Host "Creating Task".. $Repeater = (New-TimeSpan -Minutes 720).. $Duration = ([timeSpan]::maxvalue).. $Trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval $Repeater -RepetitionDuration $Duration.. $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -WorkingDirectory $Location -Argument '-NoProfile -WindowStyle Hidden -Executionpolicy Bypass -file "ENTER FILE PATH HERE"'.. Register-ScheduledTask -Action $Action -RunLevel Highest -Trigger $Trigger -TaskName "Add2Exchange Permissions" -Descrip

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed Permissions\Stand_Alone_Dynamic_Distribution_List.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2376
Entropy (8bit):	5.091813731955432
Encrypted:	false
SSDEEP:	48:9YmPROBkH+yF0TveJjpnAH7IzYtn3BKzi:qmPEBl6KeJjs7m6xKzi
MD5:	CBC1624883A282B70B867D25B380EE1C
SHA1:	519E9B90F6558C1B507A1B71F9706B9400FE1E40
SHA-256:	0470A94170B0407E9C8AF85F2292EA767A424A82686E1991E28F320A2A325809
SHA-512:	16E60FA701564121144AD3217F7F1689C39FB9D368067256C08D4CF0E57CAFEB75B65F2F32FC58AF5119A62D6F1B253B5E18210B4871EAE48CB8E93EA5F0245D
Malicious:	false
Preview:	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....# Service Stop #..Get-Service -ComputerName "TYPE COMPUTER NAME HERE" -Name "Add2Exchange Service" \| Stop-Service -Verbose -ErrorAction Stop..Start-Sleep -s 30..Get-Service -ComputerName "TYPE COMPUTER NAME HERE" -Name "Add2Exchange Agent" \| Stop-Service -Verbose..Start-Sleep -s 10....# Script #..Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;..Set-ADServerSettings -ViewEntireForest $true.. ..#Variables..# Fill Out Dynamic and Statis Distribution Groups Below....$DynamicDG = @("Dynamic DL HERE", "Dynamic DL HERE")..$StaticDG = @("Static DL HERE", "Static DL HERE")....for ($i = 0;

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Timed_A2E_SQL_Backup.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4303
Entropy (8bit):	5.198975556588784
Encrypted:	false
SSDEEP:	48:o+gYmPROBkuU69eKr3IHvD5AMgihSKD6dgmdW7CXdWCnvlCVg7SCjSpcMQJtI6oT:oCmPEBdUGwvsiL7FC4GmL2MuozKtG
MD5:	3AAAC6808F523B20E401258345F64C9B
SHA1:	D69BE6F4135500FC2E9312F3F5091FDA06CDB046
SHA-256:	E54C2AB3CA3FAD2491C022C763744D6F82998734F616801F049B21266029BE1D
SHA-512:	0DD462BD8D984B6BACC6635611D128D4AE024D689E5278266B640CEA1204749DED2124CC6589D110637907A2726F20720DE283786C25D746D0C733E29F5D79F5
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Timed A2E SQL Backup.... .DESCRIPTION.. This is a part of a scheduled task to run and backup A2E SQl DB every 3 days.. 5 version retention by default.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Variables..$Install = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange" -Name "InstallLocation" -ErrorAction SilentlyContinue #Current Add2Exchange Installation Path..$CurrentDB = $Install + 'Database\' #Current Database Location..$BackupDirs = Get-Conten

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Windows_Defender_Exclusions.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2815
Entropy (8bit):	5.2554300122995485
Encrypted:	false
SSDEEP:	48:wIi8k8z+N+8Y8zK+gYmPROhE5N/ZVgo9ei2COW818zW1NR8t8zf/xcXWH9enxoSa:halKCmPEhgVJAhfYxoSroz
MD5:	65BAF2C4AECB3C31BD9F5D991FB5F666
SHA1:	7AAC1911A4A0E2235AD4BAC1F8D03DDFC863F4C5
SHA-256:	65DB9ADCFD894401F42E618FCD973498F2D86563BF7B12687A9AFCC0B3BF65E4
SHA-512:	6139BAC47DEA096CD4E6F8AAEFF5A77ABBEE42D1BFE71E1E646534C295262EC96119AF971132920B45731ACC240B42418244380A82C783E0767F2D7CD0D24BC3
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Windows Defender Exclusions.... .DESCRIPTION.. Excludes the below from windows defender live scanning.. "Program Files (x86)\OpenDoor Software.".. "Program Files (x86)\Microsoft SQL Server".. "Program Files\Microsoft SQL Server".. "Program Files (x86)\DidItBetterSoftware".. "zLibrary".. "Program Files (x86)\Microsoft Office".. "C:\Users\zadd2exchange\AppData".... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\shell.ps1

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	786
Entropy (8bit):	5.003777918597954
Encrypted:	false
SSDEEP:	24:V5U4J2+rcELm7LR6LPk1ophAl6PoPhjJyFhNxT:7E+gYmPROsEDUJs5
MD5:	0C3D59CF2897ACE0354138628A349F9A
SHA1:	D3CD0F829B6C162C77C68FFC137E89392E573410
SHA-256:	E81BF291B9B93BDD31AAB066D2E4078C3C2D9EC8A5BFC802DD910C59F47361DD
SHA-512:	498A6702F9CFF747AB1986CB1CB5AB61D11979DDF8C2892FA2C07645FFD883A0048C7DC132C0B229647344957692583B292D1E47DDD82658B0FED116AF53219C
Malicious:	false
Preview:	<#.. .SYNOPSIS.. Shell.... .DESCRIPTION.. Simple open another PS session to shell into Exchange of Office365.. Calls another powershell file "Shell into Exchange"...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass......# Script #..Powershell.exe -noexit ".\Shell_Into_Exchange.ps1" -noprofile....# End Scripting..

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Tools\Logging\gollevel.xtx

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:xJ8n:xun
MD5:	FB5B87D7E7127C6CCBB0D47B99C98629
SHA1:	D0E38F05930EF0AC54BF5A2C555B5013BF7B8145
SHA-256:	120C7DC65B2424AAC3D64B06D0F28C1CFB41553A0294C99DFCBC6B750428430B
SHA-512:	9F39FAEAC437F3A6FC7E32818209CE19E0441B389C6028FDD706B64417EE8EFCF36963A08A1B6764680E762A40716C6E833EE8FBE97F33D07CD6BA68AD164C39
Malicious:	false
Preview:	Level:9

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Tools\Mapi\ExchangeMapiCdo.MSI

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Messaging API and Collaboration Data Objects 1.2.1 v6.5.8320.0, Author: Microsoft, Keywords: Installer, Template: Intel;1033, Revision Number: {EB06CAF7-FF9E-4e70-B2DC-20D0B3E4A188}, Create Time/Date: Mon Apr 29 10:13:53 2013, Last Saved Time/Date: Mon Apr 29 10:13:53 2013, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (candle/light), Security: 1
Category:	dropped
Size (bytes):	3569152
Entropy (8bit):	6.968260863030964
Encrypted:	false
SSDEEP:	49152:Ozi7eSMsESiOtGc5DUNmj6lpDrfb0YZUafrtxjkkwuh+GQGY:tllElIGcyNy6lpDrfQYZ7Bxj1wpGQ
MD5:	1C0E9FD7CB73D8E40802FA2F535B2D96
SHA1:	F109F0E751D0B358C9D5DEE1322738609E07EA2E
SHA-256:	40480D120D9A4349716471B75015FFC08313B541A8E303E326F2A2809EA98731
SHA-512:	EEEEC835D3B29C0E7A5147A2D57A289584DF81070DE90569A0DA6A508EE7CB739CDA5737BB394B6370A0B990440A663B1FD0CCA973F52213FD00445CDB3843A2
Malicious:	false
Preview:	......................>...................7...............=...........................i...j.../...0...1...2...3...4...5...6...7...8...9...................................................................................................................................................................................................................................................................................................................................................................................................................................+............................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Tools\OutlookTools\Autodiscover\365autodiscoverOutlook13.reg

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Windows Registry text (Win2K or above)
Category:	dropped
Size (bytes):	673
Entropy (8bit):	5.200084512777063
Encrypted:	false
SSDEEP:	12:jBJ0SK0Z83rQbDIYLRfRRfJ/bjr83rQrKfAsGKMAsk8dAskKPysAskKObsAsOKPK:jBJtZ8bQbDv7P78bQrKf1S1ki1kKf1kT
MD5:	6650B0C072434405DF42D91C81A1573C
SHA1:	D5EF1E3A4408F8FBDC0A514C1F411627FCEA1F98
SHA-256:	D5157FAE52FF0A7CF3D0BFC204EA1674AA117267241B95F1FF90A87F2DA2F612
SHA-512:	83241CAEDB38CC1BCB1DC5FE37984F92E879C8FFACC458DC95947462CE216789F756642CBA99B622289800A45AA8CE3F022ED36E9663EE26CA8B5F31F00096D8
Malicious:	false
Preview:	Windows Registry Editor Version 5.00....[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\AutoDiscover].."ExcludeScpLookup"=dword:00000000.."ExcludeHttpsAutodiscoverDomain"=dword:00000001.."ExcludeHttpsRootDomain"=dword:00000001.."ExcludeSrvLookup"=dword:00000000.."ExcludeHttpRedirect"=dword:00000000.."ExcludeSrvRecord"=dword:00000000....[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\AutoDiscover\RedirectServers].."autodiscover-s.outlook.com"=hex(0):.."autodiscover.hotmail.com"=hex(0):.."autodiscover-s.partner.outlook.cn"=hex(0):.."autodiscover-s.outlook.de"=hex(0):.."autodiscover-s.office365.us"=hex(0):.."autodiscover.THEIR_DOMAIN.com"=hex(0):..

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Tools\OutlookTools\Autodiscover\365autodiscoverOutlook16.reg

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	Windows Registry text (Win2K or above)
Category:	dropped
Size (bytes):	673
Entropy (8bit):	5.201934605641604
Encrypted:	false
SSDEEP:	12:jBJ0SK0Z8PbDIYLRfRRfJ/bjr8PrKfAsGKMAsk8dAskKPysAskKObsAsOKPAv:jBJtZ8PbDv7P78PrKf1S1ki1kKf1kKY1
MD5:	98DD72DEF80AB5D47318F76A726EAFBF
SHA1:	A596F1DC0D4060B90872ABD75C5AA587B55469D6
SHA-256:	224D9957C0368840C9677FAB790B7978AD85F8CBE1F4C344853D4ABB2E19FC8E
SHA-512:	F95D02AF1CD45FC4E6365C290412CD4BBA9B03A44905D33659CFB7B1D34262946DF6589617581D69F78E39BDB9B989017FF3E22E41DB212359DEF138FA937792
Malicious:	false
Preview:	Windows Registry Editor Version 5.00....[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover].."ExcludeScpLookup"=dword:00000000.."ExcludeHttpsAutodiscoverDomain"=dword:00000001.."ExcludeHttpsRootDomain"=dword:00000001.."ExcludeSrvLookup"=dword:00000000.."ExcludeHttpRedirect"=dword:00000000.."ExcludeSrvRecord"=dword:00000000....[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers].."autodiscover-s.outlook.com"=hex(0):.."autodiscover.hotmail.com"=hex(0):.."autodiscover-s.partner.outlook.cn"=hex(0):.."autodiscover-s.outlook.de"=hex(0):.."autodiscover-s.office365.us"=hex(0):.."autodiscover.THEIR_DOMAIN.com"=hex(0):..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9011
Entropy (8bit):	5.090114603797306
Encrypted:	false
SSDEEP:	96:e5JV1qFpLMKTjVEQqoheUe68AX313tBA73pAC6kvDDM:edQqoheFOIbQ
MD5:	D2AE156D41D73955EF95375E429E5B8A
SHA1:	42DF0552AE25A3C214CDB14B2E26DAF136CB2820
SHA-256:	BE67C2179BF4F732A1F1DDC529F0DEC5BA18728804EDB6EDF889EC5CAB402168
SHA-512:	81AD918486F87C1C42FE54D1CB48A9F34E1F6F3232B6A03BA6AC673C97AE365617135D24BAC5BC02E1151BAC636A171B311633851E3357F02C0E21986913CAEF
Malicious:	false
Preview:	..7-Zip SFX 4.65 Copyright (c) 1999-2009 Igor Pavlov 2009-02-03....Processing archive: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe....Extracting a2e-enterprise.26.3.3677.2903\Setup.zip..Extracting a2e-enterprise.26.3.3677.2903\Add2ExchangeSetup.msi..Extracting a2e-enterprise.26.3.3677.2903\Tools\Mapi\ExchangeMapiCdo.MSI..Extracting a2e-enterprise.26.3.3677.2903\Setup\OSC_Disable.bat..Extracting a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx64.cmd..Extracting a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Pro_Retailx64.cmd..Extracting a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx86.cmd..Extracting a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Pro_Retailx86.cmd..Extracting a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Office365_Pro_Retailx64_Configuration.xml..Extracting a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Office365_Pro_Retailx64_Configuration.xml..Extracting a2e-enterprise.26.3.3677.2903\O365Ou

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.999918044877228
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	a2e-enterprise.26.3.3677.2903.exe
File size:	42'987'850 bytes
MD5:	29c3418978dd57c42c7e9530b3aac3d6
SHA1:	08283dd80f9597fffd5abc3977b21894e9ad962b
SHA256:	22a18e7582631d3d2efae7d691fc20421c7a9693103b6f21a190f664c686b94b
SHA512:	e8ffc68971e23bf040155fec5dc0101730fb729365208a202a101e27c289c55016b8e94ef7eaceb820182372fedd68484165b8e491587cf4b5c5a0ed127fb9b3
SSDEEP:	786432:v/NH38u8rB8LSc8EPX+0m8EKQLFD/uDoWIqIKxMTxv9+vCqJuI:JMwPXjFQZGDo/qFAxVw9b
TLSH:	7B973304B0A08677F1022970B3695BE456BFEAD4AC3A3937761267BA1DB7D0D8633DC1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A..~/F.~/F.~/F.a$F.~/F^b!F.~/F.a%F.~/F.a+F.~/FSvpF.~/F.~.F_~/F^vrF.~/F.X$F.~/F.,.F.~/F..RF.~/F.X%F.~/F.x)F.~/FRich.~/F.......

File Icon


Icon Hash:	b8868baba9aba2d8

Static PE Info

General

Entrypoint:	0x419d2c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4987F062 [Tue Feb 3 07:21:06 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	be41dda43b3125c88e27c41d5512c51f

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041DC68h
push 00419D26h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 20h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
and dword ptr [ebp-04h], 00000000h
push 00000001h
call dword ptr [0041D0DCh]
pop ecx
or dword ptr [00427704h], FFFFFFFFh
or dword ptr [00427708h], FFFFFFFFh
call dword ptr [0041D0E0h]
mov ecx, dword ptr [004256FCh]
mov dword ptr [eax], ecx
call dword ptr [0041D0E4h]
mov ecx, dword ptr [004256F8h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041D0E8h]
mov eax, dword ptr [eax]
mov dword ptr [00427700h], eax
call 00007FDCB47E441Ah
cmp dword ptr [004233D0h], 00000000h
jne 00007FDCB47E434Eh
push 00419E6Ch
call dword ptr [0041D0ECh]
pop ecx
call 00007FDCB47E43EBh
push 00422050h
push 0042204Ch
call 00007FDCB47E43D6h
mov eax, dword ptr [004256F4h]
mov dword ptr [ebp-28h], eax
lea eax, dword ptr [ebp-28h]
push eax
push dword ptr [004256F0h]
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-2Ch]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [0041D0F4h]
push 00422048h
push 00422000h
call 00007FDCB47E43A3h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS2008 build 21022
[ASM] VS2005 build 50727
[ C ] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21600	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28000	0x818	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b102	0x1b200	d4c5d76b946ca36ab9bd5aab6cc41d87	False	0.5753078197004609	data	6.570310815454297	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1d000	0x4db4	0x4e00	c6b21ccaf0d9ef15381630f9c2f032a4	False	0.30193309294871795	data	4.0571847265275185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x570c	0x1400	e1801865b67dbd9655621941066a71b9	False	0.5072265625	data	4.868264558733701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x28000	0x818	0xa00	8a01387edd37bf9a125c14f9a1d77f1e	False	0.248828125	data	2.249846752391889	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x283e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0x286c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_GROUP_ICON	0x287f0	0x22	data	English	United States	1.0
RT_VERSION	0x28120	0x2c0	data	English	United States	0.49857954545454547

Imports

DLL	Import
USER32.dll	CharUpperW, CharNextA, CharUpperA
OLEAUT32.dll	VariantClear, SysFreeString, SysAllocString
MSVCRT.dll	_controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, _onexit, __dllonexit, ?terminate@@YAXXZ, ??1type_info@@UAE@XZ, _except_handler3, _beginthreadex, memset, memcpy, fputc, fputs, fflush, fgetc, fclose, _iob, free, malloc, memmove, _purecall, memcmp, _CxxThrowException, __CxxFrameHandler
KERNEL32.dll	FormatMessageW, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventA, WaitForSingleObject, VirtualFree, VirtualAlloc, DeleteCriticalSection, WaitForMultipleObjects, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, FileTimeToSystemTime, SetEndOfFile, WriteFile, ReadFile, SetFilePointer, GetFileSize, CreateFileA, FindFirstFileW, FindFirstFileA, FindClose, GetFullPathNameW, GetFullPathNameA, lstrlenA, DeleteFileW, GetCommandLineW, SetFileApisToOEM, SetConsoleCtrlHandler, FileTimeToLocalFileTime, GetVersionExA, MultiByteToWideChar, WideCharToMultiByte, GetLastError, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, CloseHandle, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, MoveFileA, SetFileAttributesW, RemoveDirectoryW, MoveFileW, CreateDirectoryA, CreateDirectoryW, DeleteFileA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	18:07:45
Start date:	12/03/2024
Path:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Imagebase:	0x400000
File size:	42'987'850 bytes
MD5 hash:	29C3418978DD57C42C7E9530B3AAC3D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:07:45
Start date:	12/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1%
Total number of Nodes:	2000
Total number of Limit Nodes:	105

Executed Functions

Function 0040729B Relevance: 6.1, APIs: 4, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004072A0

Part of subcall function 0040727B: FindClose.KERNELBASE(00000000,?,004072B3,00000000), ref: 00407286

FindFirstFileW.KERNELBASE(?,?,00000000), ref: 004072CE
AreFileApisANSI.KERNEL32(?,00000000), ref: 004072FA
FindFirstFileA.KERNEL32(?,?,00000001), ref: 0040731B

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FileFind$First$ApisCloseH_prolog
String ID:
API String ID: 4121580741-0
Opcode ID: 5c3926ebc48c721fdce823b9a54e600e3ca16dbec11882dde2ac97a4a5634cf2
Instruction ID: c18351d92dbe26744bc10dadc26f85e170059a6449482e44c1ef4992d28b18b4
Opcode Fuzzy Hash: 5c3926ebc48c721fdce823b9a54e600e3ca16dbec11882dde2ac97a4a5634cf2
Instruction Fuzzy Hash: 1121AE71804209DBCF14EF60C845ADEBB74EF04328F10436EE861A21D1CB38AA85DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00404151 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404156
GetVersionExA.KERNEL32(?), ref: 00404182

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 47cb9441f001fc510186d2f1fbe4dca210325c07bb1e5254520bf53accf4a332
Instruction ID: 29164d621a4e179869cae3949537221d291e262eae215510eaaefc1c74ca3229
Opcode Fuzzy Hash: 47cb9441f001fc510186d2f1fbe4dca210325c07bb1e5254520bf53accf4a332
Instruction Fuzzy Hash: 3801DFB1A00204EBCB20DBA4E9197DEBBB4FF44398F0042ABD401B72C1C3780A49CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040117A Relevance: 30.4, APIs: 8, Strings: 9, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040117F
SetFileApisToOEM.KERNEL32 ref: 00401190

Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626

GetCommandLineW.KERNEL32 ref: 004011BD

Part of subcall function 004048D3: __EH_prolog.LIBCMT ref: 004048D8

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Part of subcall function 004067E7: __EH_prolog.LIBCMT ref: 004067EC
Part of subcall function 004067E7: GetModuleFileNameW.KERNEL32(?,?,00000105,z @,00423400,00000000), ref: 0040681D

Part of subcall function 00406F29: __EH_prolog.LIBCMT ref: 00406F2E
Part of subcall function 00406F29: GetFullPathNameW.KERNEL32(?,00000105,00000000,?,z @,00423400,00000000), ref: 00406F79

_CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013D3
_CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013FC

Strings

Archive Errors: , xrefs: 004017E0
GetFullPathName Error, xrefs: 00401232
Sub items Errors: , xrefs: 0040181A
x B, xrefs: 004013BC, 004013E5
", xrefs: 004017C0
z @, xrefs: 004011B0
jq, xrefs: 0040167F, 004017D2, 004017D7, 004017E5, 0040180C, 00401811, 0040181F, 0040198B
Errors: , xrefs: 00401986
Error: , xrefs: 0040167A

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$ExceptionFileNameThrow$ApisCommandFullLineModulePathfputsfree
String ID: "$Archive Errors: $Error: $Errors: $GetFullPathName Error$Sub items Errors: $jq$x B$z @
API String ID: 3265642719-1150129021
Opcode ID: c773df35222393fd28ddaca40b2e66891401fc39d32c85b300611b74e3c6c18c
Instruction ID: 534f0a68ab572439674a15718fc533e9b748ce036701bf02642d9f7af2b2015a
Opcode Fuzzy Hash: c773df35222393fd28ddaca40b2e66891401fc39d32c85b300611b74e3c6c18c
Instruction Fuzzy Hash: 72528A70D01258DADF11EFA5C895BDEBBB0AF14308F1441AEE449772D2DB781A89CF29

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7BA Relevance: 28.9, APIs: 15, Strings: 1, Instructions: 854COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E7BF

Part of subcall function 004115B7: __EH_prolog.LIBCMT ref: 004115BC

Part of subcall function 00418B70: InitializeCriticalSection.KERNEL32 ref: 00418B9E

DeleteCriticalSection.KERNEL32(?), ref: 0040E9FA

Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405

SysFreeString.OLEAUT32(?), ref: 0040EC94
DeleteCriticalSection.KERNEL32(?), ref: 0040ED82
DeleteCriticalSection.KERNEL32(?), ref: 0040EDED
DeleteCriticalSection.KERNEL32(?), ref: 0040EE49
DeleteCriticalSection.KERNEL32(?), ref: 0040EF9B
DeleteCriticalSection.KERNEL32(?), ref: 0040EFF2
DeleteCriticalSection.KERNEL32(?), ref: 0040F049

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

SysFreeString.OLEAUT32(?), ref: 0040F072
DeleteCriticalSection.KERNEL32(?), ref: 0040F0AE

Part of subcall function 0040915E: memmove.MSVCRT ref: 0040918B

SysFreeString.OLEAUT32(?), ref: 0040F0E8
DeleteCriticalSection.KERNEL32(?), ref: 0040F124
DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 0040F19F
DeleteCriticalSection.KERNEL32(?), ref: 0040F22F

Strings

(, xrefs: 0040F2E9

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: CriticalSection$Delete$FreeString$H_prolog$ExceptionInitializeThrowfreemallocmemmove
String ID: (
API String ID: 527550986-3887548279
Opcode ID: 446a92fe0d9b6d5ff2eab511201c66791821879c076ca17a6dd6603e8f85bc05
Instruction ID: d6e78a68a9d5be5bacde93fdad0885ae2f5ebf8ff8468a999ab200fed8580cea
Opcode Fuzzy Hash: 446a92fe0d9b6d5ff2eab511201c66791821879c076ca17a6dd6603e8f85bc05
Instruction Fuzzy Hash: 54824B74D00249DFCF11DFA5C884ADDBBB0BF18308F1484AEE459A7291CB78AA89DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00419D2C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00419D58
__p__fmode.MSVCRT ref: 00419D6D
__p__commode.MSVCRT ref: 00419D7B
__setusermatherr.MSVCRT ref: 00419DA8
_initterm.MSVCRT ref: 00419DBE
__getmainargs.MSVCRT ref: 00419DE1
_initterm.MSVCRT ref: 00419DF1
__p___initenv.MSVCRT ref: 00419DF6
exit.KERNELBASE ref: 00419E16
_XcptFilter.MSVCRT ref: 00419E28

Strings

P B, xrefs: 00419DCB, 00419DCE
P B, xrefs: 00419DD9, 00419DDC

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: P B$P B
API String ID: 167530163-3583781393
Opcode ID: bca006545a28d04027b3fc903f0605031a812510328e61349f35a91f96ca5743
Instruction ID: f1c1613c88e361827a60ee2d6430e86b491c058f9a061bab899c927fc7155da6
Opcode Fuzzy Hash: bca006545a28d04027b3fc903f0605031a812510328e61349f35a91f96ca5743
Instruction Fuzzy Hash: 40314BB5E00305EFDB14DFA0EC45AD97B78FB08724F60812AF512A32E0DB786941CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004012A9 Relevance: 13.9, APIs: 4, Strings: 5, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013D3
_CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013FC

Part of subcall function 00401DAE: __EH_prolog.LIBCMT ref: 00401DB3

Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405

_CxxThrowException.MSVCRT(?,0041DDC8), ref: 004014FD

Strings

x B, xrefs: 004013BC, 004013E5
", xrefs: 004017C0
z @, xrefs: 004012A9
jq, xrefs: 0040167F
Error: , xrefs: 0040167A

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionThrow$H_prologmalloc
String ID: "$Error: $jq$x B$z @
API String ID: 3044594480-687722055
Opcode ID: 105abb600226d0131ef9453cca30999543467e489297b96e2f3d0d5a63f04ab7
Instruction ID: 7ac0dede9f98fec9eb1c1b39b41e7df7d60f04298f2134219041bfe3def959c5
Opcode Fuzzy Hash: 105abb600226d0131ef9453cca30999543467e489297b96e2f3d0d5a63f04ab7
Instruction Fuzzy Hash: 01F16770D00298DEDB21EFA5C895BDEBBB0BF14304F0441AEE14977292DB785A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B278 Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040B27D

Part of subcall function 0040BEEB: __EH_prolog.LIBCMT ref: 0040BEF0

Part of subcall function 00407492: __EH_prolog.LIBCMT ref: 00407497

_CxxThrowException.MSVCRT(?,0041E1B0), ref: 0040B392
_CxxThrowException.MSVCRT(00000001,0041E1B0), ref: 0040B816
_CxxThrowException.MSVCRT(00423050,0041E1B0), ref: 0040B82B

Part of subcall function 00403DCD: __EH_prolog.LIBCMT ref: 00403DD2

_CxxThrowException.MSVCRT(00423050,0041E1B0), ref: 0040B3A7

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Strings

P0B, xrefs: 0040B824
z @, xrefs: 0040B28D

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionH_prologThrow$free
String ID: P0B$z @
API String ID: 2114536809-228493968
Opcode ID: 5b752b00c754d80dd462c80eed99d346b9cb6eecee36879faaaf8797cc02f67f
Instruction ID: 80415a599fe0b547aa77d71a7c6402cf8ac950e2b8ce91f7db9f18a14ad2ee2b
Opcode Fuzzy Hash: 5b752b00c754d80dd462c80eed99d346b9cb6eecee36879faaaf8797cc02f67f
Instruction Fuzzy Hash: 0F421970900259DFCB14DFA9C984BDDBBB4EF48304F1480AAE849BB292DB749E45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00411B76 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00411B7B
memcpy.MSVCRT ref: 00411BE2
memmove.MSVCRT ref: 00411CAE

Strings

, xrefs: 00411C4C

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prologmemcpymemmove
String ID:
API String ID: 1608800686-3916222277
Opcode ID: 06cca9289681a650a057e5db6445d20b21d4165150ec291f3020f629dbc88ab2
Instruction ID: f0efae93e1cf06dd7da0d80deb9cfea385ac533b253575772d98703a7808fb3a
Opcode Fuzzy Hash: 06cca9289681a650a057e5db6445d20b21d4165150ec291f3020f629dbc88ab2
Instruction Fuzzy Hash: F35172B1E401169BDF04CF58C885AEEB7B5FF48304F14811AE905AB351E7789D81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004096E3 Relevance: 7.9, APIs: 1, Strings: 3, Instructions: 908COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004096E8

Part of subcall function 00409656: __EH_prolog.LIBCMT ref: 0040965B

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Strings

can not open output file , xrefs: 0040A132
,, xrefs: 0040A28E
z @, xrefs: 0040999E, 00409A2A, 00409A3D, 00409C3C, 00409CAA, 00409CEB, 00409D42, 00409D70, 00409D87, 0040A17E, 0040A1B4, 0040A223, 0040A268

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$free
String ID: ,$can not open output file $z @
API String ID: 2654054672-3366752113
Opcode ID: e4021acf10c05e144b0ba4c8d8dc4a3ef75a86f21a53af52f3158a9468734916
Instruction ID: 7ffc52c154260c420d4a5f12ec48cd137f8a684e05fbd2e850fcf7609794582b
Opcode Fuzzy Hash: e4021acf10c05e144b0ba4c8d8dc4a3ef75a86f21a53af52f3158a9468734916
Instruction Fuzzy Hash: 1F828B71900648EECF11EFA5C981ADEBBB1AF14304F2481BEE44177292DB395E45DF2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCA7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040BCAC

Strings

Can not create output directory , xrefs: 0040BE0D
z @, xrefs: 0040BD98

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID: Can not create output directory $z @
API String ID: 3519838083-3661672706
Opcode ID: d513d20b6cc50ae0be570f3012e1c44788260c0e40265cc58a068c9e09ce33f4
Instruction ID: 246d32385fb4a975fb34a6faf6d035bbe4692238bba53b55af9d53ecfd45f7c6
Opcode Fuzzy Hash: d513d20b6cc50ae0be570f3012e1c44788260c0e40265cc58a068c9e09ce33f4
Instruction Fuzzy Hash: E7716C71900119EBCF11EFA5D841AEEBBB4EF18304F20416EE402B7292DB785E45CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406A1C Relevance: 6.0, APIs: 4, Instructions: 36
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(00000078), ref: 00406A2C
CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00406A48
SetFileTime.KERNELBASE(00000000,?,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00406A5F
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00406A6B

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: File$ChangeCloseCreateErrorFindLastNotificationTime
String ID:
API String ID: 255131691-0
Opcode ID: 85a1c22ea028354ac8943e5fefa8ee7cc2f5e7228d56c7602a5f43497407cd05
Instruction ID: 2d15ff4f5d21fa3b996a1357c662cf8c592ccec830ddb50ccd9867c1ccf9d7e6
Opcode Fuzzy Hash: 85a1c22ea028354ac8943e5fefa8ee7cc2f5e7228d56c7602a5f43497407cd05
Instruction Fuzzy Hash: 1AF0E2757812207FE220AB246C58F97AAAC9F8A729F028135B55A760E0C6294D1AD638

Uniqueness

Uniqueness Score: -1.00%

Function 0040B012 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040B017

Part of subcall function 0040AE16: __EH_prolog.LIBCMT ref: 0040AE1B

Part of subcall function 0040B153: __EH_prolog.LIBCMT ref: 0040B158

Part of subcall function 0040236D: __EH_prolog.LIBCMT ref: 00402372

Strings

z @, xrefs: 0040B022
P1B, xrefs: 0040B037

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID: P1B$z @
API String ID: 3519838083-3334625589
Opcode ID: 15a08404549a3715069346adb6742004a6826916f0789c2bd9c2f3783a478a90
Instruction ID: 4bb09bd43c83cf1a26edd2b0f99aa09ce1d6c311f57905ba5debb0ab0f539945
Opcode Fuzzy Hash: 15a08404549a3715069346adb6742004a6826916f0789c2bd9c2f3783a478a90
Instruction Fuzzy Hash: B5116D31900618DFCB24EFA5D8816AEF7B4FF44315F00852EE466B3691D738AA41DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00407549 Relevance: 4.6, APIs: 3, Instructions: 62
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040754E
AreFileApisANSI.KERNEL32(?,00000000,?,00000000,0040C92E,?,?,?,00000000,?,?,?,00000000,00000000), ref: 00407572

Part of subcall function 00407510: CreateFileA.KERNEL32(00000001,?,?,00000000,?,?,00000000,?,?,004075A3,?,?,?,?,?,00000001), ref: 00407532

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,00000000,0040C92E,?,?,?,00000000), ref: 004075D7

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: File$Create$ApisH_prologfree
String ID:
API String ID: 3697404956-0
Opcode ID: 6684766a1a2c28f6622b7f2af9e0b77614d440e366c4ef289b9103af7c9f768f
Instruction ID: 4c561829ebc80b42705eaf63d70327d3a9573cfa90e0a0f938c4de0a047e9e52
Opcode Fuzzy Hash: 6684766a1a2c28f6622b7f2af9e0b77614d440e366c4ef289b9103af7c9f768f
Instruction Fuzzy Hash: 0F119372900109FFCF05AFA0DC419DE7F75EF08318F10452AF911B21A1CB3A9AA5EB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040C98E Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040C993

Strings

.7z, xrefs: 0040CBA6, 0040CBCE

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID: .7z
API String ID: 3519838083-3980757742
Opcode ID: f90371e24ee69f9fe6ac478dcf492b8aaff75f239fe2342c5f44b0422b9e52e2
Instruction ID: b521b267df78481cc613f1cd2daf1531b45f8fee511e283561fe85592d7026a4
Opcode Fuzzy Hash: f90371e24ee69f9fe6ac478dcf492b8aaff75f239fe2342c5f44b0422b9e52e2
Instruction Fuzzy Hash: 56D16E71A00149EFCF10DF98C8D49AEBBB5AF49314B24867EE41AEB391C7399E41DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040C4DD

Part of subcall function 0040C45D: __EH_prolog.LIBCMT ref: 0040C462

Strings

jq, xrefs: 0040C4E6

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID: jq
API String ID: 3519838083-1684728866
Opcode ID: 0525d92d46f35548419fe5f33d88a516f1e97c9b4f97f4d5308176bbfe51ca90
Instruction ID: bbc7e673ad77c2f3a5da1a0342a5401b6d833aa7d2d7b1ef3b015a8f5ac6ec90
Opcode Fuzzy Hash: 0525d92d46f35548419fe5f33d88a516f1e97c9b4f97f4d5308176bbfe51ca90
Instruction Fuzzy Hash: B7117C75A00225EACF14AFA4CC959AEB670FF48354F00423EE121B72E1D7785E45C799

Uniqueness

Uniqueness Score: -1.00%

Function 0040786E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(00000000), ref: 00407884

Strings

jq, xrefs: 0040786E

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: AllocString
String ID: jq
API String ID: 2525500382-1684728866
Opcode ID: cb8f81633507c63bb8dc66f60a3cd1d9c96c2c7d82326894cd5b28f2986e899a
Instruction ID: 08cb7957e9ec639422bee52464c6f172cf0a5ece66cacd7ad1014ba17830f184
Opcode Fuzzy Hash: cb8f81633507c63bb8dc66f60a3cd1d9c96c2c7d82326894cd5b28f2986e899a
Instruction Fuzzy Hash: 8FE0ECB2918312EAD7306F55C445647B6E1EF80344B14C83EE48996664E7BDD880C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C8CE Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040C8D3

Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405

GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00000000,00000000,?,?,?,?,?,?,?), ref: 0040C932

Part of subcall function 0040C606: __EH_prolog.LIBCMT ref: 0040C60B

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$ErrorExceptionLastThrowfreemalloc
String ID:
API String ID: 1455235784-0
Opcode ID: 5265ad35fdce3184c2308cfe5d5a5f9508b9e6658d0e330c9e6591bfb703ab74
Instruction ID: 13006a9ff2bb2db2c9a7a40b5c520653315d69514974fcd7a8b3486205c7d14f
Opcode Fuzzy Hash: 5265ad35fdce3184c2308cfe5d5a5f9508b9e6658d0e330c9e6591bfb703ab74
Instruction Fuzzy Hash: DA21C2B2901214EFCB109F65C948A9EBBB1EF44364F15826AFC55B72E1C7388D41DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF72 Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040CF77

Part of subcall function 0040722A: __EH_prolog.LIBCMT ref: 0040722F

Part of subcall function 00407492: __EH_prolog.LIBCMT ref: 00407497

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

_CxxThrowException.MSVCRT(?,0041E9F0), ref: 0040CFD8

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfree
String ID:
API String ID: 1371406966-0
Opcode ID: 894cc8776ea603293a427e572d17dbde349a7f5f1c21b50c0bb7bd0df93fa1fa
Instruction ID: 835e712a83ce143d0d0d4f64b62db323bb4738cfee00380d8caa728ce2c6f3da
Opcode Fuzzy Hash: 894cc8776ea603293a427e572d17dbde349a7f5f1c21b50c0bb7bd0df93fa1fa
Instruction Fuzzy Hash: FD012675A40204AEC710EF26C491BDEBBF1FF85314F00822FE846A32D1CB786949CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407664 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040767F
GetLastError.KERNEL32(?,?,?,?), ref: 0040768D

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7449b344c9b2a9f3f8f352f971a863f5a2482186d91cc9983dd83728de70cf9c
Instruction ID: f4dffb7e77ec5ae0868c3fa73e2b430a45e36f464e7fe576df831fc88b2a9ef1
Opcode Fuzzy Hash: 7449b344c9b2a9f3f8f352f971a863f5a2482186d91cc9983dd83728de70cf9c
Instruction Fuzzy Hash: FAF017B4904208EFCB04CF58E9808AE7BB9EB49324B208569F816A7391D375AE41DA65

Uniqueness

Uniqueness Score: -1.00%

Function 004053E5 Relevance: 2.5, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004053EB
_CxxThrowException.MSVCRT(?,0041E930), ref: 00405405

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: 96b16c71e6b037255579f44c4117a7fa18857c474ab67b77d5ef7688202bbd38
Instruction ID: 139ac8734f4e39c768685a2ab3e4270d831ea46d8e304d023c04dbb67bcf092c
Opcode Fuzzy Hash: 96b16c71e6b037255579f44c4117a7fa18857c474ab67b77d5ef7688202bbd38
Instruction Fuzzy Hash: 5FD0A97510428C7ACF006FA2D8009CB3F6C8900660B00A02BF85C8E222E634C7C28B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8FC Relevance: 2.1, APIs: 1, Instructions: 554COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F901

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b15a8df8ca74087720f9149dc9b27912cb12b0e12b76bc08ebb0cce0785994d7
Instruction ID: b23ee15f62283b2568ba25fea74014c43950f444574d056def913975de38f1a1
Opcode Fuzzy Hash: b15a8df8ca74087720f9149dc9b27912cb12b0e12b76bc08ebb0cce0785994d7
Instruction Fuzzy Hash: 39323E70900259DFDB10DFA8C584BDEBBB4AF19304F1440BEE845AB391DB78AE49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00412801 Relevance: 1.8, APIs: 1, Instructions: 257COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412806

Part of subcall function 00413811: __EH_prolog.LIBCMT ref: 00413816

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 51edff94990abb975f00c84083c1f471aa75bfaa39b12ef91986d894e9fc2382
Instruction ID: 6b96aaf115a561dc07c27b3ab9bbb0939e15c73199d3bb9cbfcc8b6812223371
Opcode Fuzzy Hash: 51edff94990abb975f00c84083c1f471aa75bfaa39b12ef91986d894e9fc2382
Instruction Fuzzy Hash: CAC13770A10258DFDB10EF95C985BDEB7B4EF14308F14809EE819AB292CB786E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040C606 Relevance: 1.7, APIs: 1, Instructions: 240COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C60B

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 734cfe72228689fd3396e6534126a7105ec0acf824d589afb25fe6db3797744a
Instruction ID: 5178ae1b31acc6bb52c17287953be3cc1588305aa4355c3677bd429ec24b6a67
Opcode Fuzzy Hash: 734cfe72228689fd3396e6534126a7105ec0acf824d589afb25fe6db3797744a
Instruction Fuzzy Hash: 3D915A71900149DFCB10EFA9C9859EEBBB4FF58304F20456EE806B7291CB39AE45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041344B Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413450

Part of subcall function 00411932: _CxxThrowException.MSVCRT(?,00420D88), ref: 00411945

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionH_prologThrow
String ID:
API String ID: 461045715-0
Opcode ID: 90e94f03d9fe783e395809472bf673a2b6d31b0c0308aee722cdb17e9949b6c1
Instruction ID: 328646ad39eb84878764cc0134ece3bb7c0fe789135d1b7bd0d0e4ce335109c6
Opcode Fuzzy Hash: 90e94f03d9fe783e395809472bf673a2b6d31b0c0308aee722cdb17e9949b6c1
Instruction Fuzzy Hash: 6A818B70A00209AFCB25EFA9C491BEEFBB1BF18304F14412EE555A3351CB39AA85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040D07B Relevance: 1.7, APIs: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040D080

Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405

Part of subcall function 0040CDE5: __EH_prolog.LIBCMT ref: 0040CDEA

Part of subcall function 0040722A: __EH_prolog.LIBCMT ref: 0040722F

Part of subcall function 00401DAE: __EH_prolog.LIBCMT ref: 00401DB3

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfreemalloc
String ID:
API String ID: 2423332413-0
Opcode ID: 37cdcf6050dd80ad9171f8c3bb514cd05c619be2807efdfaffd69dd900242610
Instruction ID: cab0ca36ea6c89eaaa18b97509a82cde8c02a224afa06496b7fec301dfdedd03
Opcode Fuzzy Hash: 37cdcf6050dd80ad9171f8c3bb514cd05c619be2807efdfaffd69dd900242610
Instruction Fuzzy Hash: 28513671D00209EFCB11EFA5D885ADEBBB5FF48304F14816EF515B72A2DB389A068B54

Uniqueness

Uniqueness Score: -1.00%

Function 00410F24 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410F29

Part of subcall function 004136C5: __EH_prolog.LIBCMT ref: 004136CA

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Part of subcall function 004110D4: __EH_prolog.LIBCMT ref: 004110D9

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 35740016b5e6f2c6f1804e073b2db0f87c50230a418c5bf2f83fac7370e69474
Instruction ID: 73ef9f27857630eb8f619f4f46601d8bcbd8d01cb3e8c71e2b75eb4801d46074
Opcode Fuzzy Hash: 35740016b5e6f2c6f1804e073b2db0f87c50230a418c5bf2f83fac7370e69474
Instruction Fuzzy Hash: 80519170904289DFCF11DFA5C985ADEBBB4AF08304F2440AEE405A7392CB799F85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A472 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A477

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ea6653e504ffe39ed9291bfabe7bbcc9e2a1c941f6fc2be3067267babc26e16a
Instruction ID: 6285e3bbb06bac71b8a60a222a68d217d5a94d67dd3ad31d6ff36d713d7c95e7
Opcode Fuzzy Hash: ea6653e504ffe39ed9291bfabe7bbcc9e2a1c941f6fc2be3067267babc26e16a
Instruction Fuzzy Hash: CF415C75500780AFCB21CF24C494AA6BBF1BF44304F14887EE59AAB652D738F959CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00410512 Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410517

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 65f1f35eb89c8accc49011609c4c1ee3753506309f769ad08c57a4fe7e8fdb52
Instruction ID: 512d86458d17f157ff68d4d201275369944e1922b72539c05a6754b28f2d0f22
Opcode Fuzzy Hash: 65f1f35eb89c8accc49011609c4c1ee3753506309f769ad08c57a4fe7e8fdb52
Instruction Fuzzy Hash: D7318171900245DFCB24CF59C4848AABBF2FF48314B2446AEE096AB361C774ED85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBB5 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040DBBA

Part of subcall function 0040D7F2: __EH_prolog.LIBCMT ref: 0040D7F7

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 84b1ac7be7d5944091699361a4ae5f8055839e7a2e08d9909bdbc32f1723b3c1
Instruction ID: 3318c05fe2475df2f744ea7094431d15421057c11434644ea95d11ea1bb5695f
Opcode Fuzzy Hash: 84b1ac7be7d5944091699361a4ae5f8055839e7a2e08d9909bdbc32f1723b3c1
Instruction Fuzzy Hash: AA11A371B10654DADF08EBA9C1163DEFBE5DF91318F14425F9066772C2CBB81B048B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C45D Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C462

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5a06441c7b4576814edd79900506659bb7a08fc3b4ab1eeb3a4254f01ce2dd7b
Instruction ID: 47d026ce1669ea743996861b283c84681878ff3b1dd964195c12d526481cf53c
Opcode Fuzzy Hash: 5a06441c7b4576814edd79900506659bb7a08fc3b4ab1eeb3a4254f01ce2dd7b
Instruction Fuzzy Hash: 40012972E10116DBCB20DF55C8509AEBB74FF44750B10826BE412B72A0C37C5E42DBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA2 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE ref: 00406ADC

Part of subcall function 00406AEA: __EH_prolog.LIBCMT ref: 00406AEF
Part of subcall function 00406AEA: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00406B0B

Part of subcall function 00406A79: SetFileAttributesA.KERNEL32(?,?,00406ACA), ref: 00406A7B

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: File$Attributes$ApisH_prologfree
String ID:
API String ID: 1139671477-0
Opcode ID: c9f87d62a3a46c85bb97564fc79bae1531ea23e9696bc56f8462848db603ed2c
Instruction ID: 5a4acbca960fb223808e688570083969bf9306ba78e7360c801361f0078d7a1a
Opcode Fuzzy Hash: c9f87d62a3a46c85bb97564fc79bae1531ea23e9696bc56f8462848db603ed2c
Instruction Fuzzy Hash: 86E0ED20B00110ABCB107675AC16ADB37A88B46218B20C13BE403B32A1E978D952CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00407D7C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407D81

Part of subcall function 00407CA4: __EH_prolog.LIBCMT ref: 00407CA9

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2ea15d909d7790bd45a1b301f583b2182f9a59a265a692a5f9f3671c467cdce2
Instruction ID: 286010f1982b79376d0199519aa468fd7c222059d1b2f13407d9dc67900f75ac
Opcode Fuzzy Hash: 2ea15d909d7790bd45a1b301f583b2182f9a59a265a692a5f9f3671c467cdce2
Instruction Fuzzy Hash: 46F03472A10218ABDB19DF98CC01BEEB779EF44325F10856AB826E7290C7799A05CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405634 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405639

Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prologfputsfree
String ID:
API String ID: 2991183862-0
Opcode ID: 361aeee646b8e5633feb5a697179d586ebf6a84ac78b7e074c38e41508c390eb
Instruction ID: 85d77463f68a2ee20140c798da53980a4d6227e1c63ba0824e1d352e795963f4
Opcode Fuzzy Hash: 361aeee646b8e5633feb5a697179d586ebf6a84ac78b7e074c38e41508c390eb
Instruction Fuzzy Hash: D5F05872A00509AACF05BB54C843AEEBB71EB14308F10816EE501722E2DB7A1E95DA88

Uniqueness

Uniqueness Score: -1.00%

Function 00406BF9 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,z @,?), ref: 00406C2D

Part of subcall function 00406AEA: __EH_prolog.LIBCMT ref: 00406AEF
Part of subcall function 00406AEA: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00406B0B

Part of subcall function 00406BEA: CreateDirectoryA.KERNEL32(?,00000000,00406C1A,?,z @,?), ref: 00406BED

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: CreateDirectory$ApisFileH_prologfree
String ID:
API String ID: 2455149606-0
Opcode ID: e684389bbc9d0dd0748a7c28f2bd674140749acc96f1285deb3b3f24e38ad4dc
Instruction ID: e9182faec830f53e1ada4ed54726d664073956b6a9075750bfad7de01d9d9167
Opcode Fuzzy Hash: e684389bbc9d0dd0748a7c28f2bd674140749acc96f1285deb3b3f24e38ad4dc
Instruction Fuzzy Hash: 47E0DF70B001006BDB007765FC6278A37688B4130CF10C17AE402AB1E1EE78D956C608

Uniqueness

Uniqueness Score: -1.00%

Function 00407711 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00407734

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 53d42df8be4e469bf12bd33762c29c1b750572f7d2e4a948a3a83de76b307521
Instruction ID: bbe6aeb1ea1e6052ee290407a306587cef13ccc15bab7cec68d4297f07c79014
Opcode Fuzzy Hash: 53d42df8be4e469bf12bd33762c29c1b750572f7d2e4a948a3a83de76b307521
Instruction Fuzzy Hash: 59E0E575A00208FBCB11CF95D901F8E7BBABB48354F20C069F914AA260D379EA11EF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040779C Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004077BF

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 504299f87fb89d0047bb7676cf03167f2554e3be6d89c6ae7c17546a80c499e6
Instruction ID: a788cfedd4852d637b70718a4811bedd840fc10ad6fdbfa488dd85fabfb28c19
Opcode Fuzzy Hash: 504299f87fb89d0047bb7676cf03167f2554e3be6d89c6ae7c17546a80c499e6
Instruction Fuzzy Hash: 82E0E579A00208FFCB11CF95C901B8E7BBABB48354F20C069F9149A260D379AA10EF58

Uniqueness

Uniqueness Score: -1.00%

Function 004136C5 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004136CA

Part of subcall function 0041344B: __EH_prolog.LIBCMT ref: 00413450

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c0978009d694865c74bc2a33d11b46a2ada8b0b8ce8826f1f314ed5293309246
Instruction ID: e56c9b5a34f24c4b2b335fcfe8cb56b33002ef008c64caa7418fee8f44cfdbe5
Opcode Fuzzy Hash: c0978009d694865c74bc2a33d11b46a2ada8b0b8ce8826f1f314ed5293309246
Instruction Fuzzy Hash: 51E08C72900108FFCB019F85C802BEE7B38FB45369F10802FF00155200C37A4A60DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00407492 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407497

Part of subcall function 0040729B: __EH_prolog.LIBCMT ref: 004072A0
Part of subcall function 0040729B: FindFirstFileW.KERNELBASE(?,?,00000000), ref: 004072CE

Part of subcall function 0040727B: FindClose.KERNELBASE(00000000,?,004072B3,00000000), ref: 00407286

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FindH_prolog$CloseFileFirst
String ID:
API String ID: 2004497850-0
Opcode ID: ab50a1498f827e730a9cbef3c24a5c1888fd9fa38c81ce9c362cc46269eaa863
Instruction ID: 051957bad08504a415e1d5588613521c2f285170302354068c61b22755458e09
Opcode Fuzzy Hash: ab50a1498f827e730a9cbef3c24a5c1888fd9fa38c81ce9c362cc46269eaa863
Instruction Fuzzy Hash: BAE08CF1C52505AACB08DBA1CC92BEEB334FB41318F00465EF032722D18B382508C929

Uniqueness

Uniqueness Score: -1.00%

Function 00418A30 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00418A44

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 6806db5be1c8f582866a3d516b1947ba29cc734cc0cae6830351c00047cb70d8
Instruction ID: fc15bd5669f08f0e8bb82dc1e75bb8b9ebf1e1d0247e18c6f40537ccf446c2e8
Opcode Fuzzy Hash: 6806db5be1c8f582866a3d516b1947ba29cc734cc0cae6830351c00047cb70d8
Instruction Fuzzy Hash: 5CD0A7B16442017FE6149B28DC06FAA77D89F84704F10842EB149D71D1D9B05C80876D

Uniqueness

Uniqueness Score: -1.00%

Function 0040727B Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,004072B3,00000000), ref: 00407286

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 2e13a17fa00f32e2ffd5c6a4892ff0b38d3b488d50b70c37ec772d947705b619
Instruction ID: 1cd0053a2531da801a71ff8709c20484f153a7e0f794c922f16f441aa08e7b7b
Opcode Fuzzy Hash: 2e13a17fa00f32e2ffd5c6a4892ff0b38d3b488d50b70c37ec772d947705b619
Instruction Fuzzy Hash: D2D0123191826146CA642E3CB8449D337D85F0633472907EEF4B4D33E1D3749CC79654

Uniqueness

Uniqueness Score: -1.00%

Function 004075F9 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,?,004075C2,00000000,?,00000000,0040C92E,?,?,?,00000000,?,?,?,00000000,00000000), ref: 00407604

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c2e6e2fd004d8fba40dcf36d88b196163c56aa3e964f2897a4a73cb698526879
Instruction ID: 7f0aceefd0840bbdeb1e8f840846108ea751048b2bb48f28a57f57ee0d2e851f
Opcode Fuzzy Hash: c2e6e2fd004d8fba40dcf36d88b196163c56aa3e964f2897a4a73cb698526879
Instruction Fuzzy Hash: 6AD012319085214BCA646E3C784C9C277D86A863B83250F6AF0B6D32E5D3759C835658

Uniqueness

Uniqueness Score: -1.00%

Function 0040568C Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00405698

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 6580ff8f3b4c9b2dd5a726c106159b2c9b059c26df76a55d145085af54cf24a3
Instruction ID: cf131d332bb71641c6606e6d92cff17108708ad2684ee9b8b6e248c18e027e18
Opcode Fuzzy Hash: 6580ff8f3b4c9b2dd5a726c106159b2c9b059c26df76a55d145085af54cf24a3
Instruction Fuzzy Hash: 5FC02B7350C2307F820407987C088D7BBDCCB0C632310882FF284C2000C975DC008798

Uniqueness

Uniqueness Score: -1.00%

Function 0040561C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00405626

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: fputs
String ID:
API String ID: 1795875747-0
Opcode ID: 9f3682537f81894a5db16acf5a026ad65e66c729d35f0eed1f5696105da1d0a9
Instruction ID: 3055a33b8b2916f824f64770a2b206d12f9855b6eefb6c375f87e50b719fc513
Opcode Fuzzy Hash: 9f3682537f81894a5db16acf5a026ad65e66c729d35f0eed1f5696105da1d0a9
Instruction Fuzzy Hash: EAC04C73508120AF96151A58BC05886B795DB59631721C52BF25581160DA729C109798

Uniqueness

Uniqueness Score: -1.00%

Function 0040777F Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?), ref: 0040778D

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 54361a933c6f66fc4a53ff628da8d91ad4607a0d9c0ba058e5ed97a55abda049
Instruction ID: 25a54983d51de781230dc2d7b5e464ac7149ddd2bb2d034677340562758f2130
Opcode Fuzzy Hash: 54361a933c6f66fc4a53ff628da8d91ad4607a0d9c0ba058e5ed97a55abda049
Instruction Fuzzy Hash: E1C04C3A158105FF8F021F70CC04C1ABFE2AF99715F10C918B25DC4070C7328024EB02

Uniqueness

Uniqueness Score: -1.00%

Function 0040915E Relevance: 1.3, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405

memmove.MSVCRT ref: 0040918B

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionThrowmallocmemmove
String ID:
API String ID: 2847158419-0
Opcode ID: cc3506a85f9da5dfc6c33b6f6673e2ce5fe04c0e303d30807e1a46dacb806c3a
Instruction ID: 482d39da45c2f8cd0462654843c70215a31e33ca96f8b29ac42986283be842ae
Opcode Fuzzy Hash: cc3506a85f9da5dfc6c33b6f6673e2ce5fe04c0e303d30807e1a46dacb806c3a
Instruction Fuzzy Hash: 80F082727047026FE2305F16DC8485BB7E9DBC5755310883FF95DA6252C639EC41C668

Uniqueness

Uniqueness Score: -1.00%

Function 00408B6C Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00408B9E

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 662ac572375498242c90138e4ee6cce6eb91b11312f7fa1056ea47a1be8e81c1
Instruction ID: c8783d8a7d335f4854df42e261cc132adcab2544801ccc1f9f7bd42d64c955a8
Opcode Fuzzy Hash: 662ac572375498242c90138e4ee6cce6eb91b11312f7fa1056ea47a1be8e81c1
Instruction Fuzzy Hash: 4FF0BE72A00144DFCF11DFA0D94899A7FB1EF99320B0484AFF88197252CB38A811DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00417000 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00020000,00001000,00000004,004142B5), ref: 00417011

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 40b3809ef12982ed2b642611d98c115126d194588586179802d3c9b16db6065e
Instruction ID: a40f0a692cbd122446d235d4316e198ba1f41a5d65a25bbecdd63107e3e8a2ec
Opcode Fuzzy Hash: 40b3809ef12982ed2b642611d98c115126d194588586179802d3c9b16db6065e
Instruction Fuzzy Hash: 3CB092B079524065FE6906208C0ABA618115348B9FF009068B301D81C4EBD49441602C

Uniqueness

Uniqueness Score: -1.00%

Function 00416FD0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00416FD8

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: f4a98244ba83c47b300c1d6d9d6e3f7f69ca4b653a080e097630c1b47b77b64d
Instruction ID: b47a31f33d2dab65ba19fed7834eb5a33906c8ce2160d7fdaf7cedc5739352d9
Opcode Fuzzy Hash: f4a98244ba83c47b300c1d6d9d6e3f7f69ca4b653a080e097630c1b47b77b64d
Instruction Fuzzy Hash: A5B012F051108012DE1C07347C040A73100268010B7C044B8F402C0110E729D024500D

Uniqueness

Uniqueness Score: -1.00%

Function 00417020 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0040822C,?,00408206), ref: 0041702C

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8b940bd2d54b2e02ce6fd356d78b802ca04556ce44a6fadc815780e7f4ca2151
Instruction ID: d7362d8e6ace7fc5e0a9da9f1b294476dda612f446f3961d99752673b2bc4fc5
Opcode Fuzzy Hash: 8b940bd2d54b2e02ce6fd356d78b802ca04556ce44a6fadc815780e7f4ca2151
Instruction Fuzzy Hash: FCB0127068530039ED3C47100D05F5619101708701F1080183101A40C0C658D544854C

Uniqueness

Uniqueness Score: -1.00%

Function 00416FF0 Relevance: 1.3, APIs: 1, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT(?,004144DB,?,0041448D), ref: 00416FF1

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: bc1d8412276cc2565f2bd195f3b25eb86f4d6089c1ce18e73bf5630451c65e7f
Instruction ID: 8ead0745542f8c59725e415c93cd0536404af2e60b36a07842a1ea74c6f0e253
Opcode Fuzzy Hash: bc1d8412276cc2565f2bd195f3b25eb86f4d6089c1ce18e73bf5630451c65e7f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041239B Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004123A0

Part of subcall function 00405AA5: _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405AD1
Part of subcall function 00405AA5: _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405AF8
Part of subcall function 00405AA5: _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405B20
Part of subcall function 00405AA5: memcpy.MSVCRT ref: 00405B39

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID:
API String ID: 3273695820-0
Opcode ID: ea1575024d801dcc0cda5af6ad971ceb36abb96347274110e3f752804487a0f9
Instruction ID: 893faa4ac55e7b3430ef41d9c653ef8b456160620576ff9ff7d6b798b256bf74
Opcode Fuzzy Hash: ea1575024d801dcc0cda5af6ad971ceb36abb96347274110e3f752804487a0f9
Instruction Fuzzy Hash: B2A1FA70A002099FCF18DF55C9919EEBBB2FF98314F14842FE815A7251D778AD92CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004171E0 Relevance: 1.0, Instructions: 995COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b869f2f4f8dc1a01f740a5a2f5011cdac545a677f434155a1b40552727ad551f
Instruction ID: 586160e0a428f2a343ee105bc52d4287d6f34c6cf7980518a909fda8790eb816
Opcode Fuzzy Hash: b869f2f4f8dc1a01f740a5a2f5011cdac545a677f434155a1b40552727ad551f
Instruction Fuzzy Hash: B472F972A083154BC718CE29C98016AFBF3BFD5340F16862EE8A987794E774D946CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00417EF0 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9803c8db8919b39b22e60e951130245479d9368fb12c4fe1c3f5fb4592283aad
Instruction ID: 914d8d4abeb419496ea0cf902aa9d6872d5ddc796ecad110a15aa2eeb864abf5
Opcode Fuzzy Hash: 9803c8db8919b39b22e60e951130245479d9368fb12c4fe1c3f5fb4592283aad
Instruction Fuzzy Hash: 24023D72A082158BD709CE18C5902BDBBE2FBC5344F150A3FE89697744DB78D8C9C799

Uniqueness

Uniqueness Score: -1.00%

Function 0041525D Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e337b5a94b9f233629b808c44dd0c8168d5e53dcb01da2cf7c8b99d02b393c
Instruction ID: 33472e8ce0ac9e49a25cbb5f929d8ae9c2659553d8a610cd78f8e1026f2c2182
Opcode Fuzzy Hash: 07e337b5a94b9f233629b808c44dd0c8168d5e53dcb01da2cf7c8b99d02b393c
Instruction Fuzzy Hash: 36D1A031A04515CBCB18CF28C5906FEB7B2EFC5304F1945AACC5A9F346E779A885CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00418F60 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df05fb36d0e258a535389ea28995d16e6c48d1872498011ba35c99b7642440c
Instruction ID: e435e89ad5e7a155f70d261c0c1fe4568892584fb2aa312ae2f8871ce86f404e
Opcode Fuzzy Hash: 7df05fb36d0e258a535389ea28995d16e6c48d1872498011ba35c99b7642440c
Instruction Fuzzy Hash: C0D18F72A146674FD360DF68EC80231B7A2EFD9200F8F0678CA5547262D674AA53DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419640 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c11ccbbe405bec54ae4001e139b4049c8f1a9239a1487f55fb83cccff2f8113
Instruction ID: 7d314292c9fbff8079a9fb1420f0aa651efc89cd32a3d239cee6106bc183fc2a
Opcode Fuzzy Hash: 6c11ccbbe405bec54ae4001e139b4049c8f1a9239a1487f55fb83cccff2f8113
Instruction Fuzzy Hash: 3951B1726187158FC304DF98D88055AF3E2FFC8304F2A8A6DDA445B315E771B91A8BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00416F4A Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5cd681b7fe923d4a2be2489c23972cb569ba397ce26d11a7b380d506af2721
Instruction ID: f10766ddd6232cb784b5b006f375ba88f20709421d03555773f0831bc5e340d6
Opcode Fuzzy Hash: 7b5cd681b7fe923d4a2be2489c23972cb569ba397ce26d11a7b380d506af2721
Instruction Fuzzy Hash: 9E41B171B109200AB35CCE3A8C851A52BC3CBCA386789C23CD5A6C66DDDDBDC15791A4

Uniqueness

Uniqueness Score: -1.00%

Function 00418D70 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e89b525241f7ddb1d172a135f55649b0ee6d269f4aaf66db969f89b51f07abc
Instruction ID: 78b86fa6527597e2b4270dee81f24323e6da0840a189db40f3b11fe9aa232233
Opcode Fuzzy Hash: 4e89b525241f7ddb1d172a135f55649b0ee6d269f4aaf66db969f89b51f07abc
Instruction Fuzzy Hash: 2D314D71B082B54BE3208E2E8C40165FFE7AFD5342F9CC2BAD0A4CB746D939D656C264

Uniqueness

Uniqueness Score: -1.00%

Function 00419E80 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd7929ecdafffd95b1f3e926932b610952614e7737c84ca0b7b3c4964c7710
Instruction ID: a79cda8a0ccb7d4d7405c1597de70ad9e48a13ab8400cbbdeb5d8bf8762204a4
Opcode Fuzzy Hash: f5dd7929ecdafffd95b1f3e926932b610952614e7737c84ca0b7b3c4964c7710
Instruction Fuzzy Hash: FE21B3315106248BD756DE1EE8D46FB73E2EBC4356F66862FE9C483280D23CA856D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040286B Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402870

Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626

Strings

Can't allocate required memory, xrefs: 004028C7
jq, xrefs: 0040287D, 004028F6
Can not open encrypted archive. Wrong password?, xrefs: 004028A8, 004028B4
Can not open file as archive, xrefs: 004028AF
Error: , xrefs: 00402895

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prologfputs
String ID: Can not open encrypted archive. Wrong password?$Can not open file as archive$Can't allocate required memory$Error: $jq
API String ID: 1798449854-660727338
Opcode ID: cd18a7aae110030dc8c7509fb13b7ed285f1cdb27597cf78849d0b6947d13980
Instruction ID: 6f93006310a7e4ecaf4085d375b2a29070e8adbc188e6fcd8d94a6893c825321
Opcode Fuzzy Hash: cd18a7aae110030dc8c7509fb13b7ed285f1cdb27597cf78849d0b6947d13980
Instruction Fuzzy Hash: 1611BF72A00640ABDB15FA65C585A6FB7B0FB84318F50853FE106736C2CBBEAD40DA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DFE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43timeCOMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000001,0041E1B0), ref: 00402E1B
FileTimeToLocalFileTime.KERNEL32(00000010,00000020,jq,?,?,?,00000000,?,0000000D,00000020,0000000A,00000020,00000000,00000001), ref: 00402E33
_CxxThrowException.MSVCRT(?), ref: 00402E4D

Strings

L+B, xrefs: 00402E0B
jq, xrefs: 00402E08
l+B, xrefs: 00402E3D, 00402E45

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionFileThrowTime$Local
String ID: L+B$jq$l+B
API String ID: 2485030866-966932216
Opcode ID: 355529462fe17c30677c74d8c05643e0b738ccb77fc9e48370b97469747b88d3
Instruction ID: 2496a9c170a0f06d10c74f3ccf17496ceb9064226315382f00129071eb39d7b7
Opcode Fuzzy Hash: 355529462fe17c30677c74d8c05643e0b738ccb77fc9e48370b97469747b88d3
Instruction Fuzzy Hash: FB018470A40208BACF10EFA1DA45ADE77B89B04708B94806BE901B21C1E7F96B45869D

Uniqueness

Uniqueness Score: -1.00%

Function 00408367 Relevance: 10.1, APIs: 8, Instructions: 143COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040837A
memcmp.MSVCRT ref: 004083A0
memcmp.MSVCRT ref: 004083BD
memcmp.MSVCRT ref: 004083DA
memcmp.MSVCRT ref: 00408440
memcmp.MSVCRT ref: 00408474

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: ae276a2fe44e7d983430b93752e7ceb035126392cc39b9dbf909b9f09059af5b
Instruction ID: 9f5349bf7cf674084e191ad0f33d7be061119383b471bd2f022e1868b823e4bc
Opcode Fuzzy Hash: ae276a2fe44e7d983430b93752e7ceb035126392cc39b9dbf909b9f09059af5b
Instruction Fuzzy Hash: 81418CB1700206AFD7149E21CD41EAB73A8AEA5744710417EFC86EB381FB7CED4587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402E7E Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 205COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402E83
_CxxThrowException.MSVCRT(?,0041E1B0), ref: 004030F9

Part of subcall function 0040786E: SysAllocString.OLEAUT32(00000000), ref: 00407884

Part of subcall function 00402DFE: _CxxThrowException.MSVCRT(00000001,0041E1B0), ref: 00402E1B
Part of subcall function 00402DFE: FileTimeToLocalFileTime.KERNEL32(00000010,00000020,jq,?,?,?,00000000,?,0000000D,00000020,0000000A,00000020,00000000,00000001), ref: 00402E33
Part of subcall function 00402DFE: _CxxThrowException.MSVCRT(?), ref: 00402E4D

Strings

jq, xrefs: 00402E91, 00403096
= , xrefs: 00402F3F
l+B, xrefs: 004030F2

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionThrow$FileTime$AllocH_prologLocalString
String ID: = $jq$l+B
API String ID: 3746970167-1325507436
Opcode ID: eb9eb1550d1a8ed2e196a80416db29cb8060510ae632c796a6a3f1711cc0fa45
Instruction ID: adaa888c81bfec7dde75ced6c72cfe3062ee73a06645ea0c1d4a13df5bce78f0
Opcode Fuzzy Hash: eb9eb1550d1a8ed2e196a80416db29cb8060510ae632c796a6a3f1711cc0fa45
Instruction Fuzzy Hash: D0819070E0124AEBCF14EFA0C5959AEBB75AF44304F20442FE401B72D1DB79AE46DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00405477 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040547C

Part of subcall function 00405523: fgetc.MSVCRT ref: 0040552E
Part of subcall function 00405523: _CxxThrowException.MSVCRT(?,0041DDD8), ref: 00405558

_CxxThrowException.MSVCRT(?,0041DDD8), ref: 004054D3
_CxxThrowException.MSVCRT(?,0041DDD8), ref: 004054E9

Strings

(.B, xrefs: 004054C2
-B, xrefs: 004054D8

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionThrow$H_prologfgetc
String ID: (.B$-B
API String ID: 1907486920-3869146835
Opcode ID: a9e3766e32b5b51e3493202c938f8ee6b20589220fa3f963b61cecb287e916a3
Instruction ID: e17e98e3704c18d16ccaee19d231d7d9e795953925ee4fbbd1b527f46cc73ee4
Opcode Fuzzy Hash: a9e3766e32b5b51e3493202c938f8ee6b20589220fa3f963b61cecb287e916a3
Instruction Fuzzy Hash: 371142B1E00509AACF15EF95D5819EEB7B4EB04304F50853FE015A72C1D77C5A868B99

Uniqueness

Uniqueness Score: -1.00%

Function 00404B86 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404B8B
_CxxThrowException.MSVCRT(?,0041E1B0), ref: 00404E30

Part of subcall function 00404F96: __EH_prolog.LIBCMT ref: 00404F9B

_CxxThrowException.MSVCRT(?,0041E1B0), ref: 00404DF1
_CxxThrowException.MSVCRT(00422DC0,0041E1B0), ref: 00404E06
_CxxThrowException.MSVCRT(?,0041E1B0), ref: 00404E1B

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionThrow$H_prolog
String ID:
API String ID: 206451386-0
Opcode ID: e2025df0af1240f0191cd46306863cc60a3b13274b6bb1d4c7f2c6a444f3e01a
Instruction ID: b888594f10d019682cb7ca96ce158fc016d69faa4a9fc8cc948a28f285ff49a6
Opcode Fuzzy Hash: e2025df0af1240f0191cd46306863cc60a3b13274b6bb1d4c7f2c6a444f3e01a
Instruction Fuzzy Hash: 6E918DB59002099ECB10DF94C580AEEB7B5FF94318F24416BE955B72E1D738AE41CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA5 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405AD1
_CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405AF8
_CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405B20
memcpy.MSVCRT ref: 00405B39

Strings

z @, xrefs: 00405AAF

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ExceptionThrow$memcpy
String ID: z @
API String ID: 2368683791-1165971878
Opcode ID: 25dc454775ed8784ea0cdedb82d16fa6faa16ee3ce24d9fadc2a57ad4e7ca640
Instruction ID: 5489951a91272120a4e0f42bb383af1c466090f88c2470b77b4ede6d70cd54ed
Opcode Fuzzy Hash: 25dc454775ed8784ea0cdedb82d16fa6faa16ee3ce24d9fadc2a57ad4e7ca640
Instruction Fuzzy Hash: 8611B672200A046FCB14EF56C8C1E9BBBE9EB44354710853FF54D97281D775F9858B68

Uniqueness

Uniqueness Score: -1.00%

Function 004056F7 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

CharUpperW.USER32(00000000,?,?,?,?,?,0040586F), ref: 00405712
GetLastError.KERNEL32(?,0040586F), ref: 0040571E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,0040586F), ref: 00405739
CharUpperA.USER32(?,?,0040586F), ref: 00405752
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,0040586F), ref: 00405765

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: Char$ByteMultiUpperWide$ErrorLast
String ID:
API String ID: 3939315453-0
Opcode ID: e84360d828a5b438ad29ce31fdbcbe6a1dffe1f991e02af1f77327b86fda5b7a
Instruction ID: 75452525785c39542b8daf1de7388683e97a46d5a7fa59b14c76898d3bcf9971
Opcode Fuzzy Hash: e84360d828a5b438ad29ce31fdbcbe6a1dffe1f991e02af1f77327b86fda5b7a
Instruction Fuzzy Hash: C60156FA80061DBBDF1067E4ACC9DEF766CDB05354F400572F942E3250E1789E459B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402C46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402C4B
SysFreeString.OLEAUT32(00000000), ref: 00402D17

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Part of subcall function 0040400C: __EH_prolog.LIBCMT ref: 00404011

SysFreeString.OLEAUT32(00000000), ref: 00402CF9

Strings

jq, xrefs: 00402C54

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FreeH_prologString$free
String ID: jq
API String ID: 4082356393-1684728866
Opcode ID: 6f91b67dd2394eef06f891f686f3869f33fc3e7b21d59ab2c92152128bc1d70d
Instruction ID: 93d44f3a5760abfc0aa86eca4c70422a2b577f86d4019f12da3c4c2222722580
Opcode Fuzzy Hash: 6f91b67dd2394eef06f891f686f3869f33fc3e7b21d59ab2c92152128bc1d70d
Instruction Fuzzy Hash: 71215971C00119EBDF05EBA5C985AEEFBB4FF18314F10816AE411B32D1DB789A05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004067E7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004067EC
GetModuleFileNameW.KERNEL32(?,?,00000105,z @,00423400,00000000), ref: 0040681D
AreFileApisANSI.KERNEL32(00000003,z @,00423400,00000000), ref: 00406868

Strings

z @, xrefs: 004067FD

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: File$ApisH_prologModuleName
String ID: z @
API String ID: 605547141-1165971878
Opcode ID: 49116ac75009bc038ed5026f7558190b68c53b85c1e2b9362c61400c1daeef84
Instruction ID: d4a28a327c9532e7657e9bad19d425783da8759da1f86047db9ba15d0f13c3e9
Opcode Fuzzy Hash: 49116ac75009bc038ed5026f7558190b68c53b85c1e2b9362c61400c1daeef84
Instruction Fuzzy Hash: E6218E72A012049ADF10EFA5D8959EFBBB9EF48304F10847FE506F32D1CB794A45CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00406933 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406938
FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,jq,?,?), ref: 0040695F
LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,jq,?,?), ref: 0040697A

Strings

jq, xrefs: 0040694A

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FormatFreeH_prologLocalMessage
String ID: jq
API String ID: 1380236612-1684728866
Opcode ID: b71e4cee168a768d550c8f342afe9cdc77ca748eeb03b3606f8745f78f7f3799
Instruction ID: 6cd3834961a21a14c52cc8e407b858d4d2d7c4e386d739d67f8e828a13c53bac
Opcode Fuzzy Hash: b71e4cee168a768d550c8f342afe9cdc77ca748eeb03b3606f8745f78f7f3799
Instruction Fuzzy Hash: 371196B1D00105AACF01EF9588915EFFB79AF48318F00803FE416B2692CA784916DA64

Uniqueness

Uniqueness Score: -1.00%

Function 004149D3 Relevance: 6.3, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004149FD
memset.MSVCRT ref: 00414A8F
memset.MSVCRT ref: 00414AA2
memset.MSVCRT ref: 00414AE3
memset.MSVCRT ref: 00414AF6

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 53151738b5cb45d6da2caf6ba93a038fa4cc57067eed5bb267cb814d58c2db54
Instruction ID: 5f3c10d1147c43fa79398eed8adb35f3380fdbb8a62ed87b08de67b285ecc485
Opcode Fuzzy Hash: 53151738b5cb45d6da2caf6ba93a038fa4cc57067eed5bb267cb814d58c2db54
Instruction Fuzzy Hash: D6316D70A49B009EE320DB38C951FD7B7D9EF95708F54086EE1DEC7282D678B8418B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405778 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040577D
CharUpperW.USER32(?,?,00000000), ref: 00405795
GetLastError.KERNEL32(?,?,00000000), ref: 004057A1
CharUpperA.USER32(?,00000000,?,?,?,00000000), ref: 004057D4

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: CharUpper$ErrorH_prologLast
String ID:
API String ID: 826227211-0
Opcode ID: bb62647c35a6b4b39ff52a49b48add0468e692bfd9ef0e63dfc65056f97f077e
Instruction ID: e127b44befd83df498158281ec6462b6981a6adf9e49f6e2e91893cbe986a66e
Opcode Fuzzy Hash: bb62647c35a6b4b39ff52a49b48add0468e692bfd9ef0e63dfc65056f97f077e
Instruction Fuzzy Hash: CA119372910906DBCB05BBA4D8819EFB774FF49309F10843AE402B62A1DB384D45DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004115B7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004115BC

Strings

, xrefs: 0041179B
, xrefs: 00411773

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID: $
API String ID: 3519838083-227171996
Opcode ID: e31783c1878d567b13860f4767856df14e65a26e6f59c179ef8b3789cb0db0b9
Instruction ID: c09ca64c516438c389beff03a03fb747e5fcb8e83cc091244ae1e3a0488f634f
Opcode Fuzzy Hash: e31783c1878d567b13860f4767856df14e65a26e6f59c179ef8b3789cb0db0b9
Instruction Fuzzy Hash: F371783090020ACFCB20DF99D981AEEF7B1FF48314F14466ED526A72A1D734AA86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406C3A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406C3F
GetLastError.KERNEL32(?,?,z @,?), ref: 00406CCA

Strings

z @, xrefs: 00406C49

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: z @
API String ID: 1057991267-1165971878
Opcode ID: f4c7ae4e9819a94339cf5b68a245aee67b4628edfde3159287b698975baf48e9
Instruction ID: 5aa1cf87479b677cab348e24d28482d05f8d1d553d987a7ce873fa3599782bfd
Opcode Fuzzy Hash: f4c7ae4e9819a94339cf5b68a245aee67b4628edfde3159287b698975baf48e9
Instruction Fuzzy Hash: C051E33190410ADADF10EBA0C941AEFB770EF11308F25417BD843B72D2DB395DA6CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D301 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040D306
FileTimeToLocalFileTime.KERNEL32(?,?,00423400,jq,00000000), ref: 0040D3F7

Strings

jq, xrefs: 0040D312

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FileTime$H_prologLocal
String ID: jq
API String ID: 1029125053-1684728866
Opcode ID: 4abef91a55d26890551075d35ce9528d178323eb37e1b1ce0fe207f688dd6000
Instruction ID: f4bda934816c470ee3f9dc008bf593f5f26308195b6f52696a1c0570e71294e6
Opcode Fuzzy Hash: 4abef91a55d26890551075d35ce9528d178323eb37e1b1ce0fe207f688dd6000
Instruction Fuzzy Hash: 31518070E4021A9ACF14EF95C8916AEB771EF54308F50803FE905B73D1DB7CA949CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 00406F29 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406F2E
GetFullPathNameW.KERNEL32(?,00000105,00000000,?,z @,00423400,00000000), ref: 00406F79

Strings

z @, xrefs: 00406F3A

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: FullH_prologNamePath
String ID: z @
API String ID: 882179163-1165971878
Opcode ID: 8b542baa3fb09bbdfc88f7eca29094e8904415202bbe43fb20294d5784b07569
Instruction ID: 456a8c749ad78801ab8f642e87f0de58938fa2083bf67819385d7e685a7d3908
Opcode Fuzzy Hash: 8b542baa3fb09bbdfc88f7eca29094e8904415202bbe43fb20294d5784b07569
Instruction Fuzzy Hash: 82519C71D00109DECB01EFA4C840AEEFBB5EF59308F20816EE042B7291DB795E56CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE16 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AE1B

Part of subcall function 0040AF6D: __EH_prolog.LIBCMT ref: 0040AF72

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Strings

z @, xrefs: 0040AE30
P1B, xrefs: 0040AE23

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$free
String ID: P1B$z @
API String ID: 2654054672-3334625589
Opcode ID: f7947c3ff3cae27061cf9d2539886d090dfa4582e4da4e18eb94e97b8a76d47e
Instruction ID: 499cc5735afcd8b4d47c66a35ed56418ab05979329819a7782906da3536ef816
Opcode Fuzzy Hash: f7947c3ff3cae27061cf9d2539886d090dfa4582e4da4e18eb94e97b8a76d47e
Instruction Fuzzy Hash: 66412B75D0024ADECF05EBA5D586AEDBF70EF54318F10806EE401732D2DB781A49DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040299B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004029A0

Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626

Part of subcall function 00406933: __EH_prolog.LIBCMT ref: 00406938
Part of subcall function 00406933: FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,jq,?,?), ref: 0040695F

Part of subcall function 00405634: __EH_prolog.LIBCMT ref: 00405639

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Strings

Sub items Errors: , xrefs: 004029E9
jq, xrefs: 004029B7, 004029D1, 004029E3, 00402A27, 00402A2C, 00402A8F

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog$FormatMessagefputsfree
String ID: Sub items Errors: $jq
API String ID: 1037188338-1312119105
Opcode ID: 51101253e6f0cf16317a746bccd30ed1744d818bd7373f330097276747671460
Instruction ID: 72051ac68bb0dd62284419b043163b32f3c58ea1ed6c6781e38d229c8b5fd52d
Opcode Fuzzy Hash: 51101253e6f0cf16317a746bccd30ed1744d818bd7373f330097276747671460
Instruction Fuzzy Hash: 42318171B007019BCB24EB61C585A7FB7B1FB84318F50493EE50AA36D1DA7A6841CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 004073C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004073CA
AreFileApisANSI.KERNEL32(?,?,00000000,00000000,00000001,z @,?,00000000), ref: 0040742D

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Strings

z @, xrefs: 004073D4

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ApisFileH_prologfree
String ID: z @
API String ID: 4245112029-1165971878
Opcode ID: 9ab113db4abb7b6139da2337a3147859d56e8fd75d1529f8d91f029e7248bd4a
Instruction ID: 2a71f41b047c19f9f8f9ef100063250c327e39a9047e493f04ba353b08899cc8
Opcode Fuzzy Hash: 9ab113db4abb7b6139da2337a3147859d56e8fd75d1529f8d91f029e7248bd4a
Instruction Fuzzy Hash: 45211AB1A00A05EFC715DF69D481A9AFBF4FF48314B10862EE44AD3A81D735F954CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C1C1

Strings

LPT, xrefs: 0040C255
COM, xrefs: 0040C240

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID: COM$LPT
API String ID: 3519838083-915345583
Opcode ID: 524c944f07671b31d12efe39f1ab468b1d58115f29dc58dde7c5bffb4f73f28c
Instruction ID: ed55f283f029a6f36ea59cad7b791ff1191188b2774c7a0bb762d2dd47f38330
Opcode Fuzzy Hash: 524c944f07671b31d12efe39f1ab468b1d58115f29dc58dde7c5bffb4f73f28c
Instruction Fuzzy Hash: 47118C31E00115CBCB04EFD589809AFB376EF85308B5086AFD412B76C2CB399E45DAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405324 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 00405343
__aulldiv.LIBCMT ref: 00405359

Strings

jq, xrefs: 00405332

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: jq
API String ID: 3839614884-1684728866
Opcode ID: ffef78c56428964be75a0f8506253adf945967703e0e212151cb9628b42e6588
Instruction ID: fdbb4a6bf156e63ec36fc5b3d1fbf0a96e05e40bd881586f90bf9e86ef1510b6
Opcode Fuzzy Hash: ffef78c56428964be75a0f8506253adf945967703e0e212151cb9628b42e6588
Instruction Fuzzy Hash: 1501A776A00708FBDB10DF85D881BEEB7B8FF55758F20006AE941A7291D3746E45C764

Uniqueness

Uniqueness Score: -1.00%

Function 00403DCD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403DD2

Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410

Strings

jq, xrefs: 00403DD9
z @, xrefs: 00403DEA

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prologfree
String ID: jq$z @
API String ID: 1978129608-3408136156
Opcode ID: 49ba030de8abd301e1262cc128365c39a5b7da7a69ff2a958e47ed265f3ca231
Instruction ID: 403b0aec6f4821f0d0014d847c29108503159186f5067bb4dd1b01443ce727f9
Opcode Fuzzy Hash: 49ba030de8abd301e1262cc128365c39a5b7da7a69ff2a958e47ed265f3ca231
Instruction Fuzzy Hash: 3801A931A01600DFCB14DF99C40979EFBA8EF44324F20426EA091A7692C7B86E018B59

Uniqueness

Uniqueness Score: -1.00%

Function 00406126 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040612B

Part of subcall function 00405C52: __EH_prolog.LIBCMT ref: 00405C57

Part of subcall function 00406041: __EH_prolog.LIBCMT ref: 00406046

Strings

jq, xrefs: 00406134
z @, xrefs: 00406137

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID: jq$z @
API String ID: 3519838083-3408136156
Opcode ID: 0da70f7030bfe08fdb8b6ec2d71ebfc257fe4fffc7db55e8f521bb42ad752975
Instruction ID: e9deaf19a8e8a40d47764f685ae16118bc0c2711b15a17a9398cbb7b8d303620
Opcode Fuzzy Hash: 0da70f7030bfe08fdb8b6ec2d71ebfc257fe4fffc7db55e8f521bb42ad752975
Instruction Fuzzy Hash: 0701E5B1D01229DECF04EFA9C841ADEBBB4FB48318F00812EE415B3291D7784A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403CF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403CFE

Strings

jq, xrefs: 00403D05
z @, xrefs: 00403D54

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: H_prolog
String ID: jq$z @
API String ID: 3519838083-3408136156
Opcode ID: 446597cd78a5c3ee679c09b0b5f328cd49b39cf2de9c22836bfe6d576a36dd2c
Instruction ID: 2fcd53b1a9dacdef85348b448b429a3c22d34a7063514b700d04986bf48d9933
Opcode Fuzzy Hash: 446597cd78a5c3ee679c09b0b5f328cd49b39cf2de9c22836bfe6d576a36dd2c
Instruction Fuzzy Hash: BF11D7B1901744DFC321CF5AC6C0286FFF4FB09708F9089AED18A97A41C3B6A545CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00402517 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(0040254F,00000001,?,?,?,004041A7), ref: 0040252B
_CxxThrowException.MSVCRT(?,0041E1B0), ref: 00402545

Strings

8#B, xrefs: 0040253E

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ConsoleCtrlExceptionHandlerThrow
String ID: 8#B
API String ID: 4041287486-4081203943
Opcode ID: 4c02f3b1afa7c6d99ae8d3d52e0a5d3e165c3c8b500b723dfd0ee80ec4e3d9b0
Instruction ID: 3fbf9acf05ef434e358c39c6909e1b5ff37404118f769d5c3f7ba3408ee342a1
Opcode Fuzzy Hash: 4c02f3b1afa7c6d99ae8d3d52e0a5d3e165c3c8b500b723dfd0ee80ec4e3d9b0
Instruction Fuzzy Hash: F0D012B1750224BADB14DB999D1ABDAB7EC9B04748B50406BB944E62C0E7F8AE40479C

Uniqueness

Uniqueness Score: -1.00%

Function 0040258C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(0040254F,00000000,?,?,00404417), ref: 0040259D
_CxxThrowException.MSVCRT(?,0041E1B0), ref: 004025B7

Strings

8#B, xrefs: 004025B0

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: ConsoleCtrlExceptionHandlerThrow
String ID: 8#B
API String ID: 4041287486-4081203943
Opcode ID: 772252efd9a2d5b49c771ac39d2d49f6d2f31b31515abebef65a7720b3cdb642
Instruction ID: abfa11f6a8ca77f709f8a3ccb442db122f48834c8448276bb0cfd74f51303d17
Opcode Fuzzy Hash: 772252efd9a2d5b49c771ac39d2d49f6d2f31b31515abebef65a7720b3cdb642
Instruction Fuzzy Hash: 70D09EB4640304FED714DBA6AE1AB8A76AC9B0474CF60416BB504A51D1E7F8AA40466D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE95 Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040CEA4
memcmp.MSVCRT ref: 0040CEC2
memcmp.MSVCRT ref: 0040CED6

Memory Dump Source

Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: cbbb456cd77182ef58a72903555eb5269fd68cf8cf5e786519a58668202c7b56
Instruction ID: ef55370724e41f7c94e5c4a00684e598735f04457b5ed3082ba78311e219e7db
Opcode Fuzzy Hash: cbbb456cd77182ef58a72903555eb5269fd68cf8cf5e786519a58668202c7b56
Instruction Fuzzy Hash: E501A1B1740205ABCB049B10CC42FEB73955F64740F14826AFD05AB3C2EABDED8186CE

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report a2e-enterprise.26.3.3677.2903.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Add2Exchange Enterprise Guide.pdf

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Add2ExchangeSetup.msi

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\First_Time_Installer.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Links\Request Support for DidItBetter.url

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Outlook_Installer.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Office365_Pro_Retailx64_Configuration.xml

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Office365_Pro_Retailx86_Configuration.xml

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx64.cmd

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx86.cmd

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup.zip

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Auto_Migration.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Directory.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_MMC.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Permissions_Commands.rtf

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_SQL_Backup.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\A2E_Setup_Details.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Add2Outlook_Set_Granular_permissions.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Permissions_Task_Creation.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_All_Permissions.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_Dist_List_Permissions.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\2010-2019_Dynamic_Distribution.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Office365_All_Permissions.ps1

C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Auto_Permissions_Portable\Scripts\Office365_Dist_List_Permissions.ps1

Windows Analysis Report
a2e-enterprise.26.3.3677.2903.exe